mssql module fails on Windows auth with known correct credentials
#732 opened on March 10, 2022
Description
Describe the bug
I am trying to use Hydra to brute-force MSSQL logins (disclaimer: authorized). Before running larger user and password lists, I am trying to verify accurate function of hydra against the SQL Server with a known username and password. Using the Hydra mssql module, I cannot get this to work correctly, although I know for a fact (both by connecting successfully and cracking successfully with other tools) these credentials work.
I believe the issue may be related to Windows authentication, which is the default for MSSQL and also the configuration setting of the server, meaning that my username requires a domain in addition to the password to successfully connect. I have tried all of the following forms of command to no avail (actual username, password, host, and port redacted).
hydra -l DOMAIN\\username -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l "DOMAIN\\username" -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l username@DOMAIN -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l "username@DOMAIN" -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l username -p password -s 7777 mssql://10.10.10.51:7777 -V
All of these commands result in the same similar output as below:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-10 18:08:02
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking mssql://10.10.10.51:7777/
[ATTEMPT] target 10.10.10.51 - login "DOMAIN\username" - pass "password" - 1 of 1 [child 0] (0/0)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-10 18:08:03
To Reproduce
Execute Hydra with a command similar to the one above against a SQL Server configured to support Windows authentication only and with a domain username.
Expected behavior
With a correct username and password, I'd expect Hydra to properly connect and identify that the credentials were correct.
Screenshots
N/A
Desktop (please complete the following information):
- OS:
└─$ cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2021.4"
VERSION_ID="2021.4"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
- Hydra version:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak
- MS SQL SERVER:
Microsoft SQL Server 2014, 12.0.6433.1 (X64)
Additional context
N/A
Any help getting this working would be greatly appreciated.