vanhauser-thc/thc-hydra

mssql module fails on Windows auth with known correct credentials

Open

#732 opened on Mar 10, 2022

View on GitHub
 (6 comments) (0 reactions) (0 assignees)C (8,689 stars) (1,913 forks)batch import
enhancementhelp wanted

Description

Describe the bug I am trying to use Hydra to brute-force MSSQL logins (disclaimer: authorized). Before running larger user and password lists, I am trying to verify accurate function of hydra against the SQL Server with a known username and password. Using the Hydra mssql module, I cannot get this to work correctly, although I know for a fact (both by connecting successfully and cracking successfully with other tools) these credentials work.

I believe the issue may be related to Windows authentication, which is the default for MSSQL and also the configuration setting of the server, meaning that my username requires a domain in addition to the password to successfully connect. I have tried all of the following forms of command to no avail (actual username, password, host, and port redacted).

hydra -l DOMAIN\\username -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l "DOMAIN\\username" -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l username@DOMAIN -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l "username@DOMAIN" -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l username -p password -s 7777 mssql://10.10.10.51:7777 -V

All of these commands result in the same similar output as below:

Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-10 18:08:02
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking mssql://10.10.10.51:7777/
[ATTEMPT] target 10.10.10.51 - login "DOMAIN\username" - pass "password" - 1 of 1 [child 0] (0/0)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-10 18:08:03

To Reproduce Execute Hydra with a command similar to the one above against a SQL Server configured to support Windows authentication only and with a domain username.

Expected behavior With a correct username and password, I'd expect Hydra to properly connect and identify that the credentials were correct.

Screenshots N/A

Desktop (please complete the following information):

  • OS:
└─$ cat /etc/os-release                                       
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2021.4"
VERSION_ID="2021.4"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
  • Hydra version:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak
  • MS SQL SERVER:
Microsoft SQL Server 2014, 12.0.6433.1 (X64)

Additional context N/A

Any help getting this working would be greatly appreciated.

Contributor guide

Tech stack
c
Domain
security
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
C programmingWindows authenticationMSSQL protocol
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
Investigate the hydra mssql module's authentication code, specifically how it handles Windows integrated authentication vs SQL authentication. Look at the mssql.c file in the hydra source code. The issue suggests that the module fails to pass domain\username correctly. Check if the module parses the login format properly and whether it uses NTLM or other Windows auth methods. Consider testing with a SQL Server set to mixed mode to isolate the issue.