vanhauser-thc/thc-hydra

mssql module fails on Windows auth with known correct credentials

Open

#732 opened on Mar 10, 2022

View on GitHub
 (6 comments) (0 reactions) (0 assignees)C (1,913 forks)batch import
enhancementhelp wanted

Repository metrics

Stars
 (8,689 stars)
PR merge metrics
 (Avg merge 2d 14h) (2 merged PRs in 30d)

Description

Describe the bug I am trying to use Hydra to brute-force MSSQL logins (disclaimer: authorized). Before running larger user and password lists, I am trying to verify accurate function of hydra against the SQL Server with a known username and password. Using the Hydra mssql module, I cannot get this to work correctly, although I know for a fact (both by connecting successfully and cracking successfully with other tools) these credentials work.

I believe the issue may be related to Windows authentication, which is the default for MSSQL and also the configuration setting of the server, meaning that my username requires a domain in addition to the password to successfully connect. I have tried all of the following forms of command to no avail (actual username, password, host, and port redacted).

hydra -l DOMAIN\\username -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l "DOMAIN\\username" -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l username@DOMAIN -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l "username@DOMAIN" -p password -s 7777 mssql://10.10.10.51:7777 -V
hydra -l username -p password -s 7777 mssql://10.10.10.51:7777 -V

All of these commands result in the same similar output as below:

Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-10 18:08:02
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking mssql://10.10.10.51:7777/
[ATTEMPT] target 10.10.10.51 - login "DOMAIN\username" - pass "password" - 1 of 1 [child 0] (0/0)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-10 18:08:03

To Reproduce Execute Hydra with a command similar to the one above against a SQL Server configured to support Windows authentication only and with a domain username.

Expected behavior With a correct username and password, I'd expect Hydra to properly connect and identify that the credentials were correct.

Screenshots N/A

Desktop (please complete the following information):

  • OS:
└─$ cat /etc/os-release                                       
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2021.4"
VERSION_ID="2021.4"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
  • Hydra version:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak 
  • MS SQL SERVER:
Microsoft SQL Server 2014, 12.0.6433.1 (X64)

Additional context N/A

Any help getting this working would be greatly appreciated.

Contributor guide