NetExec
MSSQL logfile is missing information compared to stdout when using `--debug`
Describe the bug
The `mssql` protocol logfile is missing output when using the `--debug` flag. INFO and DEBUG output that is visible on stdout is missing from the logfile.
Items missing from logfile:
- DEBUG containing NXC version
- MSSQL INFO line with system information
- MSSQL INFO line containing authentication result
- MSSQL_PRIV INFO line containing sysadmin detection
- MSSQL_PRIV INFO line containing sysadmin privesc result
To Reproduce
netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-debug.log --debug
- Stdout:
[15:55:32] DEBUG NXC VERSION: 1.2.0 - ItsAlwaysDNS - kali cli.py:27
DEBUG Added file handler: <RotatingFileHandler logger.py:192
...snip...
INFO Resolved domain: example.com with dns, kdcHost: 192.168.0.1 mssql.py:140
[15:55:32] INFO MSSQL 192.168.0.100 1433 SQLSERVER Windows 10 / Server 2019 Build mssql.py:143
17763 (name:SQLSERVER) (domain:example.com)
MSSQL 192.168.0.100 1433 SQLSERVER Windows 10 / Server 2019 Build
17763 (name:SQLSERVER) (domain:example.com)
DEBUG Trying to authenticate using plaintext with domain connection.py:476
[15:55:32] INFO MSSQL 192.168.0.100 1433 SQLSERVER mssql.py:225
example.com\useraccount:REDACTED
MSSQL 192.168.0.100 1433 SQLSERVER
example.com\useraccount:REDACTED
DEBUG Calling command arguments connection.py:229
DEBUG Closing connection to: 192.168.0.100 connection.py:170
- Logfile is missing the initial DEBUG with the netexec version, the MSSQL system information INFO output, and the final MSSQL authentication output:
2024-07-26 15:55:32,239 - DEBUG - Added file handler: <RotatingFileHandler /redacted/mssql-debug.log (NOTSET)>
...snip...
2024-07-26 15:55:32,595 - INFO - Resolved domain: example.com with dns, kdcHost: 192.168.0.1
2024-07-26 15:55:32,598 - DEBUG - Trying to authenticate using plaintext with domain
2024-07-26 15:55:32,618 - DEBUG - Calling command arguments
2024-07-26 15:55:32,619 - DEBUG - Closing connection to: 192.168.0.100
netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-mssql_priv-privesc-debug.log -M mssql_priv -o ACTION=privesc --debug
- stdout:
[15:13:26] DEBUG NXC VERSION: 1.2.0 - ItsAlwaysDNS - kali cli.py:27
DEBUG Added file handler: <RotatingFileHandler /redacted/mssql-mssql_priv-privesc-debug.log (NOTSET)>
...snip...
INFO Resolved domain: example.com with dns, kdcHost: 192.168.0.1 mssql.py:140
[15:13:27] INFO MSSQL 192.168.0.100 1433 SQLSERVER Windows 10 / Server 2019 Build 17763 (name:SQLSERVER) (domain:example.com) mssql.py:143
MSSQL 192.168.0.100 1433 SQLSERVER Windows 10 / Server 2019 Build 17763 (name:SQLSERVER) (domain:example.com)
DEBUG Trying to authenticate using plaintext with domain connection.py:476
[15:13:27] INFO MSSQL 192.168.0.100 1433 SQLSERVER example.com\useraccount:REDACTED mssql.py:225
MSSQL 192.168.0.100 1433 SQLSERVER example.com\useraccount:REDACTED
INFO Loading modules for target: 192.168.0.100
...snip...
DEBUG Response: [{'name': 'master'}, {'name': 'tempdb'}, {'name': 'model'}, {'name': 'msdb'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': mssql_priv.py:273
'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}]
DEBUG Response Type: <class 'list'> mssql_priv.py:274
[15:13:27] INFO MSSQL_PRIV 192.168.0.100 1433 SQLSERVER EXAMPLE\useraccount is sysadmin mssql_priv.py:127
MSSQL_PRIV 192.168.0.100 1433 SQLSERVER EXAMPLE\useraccount is sysadmin
[15:13:27] INFO MSSQL_PRIV 192.168.0.100 1433 SQLSERVER EXAMPLE\useraccount is now a sysadmin! (Pwn3d!) mssql_priv.py:89
MSSQL_PRIV 192.168.0.100 1433 SQLSERVER EXAMPLE\useraccount is now a sysadmin! (Pwn3d!)
DEBUG Closing connection to: 192.168.0.100
- Logfile is missing the initial DEBUG, the MSSQL system information INFO output, and the MSSQL_PRIV action INFO output
2024-07-26 14:31:20,868 - DEBUG - Added file handler: <RotatingFileHandler /redacted/mssql-mssql_priv-privesc-debug.log (NOTSET)>
...snip...
2024-07-26 14:31:21,579 - INFO - Resolved domain: example.com with dns, kdcHost: 192.168.0.1
2024-07-26 14:31:21,582 - DEBUG - Trying to authenticate using plaintext with domain
2024-07-26 14:31:21,602 - INFO - Loading modules for target: 192.168.0.100
...snip...
2024-07-26 14:31:21,619 - DEBUG - Response Type: <class 'list'>
2024-07-26 14:31:21,667 - DEBUG - Closing connection to: 192.168.0.100
Expected behavior
The logfile should contain the same output as STDOUT when using `--debug`.
NetExec info
- OS: Kali
- Version of nxc: 1.2.0 - ItsAlwaysDNS - kali
- Installed from: apt
Additional context
Raw log and stdout files are attached, too.
MSSQL debug: `netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-debug.log --debug`:
- mssql-debug.log.txt is the logfile
- mssql-debug.stdout.txt is stdout w/command
MSSQL with MSSQL_PRIV (default): netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-mssql_priv.log -M mssql_priv
- mssql-mssql_priv.log.txt is the logfile
- mssql-mssql_priv.stdout.txt is stdout w/command
MSSQL with MSSQL_PRIV privesc debug: netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-mssql_priv-privesc-debug.log -M mssql_priv -o ACTION=privesc --debug
- mssql-mssql_priv-privesc-debug.log.txt is the logfile
- mssql-mssql_priv-privesc-debug.stdout.txt is stdout w/command