
[MSSQL] Add ChannelBinding computing for MSSQL

Open Dfte opened this issue 3 months ago • 5 comments

This PR reworks the MSSQL protocol to support Channel Binding token implementation based on https://github.com/fortra/impacket/pull/1986.

The PR is simple: first I had to remove the base sock computation since TDS.py handles it itself. Next I had to switch the TLS context in the enum_host_infos function:

[image]

Basically, set_tls_context creates a TLS tunnel that allows passing data to encrypt and receiving unencrypted data. The Channel Binding Token is computed inside that function and added to the NTLMSSP messages when necessary. As such we can now connect to CBT-protected databases:

[image]

That said, the Kerberos authentication doesn't seem to work with or without the patch (without below):

[image]

I'll fix that before merging.

Dfte avatar Sep 28 '25 15:09 Dfte
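The comment above describes the Channel Binding Token being computed inside set_tls_context and attached to the NTLMSSP messages. The following is an added example, not code from NetExec or from the impacket PR it references, showing how that token is derived per RFC 5929 (tls-server-end-point) and MS-NLMP (the gss_channel_bindings_struct hashed with MD5 and carried in an MsvAvChannelBindings AV_PAIR), plus the comparison a server performs to reject a token computed against a different certificate. The certificate bytes are a constructed placeholder, not a real DER certificate; the function names are this example's own.

```python
"""Channel Binding Token (CBT) for NTLM over TLS.

Added example (not NetExec or impacket code). CONSTRUCTED_CERT_DER is a
placeholder byte string standing in for a server's DER-encoded certificate.
"""
import hashlib
import hmac
import struct

# NTLM AV_PAIR id for channel bindings (MS-NLMP 2.2.2.1).
MSV_AV_CHANNEL_BINDINGS = 0x000A

# Constructed stand-in for the TLS server certificate (not a real DER blob).
CONSTRUCTED_CERT_DER = b"constructed-not-a-real-certificate"


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point binding: hash of the DER certificate.

    The hash is the one from the certificate's signature algorithm, except
    that MD5 and SHA-1 are upgraded to SHA-256.
    """
    name = sig_hash.lower()
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()


def gss_channel_bindings_struct(application_data: bytes) -> bytes:
    """RFC 2744 gss_channel_bindings_struct as serialised by MS-NLMP 3.1.5.1.2.

    initiator_addrtype, initiator_address.length, acceptor_addrtype and
    acceptor_address.length are all zero (4 bytes each, little-endian),
    followed by application_data.length and the application data itself.
    """
    return struct.pack("<IIIII", 0, 0, 0, 0, len(application_data)) + application_data


def channel_binding_token(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """16-byte CBT: MD5 over the bindings struct built from the EKM-style
    application data 'tls-server-end-point:' + certificate hash."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der, sig_hash)
    return hashlib.md5(gss_channel_bindings_struct(app_data)).digest()


def av_pair_channel_bindings(cbt: bytes) -> bytes:
    """AV_PAIR carrying the CBT: AvId (2 bytes LE), AvLen (2 bytes LE), Value.

    This is what the client appends to the NTLMv2 target info so the
    response is bound to the TLS session it was sent over.
    """
    return struct.pack("<HH", MSV_AV_CHANNEL_BINDINGS, len(cbt)) + cbt


def server_accepts(received_cbt: bytes, cert_der: bytes, sig_hash: str = "sha256") -> bool:
    """Server-side check: the token must match the one derived from the
    certificate the server actually presented on this TLS session. A token
    computed for any other certificate (for example by a relaying
    intermediary) fails this comparison."""
    expected = channel_binding_token(cert_der, sig_hash)
    return hmac.compare_digest(received_cbt, expected)


if __name__ == "__main__":
    cbt = channel_binding_token(CONSTRUCTED_CERT_DER)
    print("CBT:", cbt.hex())
    print("AV_PAIR:", av_pair_channel_bindings(cbt).hex())
    print("genuine token accepted:", server_accepts(cbt, CONSTRUCTED_CERT_DER))
    print("foreign token accepted:", server_accepts(bytes(16), CONSTRUCTED_CERT_DER))
```

When a server enforces channel binding, an NTLM response whose MsvAvChannelBindings value does not match its own certificate is rejected, which is why the thread later notes that enforcement can only be confirmed by performing an authentication rather than from the unauthenticated host enumeration.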

Ah shit, just realised it breaks the enum_host when TLS is not required:

[image]

Dfte avatar Sep 28 '25 16:09 Dfte

At this point:

  • Enforced ChannelBinding works:
    [image]
  • TLS enforced without ChannelBinding works:
    [image]
  • TLS not enforced works as well:
    [image]

Need to patch the Kerberos error tho

Dfte avatar Sep 28 '25 17:09 Dfte

My bad it was just a DNS error:

[image]

All good then.

Dfte avatar Sep 28 '25 17:09 Dfte

The MSSQL protocol now prints whether encryption is used or not:

  • Used:
    [image]
  • Not used:
    [image]

Dfte avatar Sep 28 '25 19:09 Dfte

https://github.com/Pennyw0rth/NetExec/issues/713 Will close this one

Dfte avatar Sep 30 '25 13:09 Dfte

@Dfte so far everything is looking good, but this PR adds an encryption flag and not the cbt flag, correct? If so we should unlink #713 and change the title.

NeffIsBack avatar Dec 05 '25 14:12 NeffIsBack

> @Dfte so far everything is looking good, but this PR adds an encryption flag and not the cbt flag, correct? If so we should unlink #713 and change the title.

Ah got it! Yeah I can only add the Encryption flag because CBT cannot be checked without an actual authentication. I can add the check but that means:

  • Having valid credentials
  • Sending one authent with the correct CBT token
  • Sending one authent with an invalid CBT token

If both authents work -> CBT not required / activated
Else -> CBT Not required

So I wanted to push that as a module rather than a host_enum_check.

Dfte avatar Dec 05 '25 17:12 Dfte

> @Dfte so far everything is looking good, but this PR adds an encryption flag and not the cbt flag, correct? If so we should unlink #713 and change the title.
>
> Ah got it! Yeah I can only add the Encryption flag because CBT cannot be checked without an actual authentication. I can add the check but that means:
>
>   • Having valid credentials
>   • Sending one authent with the correct CBT token
>   • Sending one authent with an invalid CBT token
>
> If both authents work -> CBT not required / activated
> Else -> CBT Not required
>
> So I wanted to push that as a module rather than a host_enum_check.

Makes sense 👍 Then a module is probably best!

NeffIsBack avatar Dec 05 '25 17:12 NeffIsBack