ncrack
ncrack fails on mssql service when creds require domain
I seem to be unable to get ncrack to work on the mssql service when Windows auth (the SQL Server default auth config) requires a domain with the username to authenticate. I have tried several forms of the command to try to get this to work (actual host, port, username, and password redacted):
```
ncrack -vvvv -ddddd --user myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN
ncrack -vvvv -ddddd --user myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN,db=MyDatabase
ncrack -vvvv -ddddd --user DOMAIN\\myusername --pass mypassword mssql://10.10.10.51:7777
ncrack -vvvv -ddddd --user DOMAIN\\myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN
ncrack -vvvv -ddddd --user DOMAIN\\myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN,db=MyDatabase
ncrack -vvvv -ddddd --user "DOMAIN\myusername" --pass mypassword mssql://10.10.10.51:7777
ncrack -vvvv -ddddd --user "DOMAIN\myusername" --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN
ncrack -vvvv -ddddd --user "DOMAIN\myusername" --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN,db=MyDatabase
```
In all cases, the output is similar:
```
Starting Ncrack 0.7 ( http://ncrack.org ) at 2022-03-10 20:43 UTC
mssql://10.10.10.51:7777 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 6.48
mssql://10.10.10.51:7777 finished.
nsock_loop returned 3
Ncrack done: 1 service scanned in 3.00 seconds.
Probes sent: 1 | timed-out: 0 | prematurely-closed: 0
Ncrack finished.
```
By outputting the plan, I can see that the db and domain parameters, as well as the service and port, seem to be getting recognized properly:
```
ncrack -vvvv -ddddd --user myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN,db=MyDatabase -sL
```

```
Starting Ncrack 0.7 ( http://ncrack.org ) at 2022-03-10 20:50 UTC
----- [ Timing Template ] -----
cl=7, CL=80, at=0, cd=0, cr=30, to=0
----- [ ServicesTable ] -----
SERVICE cl CL at cd cr to ssl path db domain
ftp:21 N/A N/A N/A N/A N/A N/A no null null null
ssh:22 N/A N/A N/A N/A N/A N/A no null null null
telnet:23 N/A N/A N/A N/A N/A N/A no null null null
http:80 N/A N/A N/A N/A N/A N/A no null null null
wordpress:80 N/A N/A N/A N/A N/A N/A no null null null
wp:80 N/A N/A N/A N/A N/A N/A no null null null
joomla:80 N/A N/A N/A N/A N/A N/A no null null null
dicom:104 N/A N/A N/A N/A N/A N/A no null null null
pop3:110 N/A N/A N/A N/A N/A N/A no null null null
imap:143 N/A N/A N/A N/A N/A N/A no null null null
netbios-ssn:445 N/A N/A N/A N/A N/A N/A no null null null
smb:445 N/A N/A N/A N/A N/A N/A no null null null
smb2:445 N/A N/A N/A N/A N/A N/A no null null null
smb:139 N/A N/A N/A N/A N/A N/A no null null null
https:443 N/A N/A N/A N/A N/A N/A yes null null null
owa:443 N/A N/A N/A N/A N/A N/A yes null null null
wordpress-tls:443 N/A N/A N/A N/A N/A N/A yes null null null
wp-tls:443 N/A N/A N/A N/A N/A N/A yes null null null
sip:5060 N/A N/A N/A N/A N/A N/A no null null null
pop3s:995 N/A N/A N/A N/A N/A N/A yes null null null
mssql:1433 N/A N/A N/A N/A N/A N/A no null MyDatabase DOMAIN
mqtt:1883 N/A N/A N/A N/A N/A N/A no null null null
mysql:3306 N/A N/A N/A N/A N/A N/A no null null null
ms-wbt-server:3389 N/A N/A N/A N/A N/A N/A no null null null
rdp:3389 N/A N/A N/A N/A N/A N/A no null null null
psql:5432 N/A N/A N/A N/A N/A N/A no null null null
vnc:5801 N/A N/A N/A N/A N/A N/A no null null null
vnc:5900 N/A N/A N/A N/A N/A N/A no null null null
vnc:5901 N/A N/A N/A N/A N/A N/A no null null null
vnc:6001 N/A N/A N/A N/A N/A N/A no null null null
redis:6379 N/A N/A N/A N/A N/A N/A no null null null
winrm:5985 N/A N/A N/A N/A N/A N/A no null null Workstation
winrm:5986 N/A N/A N/A N/A N/A N/A no null null Workstation
cassandra:9160 N/A N/A N/A N/A N/A N/A no null null null
cassandra:9042 N/A N/A N/A N/A N/A N/A no null null null
mongodb:27017 N/A N/A N/A N/A N/A N/A no null admin null
cvs:2401 N/A N/A N/A N/A N/A N/A no null null null
----- [ Targets ] -----
Host: 10.10.10.51
mssql:51111 cl=7, CL=80, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=MyDatabase, domain=DOMAIN
Ncrack done: 1 service would be scanned.
Probes sent: 0 | timed-out: 0 | prematurely-closed: 0
Ncrack finished.
```
But for some reason it fails. By ratcheting the debug level way up, I can see that the login is failing (and does likewise no matter what form of the command above I use):
```
Starting Ncrack 0.7 ( http://ncrack.org ) at 2022-03-10 20:54 UTC
mssql://10.10.10.51:7777 (EID 1) Initiating new Connection
mssql://10.10.10.51:7777 pushed to list FULL
mssql://10.10.10.51:7777 (EID 1) Login failed: 'myusername' 'mypassword'
mssql://10.10.10.51:7777 (EID 1) Connection closed by peer
mssql://10.10.10.51:7777 popped from list FULL
mssql://10.10.10.51:7777 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 6.28
mssql://10.10.10.51:7777 Password list finished!
mssql://10.10.10.51:7777 pushed to list FINISHED
mssql://10.10.10.51:7777 finished.
nsock_loop returned 3
Ncrack done: 1 service scanned in 3.00 seconds.
Probes sent: 1 | timed-out: 0 | prematurely-closed: 0
Ncrack finished.
```
Here are my system particulars:
- OS:

```
└─$ cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2021.4"
VERSION_ID="2021.4"
VERSION_CODENAME="kali-rolling"
ID_LIKE=Debbie
```

- Ncrack version:

```
Starting Ncrack 0.7 ( http://ncrack.org )
```

- MS SQL SERVER:

```
Microsoft SQL Server 2014, 12.0.6433.1 (X64)
```
Any help getting this to work would be greatly appreciated...thanks!