[MSSQL] Improvement

[XiaoliChan]

Change log:

• No more SMB needed (also remove --no-smb)
• Enhance the error message
• Fix no-output in command execution
• Improve the logic in mssqlexec.py
• Add --mssql-timeout
• Fix --use-kcache

References:

• https://github.com/nopfor/ntlm_challenger

Screenshot:

[XiaoliChan]

CCache fix:

• Before (it will use host IP address in kerberos authentication, not hostname)
  

• After
  

More screenshot

[XiaoliChan]

Confirm this PR can do review now

[mpgn]

Got one error @XiaoliChan

[XiaoliChan]

Got one error @XiaoliChan

I will test it later

[XiaoliChan]

@mpgn Please test again, the bug should be fixed

[mpgn]

The nanodump is fixed 🎉

I have an error with kerberos, can you check if you have the same ? maybe my lab is broken

[XiaoliChan]

I have an error with kerberos, can you check if you have the same ? maybe my lab is broken

I can confirm it work in my side

[XiaoliChan]

@mpgn I have made a PR #191 to improve the parse_challenge function, this PR only works after that PR is merged

[XiaoliChan]

@mpgn Please test again after #191 is merged

[mpgn]

• For the timeout, use 60 seconds by default, 2 seconds is way to short i'm hitting timeout every two requests
• The logic you implemented on the login function is really strange and the code is repeted twice if there is a wrong login. I would prefer this version as this is also how it's done on all other protocols

        try:
            res = self.conn.login(None, username, password, domain, None, not self.args.local_auth)
            if res is not True:
                raise
            self.check_if_admin()
            out = f"{self.domain}\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}"
            self.logger.success(out)
            if not self.args.local_auth:
                add_user_bh(self.username, self.domain, self.logger, self.config)
            if self.admin_privs:
                add_user_bh(f"{self.hostname}$", self.domain, self.logger, self.config)
            return True
        except BrokenPipeError:
            self.logger.fail("Broken Pipe Error while attempting to login")
            return False
        except Exception as e:
            error_msg = self.handle_mssql_reply()
            self.logger.fail("{}\\{}:{} {}".format( self.domain, self.username, process_secret(self.password), error_msg if error_msg else ""))
            return False

[XiaoliChan]

• For the timeout, use 60 seconds by default, 2 seconds is way to short i'm hitting timeout every two requests

Maybe 5s is better?

[XiaoliChan]

• The logic you implemented on the login function is really strange and the code is repeted twice if there is a wrong login. I would prefer this version as this is also how it's done on all other protocols

        try:
            res = self.conn.login(None, username, password, domain, None, not self.args.local_auth)
            if res is not True:
                raise
            self.check_if_admin()
            out = f"{self.domain}\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}"
            self.logger.success(out)
            if not self.args.local_auth:
                add_user_bh(self.username, self.domain, self.logger, self.config)
            if self.admin_privs:
                add_user_bh(f"{self.hostname}$", self.domain, self.logger, self.config)
            return True
        except BrokenPipeError:
            self.logger.fail("Broken Pipe Error while attempting to login")
            return False
        except Exception as e:
            error_msg = self.handle_mssql_reply()
            self.logger.fail("{}\\{}:{} {}".format( self.domain, self.username, process_secret(self.password), error_msg if error_msg else ""))
            return False

Yes, I just forgot it did raise and jump into the exception

[mpgn]

All good for me, everything works on my lab, great improvement 🎉