[ WIP ] Add mssqlclient.py capabilities for named pipe only instances #2202

Open
Dfte wants to merge 7 commits into fortra:master from Dfte:tds_np

Dfte commented Jun 8, 2026

Contributor

Ayo, here is a work in progress PR on the mssqlclient.py client in order to support MSSQL databases relying on named pipe only. So far the tool is able to connect to databases that do not enforce encryption nor strict encryption:

image

I don't really know how to correctly implement the technique considering it relies on SMB that encapsulates TDS, hence the WIP tag. If you have got any recommendation, let me know!

Aurélien CHALOT added 2 commits June 6, 2026 14:07
Dfte marked this pull request as draft June 8, 2026 09:28

Dfte commented Jun 8, 2026

Contributor Author

Youhouuuuu

On left, mssql 2025 force_encryption = on (192.168.56.70) / on right, mssql 2022 force_encryption = off (192.168.56.72)
image

Output:
image

At the moment the script supports cleartext / force_encryption (which requires tls inside a named pipe inside SMB rofl). Note that force_strict_encryption doesn't work on named pipe exposed instances because you can't build a tls socket directly to a named pipe.

@gabrielg5 @anadrianmanrique how do you see me integrating that? The poc imports both mssql from tds.py, smbconnection from smb3. So I'd implement all of that inside mssqlclient.py directly? Or should I build another impacket/impacket/tds_named_pipes.py library just for that use case?

Also I forgot to mention that having that capability would allow future users to relay SMB -> SMB and connect to that named pipe and thus communicate to a SQL database exposed via a named pipe.

I can either import tds_named_pipe.py and:

```python
if options.named_pipe:
    ms_sql = MSSQLNamedPipe(
        options.target_ip,
        pipe_name=NamedPipeTransport.MSSQL_PIPE,
        remoteName=remoteName,
        workstation_id=options.host_name,
        application_name=options.app_name,
        client_interface_name=options.client_interface_name
    )

    print(f"[*] Using Named Pipe \\\\{options.target_ip}\\pipe\\sql\\query")
else:
    ms_sql = tds.MSSQL(
        options.target_ip,
        int(options.port),
        remoteName,
        workstation_id=options.host_name,
        application_name=options.app_name,
        client_interface_name=options.client_interface_name
    )

    ms_sql.connect()
```

Add all the required code inside the mssqlclient.py from tds_np.py so that we have a single client with a single tds.py library. Or even integrate the SMB communication inside TDS.py also

Dfte marked this pull request as ready for review June 8, 2026 17:26
anadrianmanrique added the "in review" label Jun 11, 2026
@gabrielg5

Collaborator

Hey @Dfte hello!! Sorry for commenting here after a couple of days.
This will be a great addition to the library!!

I think the best path moving forward is keeping all that protocol logic centralized in impacket.tds.MSSQL (login, kerberoslogin, PRELOGIN, TLS handling, query execution, parsing, ..).
The library will gain the ability to send/receive TDS over an SMB named pipe instead of a TCP socket, while reusing the existing MSSQL code path.
mssqlclient and other examples should have a new option to select the named-pipe transport instead of the current tcp socket.
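
The transport split suggested in the comment above, as an added sketch that is not part of this thread or of impacket's code: TDS packet framing written against any object exposing `send`/`recv`, so the same path can run over a TCP socket or an SMB pipe handle. `TDSChannel` and `ChunkedLoopback` are hypothetical names, and the loopback is a constructed stand-in for a real transport that returns short reads.

```python
import struct

# TDS packet header: type, status, length (big-endian, header included), SPID, packet id, window
TDS_HEADER = struct.Struct(">BBHHBB")
STATUS_EOM = 0x01  # set on the last packet of a message


class ChunkedLoopback:
    """Constructed in-memory transport; recv() hands back at most `chunk` bytes."""
    def __init__(self, chunk=5):
        self.buf = bytearray()
        self.chunk = chunk

    def send(self, data):
        self.buf += data

    def recv(self, n):
        n = min(n, self.chunk)
        out = bytes(self.buf[:n])
        del self.buf[:n]
        return out


class TDSChannel:
    """Frames TDS messages over any transport with send(bytes) and recv(n)."""
    def __init__(self, transport, packet_size=32):
        self.transport = transport
        self.packet_size = packet_size

    def send_message(self, ptype, payload):
        room = self.packet_size - TDS_HEADER.size
        parts = [payload[i:i + room] for i in range(0, len(payload), room)] or [b""]
        for pid, part in enumerate(parts, start=1):
            status = STATUS_EOM if pid == len(parts) else 0
            length = TDS_HEADER.size + len(part)
            self.transport.send(TDS_HEADER.pack(ptype, status, length, 0, pid % 256, 0) + part)

    def _read_exact(self, n):
        data = b""
        while len(data) < n:  # neither a socket nor a pipe guarantees a full read
            chunk = self.transport.recv(n - len(data))
            if not chunk:
                raise ConnectionError("transport closed mid-packet")
            data += chunk
        return data

    def recv_message(self):
        payload = b""
        while True:
            ptype, status, length, _, _, _ = TDS_HEADER.unpack(self._read_exact(TDS_HEADER.size))
            if length < TDS_HEADER.size:
                raise ValueError("TDS length smaller than header")
            payload += self._read_exact(length - TDS_HEADER.size)
            if status & STATUS_EOM:
                return ptype, payload
```
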

Dfte commented Jul 2, 2026

Contributor Author

@gabrielg5 alright! Thanks for the review I'll implement that asap :)!!
