[ WIP ] Add mssqlclient.py capabilities for named pipe only instances #2202

Dfte wants to merge 7 commits into
Conversation
Youhouuuuu

On the left, MSSQL 2025 with force_encryption = on (192.168.56.70); on the right, MSSQL 2022 with force_encryption = off (192.168.56.72).

At the moment the script supports cleartext / force_encryption (which requires TLS inside a named pipe inside SMB, rofl). Note that force_strict_encryption doesn't work on named-pipe-exposed instances because you can't build a TLS socket directly to a named pipe.

@gabrielg5 @anadrianmanrique how do you see me integrating that? The PoC imports both MSSQL from tds.py and smbconnection from smb3. So should I implement all of that inside mssqlclient.py directly? Or should I build another impacket/impacket/tds_named_pipes.py library just for that use case?

Also, I forgot to mention that having that capability would allow future users to relay SMB -> SMB, connect to that named pipe and thus communicate with a SQL database exposed via a named pipe.

I can either:

1. Import tds_named_pipe.py and:

```python
if options.named_pipe:
    ms_sql = MSSQLNamedPipe(
        options.target_ip,
        pipe_name=NamedPipeTransport.MSSQL_PIPE,
        remoteName=remoteName,
        workstation_id=options.host_name,
        application_name=options.app_name,
        client_interface_name=options.client_interface_name
    )
    print(f"[*] Using Named Pipe \\\\{options.target_ip}\\pipe\\sql\\query")
else:
    ms_sql = tds.MSSQL(
        options.target_ip,
        int(options.port),
        remoteName,
        workstation_id=options.host_name,
        application_name=options.app_name,
        client_interface_name=options.client_interface_name
    )
ms_sql.connect()
```

2. Add all the required code inside mssqlclient.py from tds_np.py so that we have a single client with a single tds.py library.

3. Or even integrate the SMB communication inside tds.py as well.
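The SMB-encapsulated TDS transport described in the comment above, as an added example written for this page (not code from this PR, from tds_np.py, or from impacket itself). It assumes an authenticated impacket SMBConnection exposing connectTree/waitNamedPipe/openFile/readFile/writeFile/closeFile/disconnectTree, assumes tds.MSSQL only needs sendall/recv/close from whatever it is given as a socket, and drives the adapter with a constructed in-memory stand-in for the server plus hand-built TDS packets so that it runs offline:

```python
import struct

# TDS header: type(1) status(1) length(2, big-endian, includes header)
# spid(2) packet id(1) window(1). Pipe path is relative to the IPC$ share.
TDS_HEADER_LEN = 8
TDS_PRELOGIN, TDS_TABULAR_RESULT = 0x12, 0x04
SQL_PIPE = '\\sql\\query'   # default instance: \\server\pipe\sql\query


def tds_packet_length(header):
    """Total packet length declared at offset 2 of a TDS header."""
    return struct.unpack('>H', header[2:4])[0]


def build_tds_packet(ptype, payload, packet_id=1):
    """One end-of-message (status 0x01) TDS packet around payload."""
    return struct.pack('>BBHHBB', ptype, 0x01, TDS_HEADER_LEN + len(payload),
                       0, packet_id, 0) + payload


class SMBPipeSocket:
    """sendall/recv/close over the SQL named pipe, meant to replace the TCP
    socket inside tds.MSSQL (assumed to be the only methods it touches).
    `smb` is assumed to be an authenticated impacket SMBConnection; the calls
    are the ones impacket's DCERPC SMBTransport makes for RPC pipes. TLS for
    force_encryption is tunnelled inside TDS PRELOGIN packets, so it passes
    through unchanged; strict encryption wants TLS on the raw transport,
    which a pipe cannot give (as the comment above notes)."""
    def __init__(self, smb, pipe_name=SQL_PIPE):
        self.smb = smb
        self.tid = smb.connectTree('IPC$')
        smb.waitNamedPipe(self.tid, pipe_name)
        self.fid = smb.openFile(self.tid, pipe_name)  # default read/write access
    def sendall(self, data):
        self.smb.writeFile(self.tid, self.fid, data)
    def recv(self, bufsize):
        # A pipe read may return less than one TDS packet: reassemble on the
        # declared length (recv_tds_packet), never on the read size.
        return self.smb.readFile(self.tid, self.fid, 0, bufsize)
    def close(self):
        self.smb.closeFile(self.tid, self.fid)
        self.smb.disconnectTree(self.tid)


def _recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('pipe closed, %d bytes outstanding' % (n - len(buf)))
        buf += chunk
    return buf


def recv_tds_packet(sock):
    """Read exactly one TDS packet, however the pipe chops it up."""
    header = _recv_exact(sock, TDS_HEADER_LEN)
    return header + _recv_exact(sock, tds_packet_length(header) - TDS_HEADER_LEN)


class FakePipeSMB:
    """Constructed stand-in for SMBConnection so this runs offline: records
    client writes and answers reads from pre-split chunks."""
    def __init__(self, chunks):
        self.chunks, self.written, self.is_open = list(chunks), [], False
    def connectTree(self, share):
        assert share == 'IPC$'
        return 1
    def waitNamedPipe(self, tid, pipe_name, timeout=5):
        pass
    def openFile(self, tid, path_name, **kwargs):
        self.is_open = True
        return 7
    def writeFile(self, tid, fid, data, offset=0):
        self.written.append(bytes(data))
    def readFile(self, tid, fid, offset=0, bytesToRead=None, singleCall=True):
        if not self.chunks:
            return b''
        head = self.chunks[0]
        n = len(head) if bytesToRead is None else min(bytesToRead, len(head))
        self.chunks[0] = head[n:]
        if not self.chunks[0]:
            self.chunks.pop(0)
        return head[:n]
    def closeFile(self, tid, fid):
        self.is_open = False
    def disconnectTree(self, tid):
        pass


def demo():
    """Constructed exchange: client sends a PRELOGIN packet, the fake server
    answers with a 28-byte TABULAR_RESULT packet split over two pipe reads.
    Returns (bytes sent, packet reassembled, packet expected, pipe still open)."""
    reply = build_tds_packet(TDS_TABULAR_RESULT, bytes(range(20)))
    fake = FakePipeSMB([reply[:11], reply[11:]])
    sock = SMBPipeSocket(fake)
    sock.sendall(build_tds_packet(TDS_PRELOGIN, b'\x00\x00\x1a\x00\x06\xff'))
    got = recv_tds_packet(sock)
    sock.close()
    return fake.written[0], got, reply, fake.is_open
```

The point of recv_tds_packet is that a named pipe read can hand back less than the declared TDS packet length, so the client has to reassemble on the length field in the header just as it does on TCP. With a real target you would replace FakePipeSMB with an SMBConnection after login() and hand the SMBPipeSocket to the TDS client in place of its socket.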
Hey @Dfte, hello!! Sorry for commenting here after a couple of days. I think the best path moving forward is keeping all that protocol logic centralized in
@gabrielg5 alright! Thanks for the review, I'll implement that asap :)!!


Ayo, here is a work-in-progress PR on the mssqlclient.py client in order to support MSSQL databases relying on named pipes only. So far the tool is able to connect to databases that do not enforce encryption or strict encryption.

I don't really know how to correctly implement the technique, considering it relies on SMB encapsulating TDS, hence the WIP tag. If you have any recommendations, let me know!