Listen to this Post

Introduction:
For years, penetration testers and red teamers have exploited NTLM relay attacks, but a significant limitation existed: while relaying from SMB to MSSQL was possible, the reverse was not. This changed with the introduction of a new MSSQL Relay server in the iconic Impacket library. This article breaks down this new capability, its implications for internal network security, and provides a hands-on guide to leveraging it.
Learning Objectives:
- Understand the fundamental mechanics of NTLM relay attacks and the historical SMB-to-MSSQL limitation.
- Learn how to configure and execute an MSSQL-to-SMB relay attack using the new Impacket module.
- Identify defensive strategies and mitigations to protect against this new attack vector.
You Should Know:
- The Core Concept: Why MSSQL-to-SMB Relay Was a Missing Piece
NTLM relay attacks work by intercepting a client’s authentication attempt and “relaying” those credentials to a different service, effectively tricking the target service into believing the attacker is the legitimate user. The Impacket library’s `ntlmrelayx.py` tool has long been the go-to utility for these attacks. Historically, it could relay an SMB authentication attempt to an MSSQL service, potentially allowing an attacker to execute SQL commands. However, if an MSSQL client initiated authentication to a malicious server, there was no way to relay that authentication to another STLM service, like a file share on an SMB server. This new module fills that gap, creating a bidirectional relay threat and expanding the attack surface significantly.
- Setting Up Your Lab Environment for MSSQL Relay Testing
Before launching an attack, you need a controlled environment. You will require at least three machines: an attacker machine (Kali Linux), a compromised machine running an MSSQL client, and a target machine with SMB signing not required (a common default setting).
On the Attacker Machine (Kali):
First, ensure you have the latest Impacket version. The new MSSQL server is in the development branch.
git clone https://github.com/fortra/impacket.git cd impacket pip install .
Identify Potential Targets: Use tools like `crackmapexec` to find SMB servers that do not require signing, making them viable relay targets.
crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt
This command will generate a list of potential SMB relay targets in the file targets.txt.
3. Launching the MSSQL Relay Server with ntlmrelayx.py
The core of the attack is the `ntlmrelayx.py` script, now with the built-in MSSQL server. The goal is to wait for an MSSQL client to connect, capture its NTLM authentication, and relay it to a target SMB share.
Basic Command:
python ntlmrelayx.py -t smb://192.168.1.10 -smb2support --mssql-server
-t smb://192.168.1.10: This is your target SMB server.
`–smb2support`: Enables support for the SMB2 protocol.
--mssql-server: This is the new flag that tells `ntlmrelayx` to start the MSSQL relay server on the default port 1433.
Upon execution, the tool will set up the SMB, HTTP, and now MSSQL servers, waiting for connections.
4. Triggering the MSSQL Client Authentication
For the attack to succeed, you need an MSSQL client to authenticate to your malicious relay server. This can be achieved through several methods, with the most common being a phishing email containing a malicious link to your attacker IP (e.g., sqlserver://attacker_ip), or by exploiting misconfigured applications or scheduled tasks that connect to a database server you control. Once the client connects and attempts to authenticate, `ntlmrelayx` will capture the NTLM exchange and relay it to the target SMB server (192.168.1.10 in our example).
5. Exploiting Successful Relay for Lateral Movement
A successful relay to an SMB server can lead to significant compromise. The default action of `ntlmrelayx` is to dump the SAM database, revealing local user hashes. However, you can specify more advanced attacks.
Example: Executing a Command on the Target
python ntlmrelayx.py -t smb://192.168.1.10 -smb2support --mssql-server -c "whoami"
The `-c` option executes a system command on the target. In a real-world scenario, this could be used to establish a reverse shell, disable security software, or add a user account.
Example: Dumping Hashes from the Domain Controller
If the relayed credentials have domain admin privileges and the target is a Domain Controller, you can use the `-c` option with a secret-dumping tool.
python ntlmrelayx.py -t smb://DC01.company.com -smb2support --mssql-server -c "secretsdump.py -just-dc COMPANY/[email protected]"
6. Key Mitigations and Defensive Strategies
This new attack vector underscores the critical need for robust NTLM relay mitigations.
Enable SMB Signing: This is the most effective mitigation. SMB signing ensures the communication integrity. Configure Group Policy to require SMB signing on all servers. This will completely block SMB relay attacks.
GPO Path: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications (always).
Enable Extended Protection for Authentication (EPA) on MSSQL: EPA, which leverages Channel Binding Tokens, prevents credential relay by binding the authentication to a specific secure channel (TLS).
Implement Segmention and Firewalls: Restrict unnecessary network traffic. MSSQL clients should not be able to arbitrarily connect to any machine on the network on port 1433.
Migrate to Kerberos: Wherever possible, disable NTLM authentication entirely and rely on the more secure Kerberos protocol.
Apply the Latest Patches: Ensure all systems are updated, as some specific vulnerabilities can facilitate initial compromise.
7. Advanced Attack Scenario: Chaining with Other Techniques
The true power of this module is revealed when chained with other initial access techniques. For instance, an attacker who has compromised a single workstation could use the MSSQL relay server in conjunction with an LLMNR/NBT-NS poisoner like Responder.
Step-by-Step:
- On the attacker machine, run `Responder` to poison name resolution and capture hashes, but disable its HTTP and SMB servers to allow `ntlmrelayx` to handle the relay.
python Responder.py -I eth0 -dw
- In a separate terminal, launch `ntlmrelayx.py` as shown above.
- When a user on the network mistypes a share name (e.g., `\\fleshare` instead of
\\fileshare), `Responder` will poison the request, directing the client’s MSSQL-based application (if it’s trying to connect to a database) to your attacker machine. The MSSQL relay server will then capture this and relay it to a privileged SMB target.
What Undercode Say:
- The development of an MSSQL relay server fundamentally expands the NTLM attack toolkit, turning a previously one-way street into a dangerous two-way road.
- Defensive postures that were once “good enough” are now insufficient; mandating SMB signing is no longer a best practice but a critical necessity.
Analysis: The integration of an MSSQL relay server into Impacket is not just a new feature; it’s a paradigm shift for internal network penetration testing. It forces a re-evaluation of asset criticality. Any service or application that acts as an MSSQL client is now a potential entry point for lateral movement. This development will almost certainly be integrated into automated attack frameworks, lowering the barrier for entry for less experienced attackers. The focus for blue teams must shift from merely protecting servers to comprehensively understanding and securing client-side service interactions across the entire estate. The era of assuming NTLM relay is only a problem for SMB servers is over.
Prediction:
In the next 12-18 months, we predict a noticeable rise in real-world incidents and penetration test reports citing MSSQL-to-SMB relay as a primary method for lateral movement. This will lead to a renewed and urgent push by enterprises to enforce SMB signing mandates and accelerate the deprecation of NTLMv1, with a longer-term goal of completely disabling NTLM in favor of Kerberos. Furthermore, cloud and container environments that leverage Windows-based microservices with MSSQL backends will become new, high-value targets for this technique, expanding the attack surface beyond traditional corporate networks.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Potseluevskaya If – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


