No connection to MSSQL Server with valid creds

[reybango]

Describe the bug
When trying to test connection to MS SQL Server using credentials, NetExec returns nothing. The credentials are valid and establish a SQLi session using mssqlclient.py. Adding the --local-auth flag has no effect.

Taking it further and trying to do a rid brute also returned no data.

To Reproduce
Steps to reproduce the behavior i.e.:
Commands:
netexec mssql ip -u username -p password
netexec mssql ip -u username -p password --rid-brute --local-auth

Resulted in:

Returned no data.

Expected behavior
This should've shown a valid connection. For the rid brute, it should've return a list of user names.

NetExec info

• OS: Kali 6.18.5+kali-amd64
• Version of nxc: 1.5.0 - Yippie-Ki-Yay - Kali Linux -
• Installed from: part of the OS

Additional context
Kali is updated and current as of day of this report. Rid brute from Metasploit using admin/mssql/mssql_enum_domain_accounts module works.

[reybango]

To test this, go to Hack the Box and test on the box called Eighteen. The box provides starter creds that should allow you to connect.

[NeffIsBack]

Hi and thanks for the report.

Not even the host banner is shown? Could that be a timeout issue? What happens if you increase the timeout?

[reybango]

@NeffIsBack unfortunately no effect. The credentials provided below are part of the HTB lab machine assumed breach experience so there's no issues including them as they're openly published.

netexec mssql 10.129.47.34 -u kevin -p 'iNa2we6haRj2gaw!' --timeout 10 --verbose
[10:51:39] INFO     Socket info: host=10.129.47.34, hostname=10.129.47.34, kerberos=False, ipv6=False, link-local ipv6=False                         connection.py:174
           INFO     Failed to create connection object for target 10.129.47.34, exiting...                                                           connection.py:241

netexec mssql 10.129.47.34 -u kevin -p 'iNa2we6haRj2gaw!' --timeout 10 --verbose --local-auth
[10:52:08] INFO     Socket info: host=10.129.47.34, hostname=10.129.47.34, kerberos=False, ipv6=False, link-local ipv6=False                         connection.py:174
           INFO     Failed to create connection object for target 10.129.47.34, exiting...                                                           connection.py:241

Again, I can connect with those creds using mssqlclient.py. If you have a HTB account, you should be able to spin up that machine to see it in action.

[NeffIsBack]

On what port is that mssql instance running?
Can you also share the debug log?

[reybango]

Port 1433

Debug log for netexec mssql 10.129.47.34 -u kevin -p 'iNa2we6haRj2gaw!' --timeout 10 --debug

[11:02:45] DEBUG    NXC VERSION: 1.5.0 - Yippie-Ki-Yay - Kali Linux -                                                                                    netexec.py:82
           DEBUG    PYTHON VERSION: 3.13.11 (main, Dec  8 2025, 11:43:54) [GCC 15.2.0]                                                                   netexec.py:83
           DEBUG    RUNNING ON: Linux Release: 6.18.5+kali-amd64                                                                                         netexec.py:84
           DEBUG    Passed args: Namespace(version=False, threads=256, timeout=10, jitter=None, no_progress=False, log=None, verbose=False, debug=True,  netexec.py:85
                    force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, protocol='mssql', target=['10.129.47.34'], username=['kevin'],                   
                    password=['iNa2we6haRj2gaw!'], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False,                              
                    gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None,                  
                    pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, module=None, module_options=[], list_modules=None,                                   
                    show_module_options=False, hash=[], port=1433, mssql_timeout=5, query=None, database=None, domain=None, local_auth=False, sam=False,              
                    lsa=False, no_output=False, execute=None, ps_execute=None, force_ps32=False, obfs=False, amsi_bypass=None, clear_obfscripts=False,                
                    no_encode=False, put_file=None, get_file=None, rid_brute=None)                                                                                    
           DEBUG    Protocol: mssql                                                                                                                     netexec.py:141
           DEBUG    Protocol Path: /usr/lib/python3/dist-packages/nxc/protocols/mssql.py                                                                netexec.py:144
           DEBUG    Protocol DB Path: /usr/lib/python3/dist-packages/nxc/protocols/mssql/database.py                                                    netexec.py:146
           DEBUG    symmetric using "pyCryptodomex" for "DES"                                                                                           __init__.py:55
           DEBUG    symmetric using "pyCryptodomex" for "TDES"                                                                                          __init__.py:55
           DEBUG    symmetric using "pyCryptodomex" for "AES"                                                                                           __init__.py:55
           DEBUG    symmetric using "pyCryptodomex" for "RC4"                                                                                           __init__.py:55
           DEBUG    Protocol Object: <class 'protocol.mssql'>, type: <class 'type'>                                                                     netexec.py:149
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                                     netexec.py:151
           DEBUG    DB Path: /home/haribo/.nxc/workspaces/default/mssql.db                                                                              netexec.py:154
           DEBUG    Creating ThreadPoolExecutor                                                                                                          netexec.py:45
           DEBUG    Creating thread for <class 'protocol.mssql'>                                                                                         netexec.py:48
           INFO     Socket info: host=10.129.47.34, hostname=10.129.47.34, kerberos=False, ipv6=False, link-local ipv6=False                         connection.py:174
           DEBUG    Kicking off proto_flow                                                                                                           connection.py:238
           DEBUG    Error connecting to MSSQL service on host: 10.129.47.34, reason: MSSQL.connect() takes 1 positional argument but 2 were given          mssql.py:64
           INFO     Failed to create connection object for target 10.129.47.34, exiting...                                                           connection.py:241
           DEBUG    Closing connection to: 10.129.47.34                                                                                              connection.py:189 ```

[NeffIsBack]

That is very weird. At first glance it looks like an issue with the impacket installation. Could you try to install it with pipx (see the wiki) and check if the issue persists?

[reybango]

@NeffIsBack install Impacket with pipx or nxc? Happy to help.

[NeffIsBack]

@NeffIsBack install Impacket with pipx or nxc? Happy to help.

Just NetExec, looks to me like impacket is heavily out of date.

[reybango]

@NeffIsBack Impacket is current at v0.13.0.dev0+20250314.172046.8b4566b1 according to their repo. I build directly from their repo unless nxc is pulling from another part of Kali.

I'll install nxc from pipx now.

[NeffIsBack]

Yeah found the issue. When requesting the NetExec upgrade for kali I gave them an impacket commit that was too old and there fore something critical is missing in the MSSQL protocol. Gonna message the kali team to update their impacket version so this is fixed.

[reybango]

@NeffIsBack ah cool. Glad you found it. And I confirm that installing from pipx works. I can connect to mssql and --rid-brute works.

[NeffIsBack]

@NeffIsBack ah cool. Glad you found it. And I confirm that installing from pipx works. I can connect to mssql and --rid-brute works.

Great👍 I have pinged the kali team to update their impacket version to at least the fixed commit. Until it is updated I fear the MSSQL protocol on kali remains broken.

[NeffIsBack]

Cross ref the issue on the kali bugtracker: https://bugs.kali.org/view.php?id=9468