added channel binding to MSSQL module

garrettfoster13 · Feb 28, 2025 · b779fe0 · b779fe0
1 parent 10e2b4b
commit b779fe0
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/lib/attacks/mssql.py b/lib/attacks/mssql.py
@@ -18,7 +18,7 @@ class MSSQL:
 
     def __init__(self, username=None, password=None, domain=None, target_dom=None, 
                         dc_ip=None,ldaps=False, kerberos=False, no_pass=False, hashes=None, 
-                        aes=None, debug=False, target_user=None, stacked=False, site_code=None):
+                        aes=None, debug=False, target_user=None, stacked=False, channel_binding=False, site_code=None):
             self.username = username
             self.password = password
             self.domain = domain
@@ -32,6 +32,7 @@ def __init__(self, username=None, password=None, domain=None, target_dom=None,
             self.debug = debug
             self.target_user = target_user
             self.stacked = stacked
+            self.channel_binding = channel_binding
             self.site_code = site_code
             self.netbiosname = ""
             self.query_sid = ""
@@ -55,7 +56,7 @@ def run(self):
         try:
             ldap_server, self.ldap_session = init_ldap_session(domain=self.domain, username=self.username, password=self.password,
                                                            lmhash=lmhash, nthash=nthash, kerberos=self.kerberos, domain_controller=self.dc_ip, 
-                                                           aesKey=self.aes, hashes=self.hashes, ldaps=self.ldaps)
+                                                           aesKey=self.aes, hashes=self.hashes, ldaps=self.ldaps, channel_binding=self.channel_binding)
             logger.debug(f'[+] Bind successful {ldap_server}')
 
         except ldap3.core.exceptions.LDAPSocketOpenError as e: 

diff --git a/lib/commands/mssql.py b/lib/commands/mssql.py
@@ -21,12 +21,13 @@ def main(
     debug           : bool  = typer.Option(False, '-debug',help='Enable Verbose Logging'),
     target_user     : str   = typer.Option(..., '-tu', help="Controlled user to grant permissions to."),
     stacked         : bool  = typer.Option(False, '-stacked', help="Provide a single stacked query for relaying."),
+    channel_binding : bool   = typer.Option(None, '-binding', help='Use LDAP channel binding'),
     site_code       : str   = typer.Option(..., '-sc', help="Target site code to add user to.")):
 
 
     mssqlhunter = MSSQL(username=username, password=password, domain=domain, dc_ip=dc_ip,ldaps=ldaps,
                             kerberos=kerberos, no_pass=no_pass, hashes=hashes, aes=aes, debug=debug, 
-                            target_user=target_user, stacked=stacked, site_code=site_code)
+                            target_user=target_user, stacked=stacked, site_code=site_code, channel_binding=channel_binding)
     init_logger(debug)
     mssqlhunter.run()