MSSQL

Dementor includes a simplified MSSQL server that supports NTLM authentication. However, not all MSSQL clients can be used to capture credentials. If the client requires encryption (TLS), the current implementation will terminate the connection.

Note

Dementor will show a hint that encryption was requested from the client:

LLMNR  192.168.56.116  5355   [+] Sent poisoned answer to 192.168.56.116
MDNS   192.168.56.116  5353   [+] Sent poisoned answer to 192.168.56.116
LLMNR  192.168.56.116  5355   [+] Sent poisoned answer to 192.168.56.116
MSSQL  192.168.56.116  1433   [*] Pre-Login request for (blank) (Encryption requested)

Section [MSSQL]

Added in version 1.0.0.dev4.

MSSQL.Port: int = 1433

Maps to mssql.MSSQLConfig.mssql_port

Specifies the port the MSSQL server listens on.

MSSQL.Version: str = "9.00.1399.06"

Maps to mssql.MSSQLConfig.mssql_server_version

Sets the server version string returned to clients.

MSSQL.InstanceName: str = "MSSQLServer"

Maps to mssql.MSSQLConfig.mssql_instance

Specifies the MSSQL instance name returned in SSRP responses. This can be overridden via SSRP.InstanceName.

MSSQL.ExtendedSessionSecurity: bool = true

Maps to mssql.MSSQLConfig.ntlm_ess

Changed in version 1.0.0.dev5: Internal mapping changed from mssql_ess to ntlm_ess

Enables NTLM Extended Session Security (ESS). When enabled, NTLMv1/NTLMv2-SSP hashes are captured instead of raw NTLM hashes. Resolution precedence:

  1. MSSQL.ExtendedSessionSecurity

  2. NTLM.ExtendedSessionSecurity (fallback)

MSSQL.Challenge: str = NTLM.Challenge

Maps to mssql.MSSQLServerConfig.ntlm_challenge

Changed in version 1.0.0.dev5: Internal mapping changed from mssql_challenge to ntlm_challenge

Sets the NTLM challenge value. Resolution order:

  1. MSSQL.Challenge

  2. NTLM.Challenge

MSSQL.FQDN: str = "DEMENTOR"

Maps to mssql.MSSQLServerConfig.mssql_fqdn. May also be set in [Globals]

Sets the Fully Qualified Domain Name (FQDN) returned by the server. The hostname portion is used in NTLM responses; the domain portion is optional.

Error Configuration

MSSQL.ErrorCode: int = 1205

Maps to mssql.MSSQLConfig.mssql_error_code

Sets the MS-SQL-Server error code to return to clients.

MSSQL.ErrorState: int = 1

Maps to mssql.MSSQLConfig.mssql_error_state

Sets the error state value returned to clients.

MSSQL.ErrorClass: int = 1205

Maps to mssql.MSSQLConfig.mssql_error_class

Sets the error class value returned to clients.

MSSQL.ErrorMessage: str

Maps to mssql.MSSQLConfig.mssql_error_msg

Sets the error message value returned to clients.

Section [SSRP]

Added in version 1.0.0.dev4.

SSRP.InstanceConfig: str = ""

Maps to mssql.SSRPConfig.ssrp_instance_config

Defines extra instance configuration values for SSRP responses. The format must follow the RESP_DATA structure from section 2.2.5 (SVR_RESP). The string must begin with a semicolon and MUST NOT end with one. For example:

InstanceConfig = ";rpc;DEMENTOR"

would be valid.
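As an added example (not part of Dementor's own code), the following validator checks the two rules stated above for SSRP.InstanceConfig and splits the value into its fields. It assumes that RESP_DATA consists of alternating key;value tokens terminated by ";;", which is why an appended fragment has to start with a semicolon and must not end with one. The same splitting routine is reused to read a full RESP_DATA string, so a defender inspecting an SSRP reply from a capture can compare the advertised server name, instance and version against the expected inventory. The sample RESP_DATA string below is constructed for the example.

```python
# Added example, not Dementor's code. The key;value layout of RESP_DATA
# and the ";;" terminator are assumptions about the SVR_RESP format.


def _pairs(tokens: list[str]) -> list[tuple[str, str]]:
    """Turn a flat token list into (key, value) pairs, rejecting
    empty tokens and an odd token count."""
    if any(t == "" for t in tokens):
        raise ValueError("empty token (double semicolon) inside the data")
    if len(tokens) % 2 != 0:
        raise ValueError("expected key;value pairs, got %d tokens" % len(tokens))
    return list(zip(tokens[0::2], tokens[1::2]))


def validate_instance_config(value: str) -> list[tuple[str, str]]:
    """Check an SSRP.InstanceConfig value against the documented rules
    and return the key/value pairs it carries.

    - the empty string (the default) is allowed and carries nothing
    - the string must begin with ';'
    - the string must not end with ';'
    """
    if value == "":
        return []
    if not value.startswith(";"):
        raise ValueError("InstanceConfig must begin with a semicolon")
    if value.endswith(";"):
        raise ValueError("InstanceConfig must not end with a semicolon")
    return _pairs(value[1:].split(";"))


def parse_resp_data(resp_data: str) -> dict[str, str]:
    """Split a RESP_DATA string into a dict of its fields.

    Assumes the string is key;value pairs terminated by ';;'.  Duplicate
    keys are rejected so a malformed reply does not silently lose data.
    """
    if not resp_data.endswith(";;"):
        raise ValueError("RESP_DATA must be terminated by ';;'")
    fields: dict[str, str] = {}
    for key, val in _pairs(resp_data[:-2].split(";")):
        if key in fields:
            raise ValueError("duplicate RESP_DATA key: %s" % key)
        fields[key] = val
    return fields


def check_expected(resp_data: str, expected: dict[str, str]) -> list[str]:
    """Compare the fields of an observed RESP_DATA string with the values
    expected for a known server; return a list of mismatches."""
    seen = parse_resp_data(resp_data)
    problems = []
    for key, want in expected.items():
        got = seen.get(key)
        if got != want:
            problems.append("%s: expected %r, got %r" % (key, want, got))
    return problems


if __name__ == "__main__":
    # Constructed sample RESP_DATA, using the page's default values.
    sample = (
        "ServerName;DEMENTOR;InstanceName;MSSQLServer;IsClustered;No;"
        "Version;9.00.1399.06;tcp;1433;;"
    )
    print(validate_instance_config(";rpc;DEMENTOR"))
    print(parse_resp_data(sample))
    print(check_expected(sample, {"ServerName": "SQL01", "Version": "9.00.1399.06"}))
```

validate_instance_config accepts the page's example ";rpc;DEMENTOR" and rejects both a missing leading semicolon and a trailing one; parse_resp_data and check_expected are the defensive counterpart, splitting an observed reply and listing which fields differ from what a known server is expected to advertise.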

Inherited from [MSSQL]

SSRP.FQDN: str = MSSQL.FQDN

Maps to mssql.SSRPConfig.ssrp_server_name. May also be set in [Globals]

Defines the server name as described in MSSQL.FQDN.

SSRP.Version: str = MSSQL.Version

Maps to mssql.SSRPConfig.ssrp_server_version. May also be set in [MSSQL]

Defines the server version string as described in MSSQL.Version.

SSRP.InstanceName: str = MSSQL.InstanceName

Maps to mssql.SSRPConfig.ssrp_server_instance. May also be set in [MSSQL]

Sets the server instance name, as described in MSSQL.InstanceName.

Default Configuration

MSSQL and SSRP configuration section (default values):

[MSSQL]
ErrorCode = 1205
Version = "9.00.1399.06"
InstanceName = "MSSQLServer"

[SSRP]
# empty by default