Pennyw0rth · Dfte · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025
@@ -0,0 +1,49 @@
+from impacket import tds
+from nxc.helpers.misc import CATEGORY
+
+
+# Module writtent by @Defte_
+class NXCModule:
+    name = "mssql_cbt"
+    description = "Checks whether Channel Binding is enabled on the MSSQL database"
+    supported_protocols = ["mssql"]
+    category = CATEGORY.ENUMERATION
+
+    def options(self, context, module_options):
+        self.logger = context.log
+
+    def on_login(self, context, connection):
+
+        if not connection.encryption:
+            self.logger.highlight("TLS not required: Channel Binding Token NOT REQUIRED")
+            return
+
+        if connection.args.local_auth:
+            self.logger.highlight("Local auth: CANNOT check Channel Binding Token configuration")
+            return
+
+        ntlm_hash = f":{connection.nthash}" if connection.nthash else None
+
+        new_conn = tds.MSSQL(connection.host, connection.port, connection.conn.remoteName)
+        new_conn.connect(connection.args.mssql_timeout)
+
+        if connection.kerberos:
+            success = new_conn.kerberosLogin(
+                None, connection.username, connection.password, connection.targetDomain,
+                ntlm_hash, connection.aesKey, connection.kdcHost,
+                None, None, connection.use_kcache,
+                cbt_fake_value=b""
+            )
+        else:
+            success = new_conn.login(
+                None, connection.username, connection.password, connection.targetDomain,
+                ntlm_hash, not connection.args.local_auth,
+                cbt_fake_value=b""
+            )
+
+        self.logger.highlight(
+            "Connection successful: Channel Binding Token NOT REQUIRED"
+            if success else
+            "Connection failed: Channel Binding Token REQUIRED"
+        )
+        new_conn.disconnect()
@@ -284,6 +284,7 @@ netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M mssql_
 netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M nanodump
 netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M test_connection -o HOST=localhost
 netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle
+netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M mssql_cbt
 ##### RDP
 netexec rdp TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS # need an extra space after this command due to regex
 netexec {DNS} rdp TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS
@@ -317,4 +318,4 @@ netexec ftp TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE
 netexec nfs TARGET_HOST -u "" -p "" --shares
 netexec nfs TARGET_HOST -u "" -p "" --enum-shares
 netexec nfs TARGET_HOST -u "" -p "" --get-file /NFStest/test/test.txt ../test.txt
-netexec nfs TARGET_HOST -u "" -p "" --put-file ../test.txt /NFStest/test
+netexec nfs TARGET_HOST -u "" -p "" --put-file ../test.txt /NFStest/test