Custom fake CBT flag for MSSQLClient via TDS.py #2098

Open
Dfte wants to merge 2 commits into fortra:master from Dfte:master
Dfte (Contributor) commented Dec 23, 2025

Heyo team!

This PR adds a custom fake_cbt_value that we can use to detect whether CBT is required or not on an MSSQL database.

This will be used for an upcoming module (mssql_cbt) on nxc:

  • With CBT required: [image]
  • With CBT not required: [image]

The variable is added to the login and kerberosLogin functions and automatically set to None so that it doesn't change the entire toolkit built over tds.py.

Let me know if you want a custom option for mssqlshell :)

See ya!

anadrianmanrique added the "in review" label Jan 8, 2026

Dfte (Contributor Author) commented Mar 9, 2026

Hey @anadrianmanrique, any news on this one? :P

anadrianmanrique (Collaborator) commented

@Dfte hey there. This was not assigned to anyone. I think that's why it's been off the radar.
I think the discussion we had was that it would be good to have a way to test this in the same way we did with #1977. Could this be integrated into CheckLDAStatus, but changing the script's name? Does it make sense to have a CheckMSSQLStatus.py? I'm not super happy with any of those. You might have better ideas than me.

anadrianmanrique self-assigned this Mar 10, 2026

Dfte (Contributor Author) commented Mar 10, 2026

Hey! No problem :)!!
I'm not against developing the check script, this is easy :)!

That said, I believe we'll have to factorize CBT computation codes because for the moment we have implemented the following techniques:

  • tls-server-end-point for LDAPS
  • tls-unique for MSSQL

(and we'll have to write the tls-exporter one at some point)

These could be reused in other protocols, so maybe we'll have to create a ChannelBindingComputation.py code with all these functions at some point.
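
The two binding types named in the comment above, computed side by side; this is an added example, not code from the PR or from impacket. The function names and sample bytes are constructed for illustration, and the token layout assumed is the MD5 of a GSS channel-bindings structure with the RFC 5929 application data.

```python
import hashlib
import struct

# RFC 5929 section 4.1: a certificate signed with MD5 or SHA-1 is hashed with
# SHA-256; any other signature hash is used as-is.
_UPGRADED = {"md5", "sha1"}
_TYPES = ("tls-server-end-point", "tls-unique")


def server_end_point_hash(cert_der: bytes, sig_hash: str) -> bytes:
    """Certificate hash that tls-server-end-point binds to."""
    name = sig_hash.lower()
    return hashlib.new("sha256" if name in _UPGRADED else name, cert_der).digest()


def application_data(binding_type: str, value: bytes) -> bytes:
    """'<type>:' prefix followed by the raw binding value."""
    if binding_type not in _TYPES:
        raise ValueError(f"unsupported channel binding type: {binding_type}")
    if not value:
        raise ValueError("empty channel binding value")
    return binding_type.encode("ascii") + b":" + value


def channel_binding_token(app_data: bytes) -> bytes:
    """MD5 of a gss_channel_bindings_struct with no initiator/acceptor address."""
    # Four zeroed 32-bit fields (address types and lengths), then the
    # little-endian length of the application data, then the data itself.
    blob = b"\x00" * 16 + struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(blob).digest()


if __name__ == "__main__":
    cert = b"constructed-der-bytes"   # constructed stand-in for a DER certificate
    finished = bytes(range(12))       # constructed stand-in for a TLS Finished message
    ldaps = channel_binding_token(
        application_data("tls-server-end-point", server_end_point_hash(cert, "sha1")))
    mssql = channel_binding_token(application_data("tls-unique", finished))
    print("LDAPS CBT:", ldaps.hex())
    print("MSSQL CBT:", mssql.hex())
```

On a live connection, Python's `ssl.SSLSocket.get_channel_binding("tls-unique")` returns the value passed here as `finished`.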

anadrianmanrique (Collaborator) commented

OK, I think the best would be to implement CheckMSSQLStatus.py for now to test channel binding support. Information regarding #2122 could also be added later. After that we should probably discuss how to unify at least LDAP and MSSQL into one script. Thanks!
