MSSQL login shows that credentials are both valid and invalid #1115
Description
Describe the bug
When testing credentials against a MSSQL server nxc shows that the credentials are both valid and invalid. This only happens when using a specific casing of the username.
To my surprise I just found out that MSSQL logins can be case sensitive: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/logging-in-to-sql-server?view=sql-server-ver17
"If you installed SQL Server with a case-sensitive collation, your SQL Server login is also case sensitive."
But I'm not sure if that is related.
To Reproduce
Running nxc mssql --port 6520 s200401.overwatch.htb -u 'sqlsvc' -p 'TI0LKcfHzZw1Vv' works as expected and nxc shows the [+] since the credentials are valid.
Running the same command but with the username cased differently. For example SQLSVC or SQLsVc results in nxc showing both [+] and [-]. See screenshot below.
I observed this behavior on both the "Overwatch" and "Signed" Hack The Box machines.
Successful command with debug:
nxc mssql --port 6520 s200401.overwatch.htb -u 'sqlsvc' -p 'TI0LKcfHzZw1Vv' --debug
[11:49:23] DEBUG NXC VERSION: 1.5.0 - Yippie-Ki-Yay - f363124e - 67 netexec.py:82
DEBUG PYTHON VERSION: 3.13.11 (main, Dec 8 2025, 11:43:54) [GCC 15.2.0] netexec.py:83
DEBUG RUNNING ON: Linux Release: 6.18.5+kali-amd64 netexec.py:84
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, no_progress=False, log=None, verbose=False, debug=True, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, netexec.py:85
protocol='mssql', target=['s200401.overwatch.htb'], username=['sqlsvc'], password=['TI0LKcfHzZw1Vv'], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False,
gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None, pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, module=None,
module_options=[], list_modules=None, show_module_options=False, hash=[], port=6520, mssql_timeout=5, query=None, database=None, domain=None, local_auth=False, sam=False, lsa=False, no_output=False,
execute=None, ps_execute=None, force_ps32=False, obfs=False, amsi_bypass=None, clear_obfscripts=False, no_encode=False, put_file=None, get_file=None, rid_brute=None)
DEBUG Protocol: mssql netexec.py:141
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql.py netexec.py:144
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql/database.py netexec.py:146
DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.mssql'>, type: <class 'type'> netexec.py:149
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:151
DEBUG DB Path: /home/kali/.nxc/workspaces/default/mssql.db netexec.py:154
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.mssql'> netexec.py:48
INFO Socket info: host=10.129.4.168, hostname=s200401.overwatch.htb, kerberos=False, ipv6=False, link-local ipv6=False connection.py:174
DEBUG Kicking off proto_flow connection.py:238
DEBUG Created connection object connection.py:243
[11:49:24] DEBUG NTLM challenge: mssql.py:131
b'NTLMSSP\x00\x02\x00\x00\x00\x12\x00\x12\x008\x00\x00\x00\x05\x02\x89\xa2\x93\xc8Y\x02\x03\x98y\xe5\x00\x00\x00\x00\x00\x00\x00\x00\xa2\x00\xa2\x00J\x00\x00\x00\n\x00|O\x00\x00\x00\x0fO\x00V\x00E\x00R\x00
W\x00A\x00T\x00C\x00H\x00\x02\x00\x12\x00O\x00V\x00E\x00R\x00W\x00A\x00T\x00C\x00H\x00\x01\x00\x0e\x00S\x002\x000\x000\x004\x000\x001\x00\x04\x00\x1a\x00o\x00v\x00e\x00r\x00w\x00a\x00t\x00c\x00h\x00.\x00h\
x00t\x00b\x00\x03\x00*\x00S\x002\x000\x000\x004\x000\x001\x00.\x00o\x00v\x00e\x00r\x00w\x00a\x00t\x00c\x00h\x00.\x00h\x00t\x00b\x00\x05\x00\x1a\x00o\x00v\x00e\x00r\x00w\x00a\x00t\x00c\x00h\x00.\x00h\x00t\x
00b\x00\x07\x00\x08\x00\xa7\xad\x87\x93V\xa2\xdc\x01\x00\x00\x00\x00'
DEBUG overwatch.htb 10.129.4.168 Windows Server 2022 Build 20348 0 database.py:91
DEBUG mssql add_host() - hosts returned: [(7, '10.129.4.168', 'S200401', 'overwatch.htb', 'Windows Server 2022 Build 20348', 0)] database.py:98
DEBUG Update Hosts: [{'id': 7, 'ip': '10.129.4.168', 'hostname': 'S200401', 'domain': 'overwatch.htb', 'os': 'Windows Server 2022 Build 20348', 'instances': 0}] database.py:126
INFO Resolved domain: overwatch.htb with dns, kdcHost: 10.129.4.168 mssql.py:153
[11:49:24] INFO MSSQL 10.129.4.168 6520 S200401 Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb) (EncryptionReq:False) mssql.py:157
DEBUG Trying to authenticate using plaintext with domain connection.py:505
[11:49:25] INFO MSSQL 10.129.4.168 6520 S200401 overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv mssql.py:221
[11:49:25] DEBUG add_credential(credtype=plaintext, domain=overwatch.htb, username=sqlsvc, password=TI0LKcfHzZw1Vv, pillaged_from=None) database.py:172
DEBUG Using 'ip' column for filtering database.py:116
DEBUG filter_term is an IP address: 10.129.4.168 database.py:127
DEBUG Calling command arguments connection.py:260
DEBUG Closing connection to: s200401.overwatch.htb
Command with different casing:
nxc mssql --port 6520 s200401.overwatch.htb -u 'SQLSVC' -p 'TI0LKcfHzZw1Vv' --debug
[11:49:34] DEBUG NXC VERSION: 1.5.0 - Yippie-Ki-Yay - f363124e - 67 netexec.py:82
DEBUG PYTHON VERSION: 3.13.11 (main, Dec 8 2025, 11:43:54) [GCC 15.2.0] netexec.py:83
DEBUG RUNNING ON: Linux Release: 6.18.5+kali-amd64 netexec.py:84
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, no_progress=False, log=None, verbose=False, debug=True, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, netexec.py:85
protocol='mssql', target=['s200401.overwatch.htb'], username=['SQLSVC'], password=['TI0LKcfHzZw1Vv'], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False,
gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None, pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, module=None,
module_options=[], list_modules=None, show_module_options=False, hash=[], port=6520, mssql_timeout=5, query=None, database=None, domain=None, local_auth=False, sam=False, lsa=False, no_output=False,
execute=None, ps_execute=None, force_ps32=False, obfs=False, amsi_bypass=None, clear_obfscripts=False, no_encode=False, put_file=None, get_file=None, rid_brute=None)
DEBUG Protocol: mssql netexec.py:141
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql.py netexec.py:144
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql/database.py netexec.py:146
DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.mssql'>, type: <class 'type'> netexec.py:149
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:151
DEBUG DB Path: /home/kali/.nxc/workspaces/default/mssql.db netexec.py:154
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.mssql'> netexec.py:48
INFO Socket info: host=10.129.4.168, hostname=s200401.overwatch.htb, kerberos=False, ipv6=False, link-local ipv6=False connection.py:174
DEBUG Kicking off proto_flow connection.py:238
DEBUG Created connection object connection.py:243
[11:49:35] DEBUG NTLM challenge: mssql.py:131
b'NTLMSSP\x00\x02\x00\x00\x00\x12\x00\x12\x008\x00\x00\x00\x05\x02\x89\xa2K\xd2*\xedF\xc1\x13\xcc\x00\x00\x00\x00\x00\x00\x00\x00\xa2\x00\xa2\x00J\x00\x00\x00\n\x00|O\x00\x00\x00\x0fO\x00V\x00E\x00R\x00W\x
00A\x00T\x00C\x00H\x00\x02\x00\x12\x00O\x00V\x00E\x00R\x00W\x00A\x00T\x00C\x00H\x00\x01\x00\x0e\x00S\x002\x000\x000\x004\x000\x001\x00\x04\x00\x1a\x00o\x00v\x00e\x00r\x00w\x00a\x00t\x00c\x00h\x00.\x00h\x00
t\x00b\x00\x03\x00*\x00S\x002\x000\x000\x004\x000\x001\x00.\x00o\x00v\x00e\x00r\x00w\x00a\x00t\x00c\x00h\x00.\x00h\x00t\x00b\x00\x05\x00\x1a\x00o\x00v\x00e\x00r\x00w\x00a\x00t\x00c\x00h\x00.\x00h\x00t\x00b
\x00\x07\x00\x08\x00\xcd\xd4E\x9aV\xa2\xdc\x01\x00\x00\x00\x00'
DEBUG overwatch.htb 10.129.4.168 Windows Server 2022 Build 20348 0 database.py:91
DEBUG mssql add_host() - hosts returned: [(7, '10.129.4.168', 'S200401', 'overwatch.htb', 'Windows Server 2022 Build 20348', 0)] database.py:98
DEBUG Update Hosts: [{'id': 7, 'ip': '10.129.4.168', 'hostname': 'S200401', 'domain': 'overwatch.htb', 'os': 'Windows Server 2022 Build 20348', 'instances': 0}] database.py:126
INFO Resolved domain: overwatch.htb with dns, kdcHost: 10.129.4.168 mssql.py:153
[11:49:35] INFO MSSQL 10.129.4.168 6520 S200401 Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb) (EncryptionReq:False) mssql.py:157
DEBUG Trying to authenticate using plaintext with domain connection.py:505
[11:49:37] INFO MSSQL 10.129.4.168 6520 S200401 overwatch.htb\SQLSVC:TI0LKcfHzZw1Vv mssql.py:221
[11:49:37] DEBUG add_credential(credtype=plaintext, domain=overwatch.htb, username=SQLSVC, password=TI0LKcfHzZw1Vv, pillaged_from=None) database.py:172
[11:49:37] INFO MSSQL 10.129.4.168 6520 S200401 overwatch.htb\SQLSVC:TI0LKcfHzZw1Vv mssql.py:238
DEBUG Closing connection to: s200401.overwatch.htb
Expected behavior
Either just valid or invalid should be shown.
Screenshots
NetExec info
- OS: Kali
- Version of nxc: 1.5.0 - Yippie-Ki-Yay - f363124 - 67
- Installed from: pipx