Describe the bug
Using --rid-brute over MSSQL with empty credentials results in a hang, with one CPU core pinned at 100%.
To Reproduce
Run nxc mssql <host> -u '' -p '' --rid-brute. I tested this on two different MSSQL servers with the same results.
Credentials are not valid:
nxc mssql DC01.eighteen.htb -u '' -p ''
MSSQL 10.129.4.209 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False)
MSSQL 10.129.4.209 1433 DC01 [-] eighteen.htb\: (Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Please try again with or without '--local-auth')
Command causing infinite loop:
nxc mssql DC01.eighteen.htb -u '' -p '' --rid-brute --debug
[21:20:51] DEBUG NXC VERSION: 1.5.0 - Yippie-Ki-Yay - f363124e - 67 netexec.py:82
DEBUG PYTHON VERSION: 3.13.11 (main, Dec 8 2025, 11:43:54) [GCC 15.2.0] netexec.py:83
DEBUG RUNNING ON: Linux Release: 6.18.5+kali-amd64 netexec.py:84
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, no_progress=False, log=None, verbose=False, debug=True, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, netexec.py:85
protocol='mssql', target=['DC01.eighteen.htb'], username=[''], password=[''], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False, gfail_limit=None, ufail_limit=None,
fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None, pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, module=None, module_options=[], list_modules=None,
show_module_options=False, hash=[], port=1433, mssql_timeout=5, query=None, database=None, domain=None, local_auth=False, sam=False, lsa=False, no_output=False, execute=None, ps_execute=None,
force_ps32=False, obfs=False, amsi_bypass=None, clear_obfscripts=False, no_encode=False, put_file=None, get_file=None, rid_brute=4000)
DEBUG Protocol: mssql netexec.py:141
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql.py netexec.py:144
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql/database.py netexec.py:146
[21:20:52] DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.mssql'>, type: <class 'type'> netexec.py:149
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:151
DEBUG DB Path: /home/kali/.nxc/workspaces/default/mssql.db netexec.py:154
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.mssql'> netexec.py:48
INFO Socket info: host=10.129.4.209, hostname=DC01.eighteen.htb, kerberos=False, ipv6=False, link-local ipv6=False connection.py:174
DEBUG Kicking off proto_flow connection.py:238
DEBUG Created connection object connection.py:243
[21:20:53] DEBUG NTLM challenge: mssql.py:131
b'NTLMSSP\x00\x02\x00\x00\x00\x10\x00\x10\x008\x00\x00\x00\x05\x02\x89\xa2c\xc2\xe0\x88\xa3\x94\xac\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x8e\x00\x8e\x00H\x00\x00\x00\n\x00\xf4e\x00\x00\x00\x0fE\x00I\x00G\x00H\x00T\x00E\x00E\x00N\x00\x02\x00\x10\x00E\x00I\x00G\x00H\x00T\x00E\x00E\x00N\x00\x01\x00\x08\x00D\x00C\x000\x001\x00\x04\x00\x18\x00e\x00i\x00g\x00h\x00t\x00e\x00e\x00n\x00.\x00h\x00t\x00b\x00\x03\x00"\x00D\x00C\x000\x001\x00.\x00e\x00i\x00g\x00h\x00t\x00e\x00e\x00n\x00.\x00h\x00t\x00b\x00\x05\x00\x18\x00e\x00i\x00g\x00h\x00t\x00e\x00e\x00n\x00.\x00h\x00t\x00b\x00\x07\x00\x08\x00\xf0\x839\x07\x9e\xa2\xdc\x01\x00\x00\x00\x00'
DEBUG eighteen.htb 10.129.4.209 Windows 11 / Server 2025 Build 26100 0 database.py:91
DEBUG mssql add_host() - hosts returned: [(9, '10.129.4.209', 'DC01', 'eighteen.htb', 'Windows 11 / Server 2025 Build 26100', 0)] database.py:98
DEBUG Update Hosts: [{'id': 9, 'ip': '10.129.4.209', 'hostname': 'DC01', 'domain': 'eighteen.htb', 'os': 'Windows 11 / Server 2025 Build 26100', 'instances': 0}] database.py:126
INFO Resolved domain: eighteen.htb with dns, kdcHost: 10.129.4.209 mssql.py:153
[21:20:53] INFO MSSQL 10.129.4.209 1433 DC01 Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False) mssql.py:157
DEBUG Trying to authenticate using plaintext with domain connection.py:505
[21:20:54] INFO MSSQL 10.129.4.209 1433 DC01 eighteen.htb\: (Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Please try again with or without '--local-auth') mssql.py:238
[21:20:54] DEBUG Calling command arguments connection.py:260
DEBUG Calling rid_brute()
Expected behavior
Command should error out and not enter infinite loop.
NetExec info
- OS: Kali
- Version of nxc: 1.5.0 - Yippie-Ki-Yay - f363124 - 67
- Installed from: pipx
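The behaviour the report asks for, shown as an added example that is not NetExec's own code: a RID-cycling routine that refuses to start on a session whose login failed, and that aborts after a run of consecutive query errors instead of spinning forever. The FakeMssqlSession class, its directory of RID-to-name mappings and the domain SID are constructed test data; the T-SQL shape SELECT SUSER_SNAME(SID_BINARY(N'<SID>')) is assumed to be what an MSSQL RID brute would send, not taken from nxc's mssql.py.

```python
"""Bounded RID cycling over a stand-in MSSQL session (added example, not nxc code)."""
import re
from dataclasses import dataclass, field
from typing import Optional


class RidBruteError(Exception):
    """Raised when RID cycling cannot proceed; the caller prints it and exits."""


@dataclass
class FakeMssqlSession:
    """Hypothetical stand-in for an MSSQL connection; assumption, not nxc's class."""
    authenticated: bool
    # Constructed directory of RID -> principal name the server would resolve.
    directory: dict = field(default_factory=dict)
    domain_sid: str = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
    fail_after: Optional[int] = None  # simulate the session dying after N queries
    queries: int = 0

    def sql_query(self, query: str) -> list:
        """Answer a SUSER_SNAME(SID_BINARY(...)) query or refuse like an unauthenticated server."""
        self.queries += 1
        dropped = self.fail_after is not None and self.queries > self.fail_after
        if not self.authenticated or dropped:
            # Same refusal the issue log shows for the anonymous logon.
            raise PermissionError("Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'")
        m = re.search(r"SID_BINARY\(N'(S-1-5-21-\d+-\d+-\d+)-(\d+)'\)", query)
        if not m or m.group(1) != self.domain_sid:
            raise ValueError(f"unexpected query: {query}")
        # One row, one column: the resolved name or NULL (None) for an unused RID.
        return [(self.directory.get(int(m.group(2))),)]


def rid_brute(session: FakeMssqlSession, max_rid: int = 4000,
              max_consecutive_errors: int = 10) -> list:
    """Resolve RIDs 500..max_rid to names, failing fast instead of looping forever."""
    # Guard 1: never enter the loop on a session whose login did not succeed.
    if not session.authenticated:
        raise RidBruteError("session is not authenticated; refusing to cycle RIDs")

    found = []
    consecutive_errors = 0
    # Guard 2: the range is finite, so the loop has a hard upper bound on work.
    for rid in range(500, max_rid + 1):
        sid = f"{session.domain_sid}-{rid}"
        query = f"SELECT SUSER_SNAME(SID_BINARY(N'{sid}'))"  # assumed query shape
        try:
            rows = session.sql_query(query)
        except PermissionError as exc:
            # Guard 3: a run of errors means the session is gone; stop, do not retry.
            consecutive_errors += 1
            if consecutive_errors >= max_consecutive_errors:
                raise RidBruteError(
                    f"aborting after {consecutive_errors} consecutive errors: {exc}"
                ) from exc
            continue
        consecutive_errors = 0
        name = rows[0][0]
        if name:
            found.append((rid, name))
    return found


if __name__ == "__main__":
    # Unauthenticated: error out immediately, zero queries sent.
    try:
        rid_brute(FakeMssqlSession(authenticated=False))
    except RidBruteError as err:
        print("refused:", err)
    # Authenticated: enumerate a constructed directory.
    ok = FakeMssqlSession(authenticated=True, directory={
        500: "EXAMPLE\\Administrator", 512: "EXAMPLE\\Domain Admins", 1103: "EXAMPLE\\svc_sql",
    })
    print(rid_brute(ok, max_rid=1200), "queries:", ok.queries)
```

The three guards are independent: the pre-check covers the case in this report (login failed, command still dispatched), the finite range bounds the happy path, and the consecutive-error cap covers a session that dies part-way through.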