Describe the bug
Running --rid-brute over MSSQL without specifying credentials results in UnboundLocalError.
To Reproduce
Run `nxc mssql <host> --rid-brute`. I tested this on two different MSSQL servers with the same result.
```text
nxc mssql DC01.eighteen.htb --rid-brute --debug
[21:28:04] DEBUG NXC VERSION: 1.5.0 - Yippie-Ki-Yay - f363124e - 67 netexec.py:82
DEBUG PYTHON VERSION: 3.13.11 (main, Dec 8 2025, 11:43:54) [GCC 15.2.0] netexec.py:83
DEBUG RUNNING ON: Linux Release: 6.18.5+kali-amd64 netexec.py:84
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, no_progress=False, log=None, verbose=False, debug=True, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, netexec.py:85
protocol='mssql', target=['DC01.eighteen.htb'], username=[], password=[], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False, gfail_limit=None, ufail_limit=None,
fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None, pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, module=None, module_options=[], list_modules=None,
show_module_options=False, hash=[], port=1433, mssql_timeout=5, query=None, database=None, domain=None, local_auth=False, sam=False, lsa=False, no_output=False, execute=None, ps_execute=None,
force_ps32=False, obfs=False, amsi_bypass=None, clear_obfscripts=False, no_encode=False, put_file=None, get_file=None, rid_brute=4000)
DEBUG Protocol: mssql netexec.py:141
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql.py netexec.py:144
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql/database.py netexec.py:146
DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.mssql'>, type: <class 'type'> netexec.py:149
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:151
DEBUG DB Path: /home/kali/.nxc/workspaces/default/mssql.db netexec.py:154
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.mssql'> netexec.py:48
INFO Socket info: host=10.129.4.209, hostname=DC01.eighteen.htb, kerberos=False, ipv6=False, link-local ipv6=False connection.py:174
DEBUG Kicking off proto_flow connection.py:238
DEBUG Created connection object connection.py:243
[21:28:05] DEBUG NTLM challenge: mssql.py:131
b'NTLMSSP\x00\x02\x00\x00\x00\x10\x00\x10\x008\x00\x00\x00\x05\x02\x89\xa2\xc5p\x00\xe3r\xacS\xe4\x00\x00\x00\x00\x00\x00\x00\x00\x8e\x00\x8e\x00H\x00\x00\x00\n\x00\xf4e\x00\x00\x00\x0fE\x00I\x00G\x00H\x00
T\x00E\x00E\x00N\x00\x02\x00\x10\x00E\x00I\x00G\x00H\x00T\x00E\x00E\x00N\x00\x01\x00\x08\x00D\x00C\x000\x001\x00\x04\x00\x18\x00e\x00i\x00g\x00h\x00t\x00e\x00e\x00n\x00.\x00h\x00t\x00b\x00\x03\x00"\x00D\x0
0C\x000\x001\x00.\x00e\x00i\x00g\x00h\x00t\x00e\x00e\x00n\x00.\x00h\x00t\x00b\x00\x05\x00\x18\x00e\x00i\x00g\x00h\x00t\x00e\x00e\x00n\x00.\x00h\x00t\x00b\x00\x07\x00\x08\x00\xf2\x04\n\t\x9f\xa2\xdc\x01\x00
\x00\x00\x00'
DEBUG eighteen.htb 10.129.4.209 Windows 11 / Server 2025 Build 26100 0 database.py:91
DEBUG mssql add_host() - hosts returned: [(9, '10.129.4.209', 'DC01', 'eighteen.htb', 'Windows 11 / Server 2025 Build 26100', 0)] database.py:98
DEBUG Update Hosts: [{'id': 9, 'ip': '10.129.4.209', 'hostname': 'DC01', 'domain': 'eighteen.htb', 'os': 'Windows 11 / Server 2025 Build 26100', 'instances': 0}] database.py:126
INFO Resolved domain: eighteen.htb with dns, kdcHost: 10.129.4.209 mssql.py:153
[21:28:05] INFO MSSQL 10.129.4.209 1433 DC01 Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False) mssql.py:157
DEBUG Calling command arguments connection.py:260
DEBUG Calling rid_brute() connection.py:282
[21:28:05] INFO MSSQL 10.129.4.209 1433 DC01 Error parsing SID. Not domain joined?: list index out of range mssql.py:436
ERROR Exception while calling proto_flow() on target DC01.eighteen.htb: cannot access local variable 'domain_sid' where it is not associated with a value connection.py:187
╭───────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────╮
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:177 in __init__ │
│ │
│ 174 │ │ self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, │
│ kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local │
│ ipv6={self.is_link_local_ipv6}") │
│ 175 │ │ │
│ 176 │ │ try: │
│ ❱ 177 │ │ │ self.proto_flow() │
│ 178 │ │ except FileNotFoundError as e: │
│ 179 │ │ │ self.logger.error(f"File not found error on target {target}: {e}") │
│ 180 │ │ except Exception as e: │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:261 in proto_flow │
│ │
│ 258 │ │ │ │ │ self.call_modules() │
│ 259 │ │ │ │ else: │
│ 260 │ │ │ │ │ self.logger.debug("Calling command arguments") │
│ ❱ 261 │ │ │ │ │ self.call_cmd_args() │
│ 262 │ │ │ self.disconnect() │
│ 263 │ │
│ 264 │ def call_cmd_args(self): │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:283 in call_cmd_args │
│ │
│ 280 │ │ for attr, value in vars(self.args).items(): │
│ 281 │ │ │ if hasattr(self, attr) and callable(getattr(self, attr)) and value is not │
│ False and value is not None: │
│ 282 │ │ │ │ self.logger.debug(f"Calling {attr}()") │
│ ❱ 283 │ │ │ │ getattr(self, attr)() │
│ 284 │ │
│ 285 │ def call_modules(self): │
│ 286 │ │ """Calls modules and performs various actions based on the module's attributes. │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql.py:446 in rid_brute │
│ │
│ 443 │ │ │ │ break │
│ 444 │ │ │ │
│ 445 │ │ │ # Batch query multiple sids at a time │
│ ❱ 446 │ │ │ sid_queries = [f"SELECT SUSER_SNAME(SID_BINARY(N'{domain_sid}-{i:d}'))" for │
│ i in range(so_far, so_far + sids_to_check)] │
│ 447 │ │ │ raw_output = self.conn.sql_query(";".join(sid_queries)) │
│ 448 │ │ │ │
│ 449 │ │ │ for n, item in enumerate(raw_output): │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
UnboundLocalError: cannot access local variable 'domain_sid' where it is not associated with a value
[21:28:06] DEBUG Closing connection to: DC01.eighteen.htb
```
Expected behavior
The command should fail to authenticate without a stack trace.
NetExec info
- OS: Kali
- Version of nxc: 1.5.0 - Yippie-Ki-Yay - f363124 - 67
- Installed from: pipx
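The failure mode in the traceback is a caught parse error (`Error parsing SID. Not domain joined?: list index out of range`) that is logged and then falls through, so `domain_sid` is never bound and the next statement that builds the `SUSER_SNAME(SID_BINARY(...))` batch raises `UnboundLocalError`. The following Python is an added illustration of that pattern and of the early return the expected behaviour asks for; it is not NetExec's code. The row shape, the helper names and the sample SID are assumptions constructed for the example; only the SQL template is taken from the traceback above.

```python
import logging
from typing import List, Optional

log = logging.getLogger("rid_brute_example")


def domain_sid_from_rows(rows: List[dict]) -> str:
    """Return the domain SID prefix from the first row of a SID-lookup query.

    Assumed row shape (hypothetical): {"sid": "S-1-5-21-<d1>-<d2>-<d3>-<rid>"}.
    Dropping the trailing RID leaves the domain SID that RID cycling is built on.
    """
    sid = rows[0]["sid"]  # IndexError on an empty result ("list index out of range")
    return sid.rsplit("-", 1)[0]


def build_sid_queries(domain_sid: str, start: int, count: int) -> List[str]:
    """Batch the SUSER_SNAME lookups the way the traceback's line 446 does."""
    queries = []
    for rid in range(start, start + count):
        queries.append(f"SELECT SUSER_SNAME(SID_BINARY(N'{domain_sid}-{rid}'))")
    return queries


def rid_brute_buggy(rows: List[dict], start: int = 500, count: int = 3) -> List[str]:
    """Reproduces the reported failure mode.

    The except branch logs and falls through, so when parsing fails the name
    `domain_sid` was never bound and the next line raises UnboundLocalError.
    """
    try:
        domain_sid = domain_sid_from_rows(rows)
    except Exception as e:
        log.error("Error parsing SID. Not domain joined?: %s", e)
    # Reached even after the parse failed: domain_sid is unbound here.
    return build_sid_queries(domain_sid, start, count)


def rid_brute_fixed(rows: List[dict], start: int = 500, count: int = 3) -> Optional[List[str]]:
    """Same logic with the guard the report asks for: fail cleanly, no traceback."""
    try:
        domain_sid = domain_sid_from_rows(rows)
    except (IndexError, KeyError, TypeError) as e:
        log.error("Error parsing SID. Not domain joined?: %s", e)
        return None  # early return: the caller sees a logged error, not a crash
    return build_sid_queries(domain_sid, start, count)


def triggers_unbound_local(rows: List[dict]) -> bool:
    """True when the buggy variant crashes with UnboundLocalError on these rows."""
    try:
        rid_brute_buggy(rows)
    except UnboundLocalError:
        return True
    return False


# Constructed sample query results (not real data): a domain-joined host, and an
# empty result such as an unauthenticated session or a non-domain host produces.
DOMAIN_JOINED_ROWS = [{"sid": "S-1-5-21-1000000001-1000000002-1000000003-500"}]
EMPTY_ROWS: List[dict] = []

if __name__ == "__main__":
    print("buggy crashes on empty result:", triggers_unbound_local(EMPTY_ROWS))
    print("fixed returns:", rid_brute_fixed(EMPTY_ROWS))
    print("fixed (joined):", rid_brute_fixed(DOMAIN_JOINED_ROWS))
```

The guard is deliberately narrow: it catches the specific exceptions a missing or malformed SID row raises and returns before any code that depends on `domain_sid`, which is what turns the traceback in the report into the single logged line the expected behaviour describes.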