
Added --get-sid flag on mssql protocol#1099

Open
seriotonctf wants to merge 1 commit into Pennyw0rth:main from seriotonctf:mssql-get-sid

Conversation

@seriotonctf

Added --get-sid flag on mssql protocol

Description

The --get-sid flag has been added to the MSSQL protocol, providing a way to retrieve the domain SID via SQL queries (DEFAULT_DOMAIN() and SUSER_SID()), matching the existing --get-sid functionality already available in the LDAP protocol.

This reuses the same SID resolution logic already present in rid_brute (querying SUSER_SID('DOMAIN\Domain Admins') and parsing with impacket's SID class), but exposes it as a standalone enumeration option.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Screenshots (if appropriate):


Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
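As an added example (not code from this PR or from NetExec), the SID decoding the description relies on, written out by hand instead of via impacket's SID class: it turns the varbinary that SUSER_SID() returns into S-1-5-21-... form, derives the domain SID by dropping the group RID, and returns None when the lookup yielded NULL, which is what the reviewers' cases (localized group name, host not joined to a domain) produce. The sample bytes are constructed.

```python
import struct
from typing import Optional

# Constructed sample: the binary form of S-1-5-21-1111-2222-3333-512, i.e. what
# SUSER_SID('DOMAIN\Domain Admins') returns as varbinary on an English system.
SAMPLE_SID = bytes.fromhex(
    "0105000000000005" "15000000" "57040000" "ae080000" "050d0000" "00020000"
)


def sid_bytes_to_str(raw: bytes) -> str:
    """Decode a Windows binary SID: revision (1 byte), sub-authority count
    (1 byte), 48-bit big-endian identifier authority, then count x 32-bit
    little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join(f"-{s}" for s in subs))


def domain_sid_from_account_sid(raw: Optional[bytes]) -> Optional[str]:
    """Turn the SID of a domain account or group into the domain SID by
    dropping the trailing RID. Returns None when SQL Server could not resolve
    the name (SUSER_SID yields NULL for an unknown or localized group name and
    on a host that is not domain joined), and for non-domain SIDs such as
    BUILTIN\\Administrators (S-1-5-32-544)."""
    if raw is None:
        return None
    parts = sid_bytes_to_str(raw).split("-")
    # Domain SIDs are S-1-5-21-<three sub-authorities>; with the RID that is 8 parts.
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        return None
    return "-".join(parts[:-1])


if __name__ == "__main__":
    print(sid_bytes_to_str(SAMPLE_SID))              # S-1-5-21-1111-2222-3333-512
    print(domain_sid_from_account_sid(SAMPLE_SID))   # S-1-5-21-1111-2222-3333
    print(domain_sid_from_account_sid(None))         # None
```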
self.logger.debug(f"get_sid: DEFAULT_DOMAIN() result: {query_output}")
domain = query_output[0][""]

raw_sid = self.conn.sql_query(f"SELECT SUSER_SID('{domain}\\Domain Admins')")[0][""]
@mpgn
Collaborator

Quick comment:

  • it only works for English systems
  • what if it's local (no domain join)?
@NeffIsBack
Member

Hi and thanks for the PR. However, the points by @mpgn are pretty valid concerns.
