Full Report
A few weeks ago my friend Zblurx pushed a PR to Impacket in which he implemented the Channel Binding Token computation, based on code that ly4k had developed for the ldap3 library. This PR allowed any tool relying on the ldap3 library to connect to LDAP servers even when LDAP signing and LDAPS channel binding are enabled. Looking at the code, I thought it would be easy to implement the same mechanism for other protocols such as MSSQL, which I was already working on as PRs to NetExec.
Analysis Summary
# Tool/Technique: Channel Binding Token (CBT) Implementation for MSSQL/Impacket
## Overview
This summary details the implementation and functionality of Channel Binding Token (CBT) computation within tools communicating with Microsoft SQL Server (MSSQL) via the Tabular Data Stream (TDS) protocol, specifically focusing on updates to Impacket's `MSSQLClient.py` (via `TDS.py`) and NetExec. The primary purpose is to allow these tools to connect successfully to MSSQL servers configured to enforce **Extended Protection for Authentication (EPA)**, which requires a valid CBT to be carried in the NTLM authentication handshake inside a TLS-encrypted session (TLS for TDS; LDAPS in the LDAP case).
## Technical Details
- Type: Technique / Tool Enhancements (Impacket, NetExec, ldap3 library)
- Platform: Windows (MSSQL Server targets)
- Capabilities: Enables successful NTLM authentication against MSSQL servers requiring EPA/Channel Binding over TLS connections.
- First Seen: The feature implementation detailed in the article is recent (following Zblurx's PR to Impacket for LDAP, and subsequent porting to MSSQL/NetExec).
## MITRE ATT&CK Mapping
The context primarily concerns preventing authentication failures for legitimate access, but the underlying mechanism touches authentication protocols and could relate to bypassing network protections if leveraged maliciously:
- **TA0006 - Credential Access** (If used with stolen credentials against protected target)
- T1003 - OS Credential Dumping (Indirectly related to successful authentication)
- **TA0011 - Command and Control** (If used to establish a secure C2 channel post-authentication)
- T1071 - Application Layer Protocol (Relates to successful TDS communication)
## Functionality
### Core Capabilities
- **CBT Computation:** Implements the necessary logic to compute the Channel Binding Token based on the established TLS session parameters.
- **Integration with TDS:** Modifies Impacket's `TDS.py` to correctly calculate and include the Channel Binding value within the NTLM response sent to the MSSQL server during authentication.
- **Bypassing EPA Errors:** Resolves connection failures experienced when attempting NTLM authentication on MSSQL servers where EPA is enabled (which enforces channel binding checks).
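To make the CBT computation above concrete, here is an added, self-contained example (not code from Impacket, ldap3 or NetExec) of the two standard building blocks a TDS client needs once the TLS handshake is done: the `tls-server-end-point` certificate hash from RFC 5929 and the MD5 over the `gss_channel_bindings_struct` that NTLM places in the `MsvAvChannelBindings` AV_PAIR (MS-NLMP). A matching server-side check is included to show what an EPA-enabled server actually verifies. The certificate bytes and the `signature_hash` argument are inputs the caller must obtain from the real TLS session (e.g. `getpeercert(binary_form=True)` and the certificate's signature algorithm); the byte string used below is a constructed placeholder, not a real certificate.

```python
import hashlib
import hmac
import struct

ENDPOINT_PREFIX = b"tls-server-end-point:"


def cert_hash_for_endpoint(cert_der: bytes, signature_hash: str) -> bytes:
    """RFC 5929 tls-server-end-point: hash the DER certificate with the hash
    function of its own signature algorithm, except that MD5 and SHA-1 (and
    SHA-256 itself) map to SHA-256. `signature_hash` is e.g. "sha256" or
    "sha384"; in a real client it is read from the certificate's
    signatureAlgorithm field (assumption: caller has parsed that already)."""
    name = signature_hash.lower().replace("-", "")
    if name in ("md5", "sha1", "sha256"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()


def channel_binding_hash(cert_der: bytes, signature_hash: str) -> bytes:
    """Value sent in the NTLMv2 MsvAvChannelBindings AV_PAIR (MS-NLMP):
    MD5 over a gss_channel_bindings_struct whose initiator/acceptor address
    fields are zero and whose application_data is the tls-server-end-point
    binding."""
    app_data = ENDPOINT_PREFIX + cert_hash_for_endpoint(cert_der, signature_hash)
    # Layout: initiator_addrtype, initiator_address.length,
    #         acceptor_addrtype, acceptor_address.length  (all zero, 16 bytes)
    #         application_data.length (little-endian 32-bit), then the data.
    buf = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def verify_channel_binding(received, cert_der: bytes, signature_hash: str,
                           required: bool = True) -> bool:
    """Server-side EPA check: recompute the binding for *this* TLS session's
    certificate and compare in constant time. `received` is the 16-byte
    AV_PAIR value, or None if the client sent no channel bindings; with
    `required=True` an absent binding is rejected (a relayed NTLM exchange
    can never carry the right value, because the relay's own TLS session has
    a different server certificate in front of the victim)."""
    if received is None:
        return not required
    expected = channel_binding_hash(cert_der, signature_hash)
    return len(received) == 16 and hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed placeholder standing in for a DER-encoded server certificate.
    fake_cert = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
    cbt = channel_binding_hash(fake_cert, "sha256")
    print("MsvAvChannelBindings =", cbt.hex())
    print("server accepts correct CBT:", verify_channel_binding(cbt, fake_cert, "sha256"))
    print("server accepts missing CBT when required:",
          verify_channel_binding(None, fake_cert, "sha256", required=True))
```

The client side only ever needs `channel_binding_hash`; everything else is what the server does with it. Note that the SHA-256 "upgrade" rule means a SHA-1-signed certificate and the same certificate treated as SHA-256-signed produce the identical binding, while a SHA-384-signed one produces a longer `application_data` and therefore a different MD5 input.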
### Advanced Features
- **Protocol Expansion:** The work involved extending previously implemented CBT functionality (from `ldap3` for LDAP) to the MSSQL TDS protocol layer.
- **Defeating NTLM Relay Defenses:** By computing a CBT bound to its own TLS session, the tool satisfies the server-side check that EPA uses to block classic NTLM relay attacks when TLS is negotiated (EPA relies on this binding).
## Indicators of Compromise
No traditional malware IOCs are present as this relates to defensive tooling improvements.
- File Hashes: N/A
- File Names: `TDS.py`, `MSSQLClient.py` (Impacket components), `NetExec`
- Registry Keys: N/A
- Network Indicators: N/A (The goal is to enable connection to legitimate MSSQL ports, typically TCP 1433, using TLS/EPA.)
- Behavioral Indicators: Successful NTLM authentication negotiation over TLS against MSSQL where previously only unauthenticated or non-EPA connections were possible with the tool.
## Associated Threat Actors
The specific tool implementation is documented as being developed by security researchers/analysts (Pennyw0rth, Zblurx, ly4k) to improve penetration testing and auditing capabilities. Generally, threat actors benefit if they can use this technique to authenticate against highly secured MSSQL targets that mandate EPA for legitimate client tools.
## Detection Methods
This enhancement is not an offensive artifact itself, but rather a feature addition to legitimate access tools. Detection focuses on monitoring for the *use* of these tools against secured endpoints, or identifying *why* the connection is now succeeding where it previously failed.
- Signature-based detection: N/A
- Behavioral detection: Monitoring for tools like Impacket's MSSQL clients utilizing NTLM authentication over TLS connections to MSSQL servers.
- YARA rules: N/A
## Mitigation Strategies
The context strongly implies the following mitigations for MSSQL servers to ensure security against NTLM relay attacks:
- **Enforce Encryption (TLS/LDAPS):** Required for EPA to function.
- **Enforce Extended Protection for Authentication (EPA):** This forces clients to provide the Channel Binding Token.
- **Restrict Service Account Privileges:** Ensure the MSSQL service account has minimal required privileges.
- **Use Modern Tools:** Ensure clients (and testing tools) are updated to support CBT/EPA when connecting to secured endpoints.
## Related Tools/Techniques
- **Impacket toolkit:** The baseline library where `TDS.py` resides.
- **NetExec:** A tool that benefited from the ported CBT logic for MSSQL communication.
- **ldap3 library:** The original context where the CBT implementation originated for LDAP protocol support.
- **NTLM Relay Attacks:** The attack vector that EPA and CBT aim to prevent.