MSSQL detection

RelayKing’s MSSQL detector checks SQL Server instances on port 1433 for Extended Protection for Authentication (EPA) enforcement. If EPA is not enforced, an attacker who captures NTLM authentication can relay it directly to the SQL Server instance.

What is checked

Check	Auth required	Notes
Port open	No	Quick 3-second socket probe before any further checks
EPA enforcement	Yes	Attempted login; response inspected for `channel binding` / `extended protection` error strings

Relay condition

EPA not enforced  →  RELAYABLE
EPA enforced      →  NOT relayable

epa_enforced = None (unknown) is treated conservatively — the host is not included in the relay list when the result cannot be determined.

EPA detection logic

RelayKing uses impacket’s MSSQL class to attempt a login and inspects the error response:

Login outcome	`epa_enforced` value	Notes
Login succeeds	`False`	EPA not enforced
Error contains `channel binding` or `extended protection`	`True`	EPA enforced
Error contains `encryption required`	`True` (`ENFORCED (encryption required)`)	Encryption requirement indicates EPA
Login fails with `login failed` or `authentication failed`	`False` (`NOT_ENFORCED (auth failed)`)	Auth failure not caused by EPA; EPA likely not enforced but unconfirmed
`--null-auth` mode	`None`	Cannot test EPA without credentials
Kerberos auth failure	Error string returned	Kerberos fallback to NTLM is suppressed to prevent lockout

When credentials are provided but authentication fails with a generic login error (bad password, account locked out, etc.), RelayKing records NOT_ENFORCED (auth failed) rather than ENFORCED. This reflects that the failure was due to credentials, not EPA. Confirm with valid credentials when possible.

Flags and port

Parameter	Value
`--protocols` value	`mssql`
Default port	`1433`
Auth required	Yes (for reliable EPA check)

MSSQL is not included in the default protocol set. Pass --protocols mssql or include it in a comma-separated list.

Example commands

Full audit including MSSQL
Single target MSSQL check
MSSQL with pass-the-hash

python3 relayking.py -u lowpriv -p 'P@ssw0rd' -d corp.local \
  --dc-ip 10.0.0.1 -vv --audit \
  --protocols smb,ldap,ldaps,mssql,http,https \
  --threads 10 -o plaintext,json \
  --output-file relayking-scan \
  --proto-portscan --gen-relay-list relaytargets.txt

python3 relayking.py -u sa -p 'P@ssw0rd' -d corp.local \
  -vv --protocols mssql -o plaintext SQLSERVER1.CORP.LOCAL

python3 relayking.py -u lowpriv -d corp.local \
  --nthash aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 \
  -vv --protocols mssql -o plaintext 10.0.0.50

Relay list output

SQL Server instances where epa_enforced == False are included in the relay list generated by --gen-relay-list. Relaying to MSSQL enables executing queries under the relayed user’s SQL permissions — including xp_cmdshell if the user has sysadmin rights.

Use --proto-portscan to skip hosts that do not have port 1433 open. The MSSQL detector performs its own 3-second port probe before attempting any login, but --proto-portscan avoids queuing the check entirely for hosts where the port is closed.

Get Started

Command Reference

Protocol Detection

Advanced Detection

Usage Guides

Reference

What is checked

Relay condition

EPA detection logic

Flags and port

Example commands

Relay list output

Get Started

Command Reference

Protocol Detection

Advanced Detection

Usage Guides

Reference

Documentation Index

​What is checked

​Relay condition

​EPA detection logic

​Flags and port

​Example commands

​Relay list output

What is checked

Relay condition

EPA detection logic

Flags and port

Example commands

Relay list output