RelayKing’s MSSQL detector checks SQL Server instances on port 1433 for Extended Protection for Authentication (EPA) enforcement. If EPA is not enforced, an attacker who captures NTLM authentication can relay it directly to the SQL Server instance.
What is checked
| Check | Auth required | Notes |
|---|---|---|
| Port open | No | Quick 3-second socket probe before any further checks |
| EPA enforcement | Yes | Attempted login; response inspected for channel binding / extended protection error strings |
Relay condition
EPA not enforced → RELAYABLE
EPA enforced → NOT relayable
epa_enforced = None (unknown) is treated conservatively — the host is not included in the relay list when the result cannot be determined.
EPA detection logic
RelayKing uses impacket’s MSSQL class to attempt a login and inspects the error response:
| Login outcome | epa_enforced value | Notes |
|---|---|---|
| Login succeeds | False | EPA not enforced |
| Error contains channel binding or extended protection | True | EPA enforced |
| Error contains encryption required | True (ENFORCED (encryption required)) | Encryption requirement indicates EPA |
| Login fails with login failed or authentication failed | False (NOT_ENFORCED (auth failed)) | Auth failure not caused by EPA; EPA likely not enforced but unconfirmed |
| --null-auth mode | None | Cannot test EPA without credentials |
| Kerberos auth failure | Error string returned | Kerberos fallback to NTLM is suppressed to prevent lockout |
When credentials are provided but authentication fails with a generic login error (bad password, account locked out, etc.), RelayKing records NOT_ENFORCED (auth failed) rather than ENFORCED. This reflects that the failure was due to credentials, not EPA. Confirm with valid credentials when possible.
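The classification rules in the table above, and the relay condition from the previous section, as an added example. This is not RelayKing's own code: it is a standalone classifier that takes the outcome of a login attempt (success flag plus the server's error text) and returns the epa_enforced value and label the table describes, then filters a set of results into a relay list the way --gen-relay-list does. The error strings, host names and result labels used as sample input are constructed for illustration; the port probe mirrors the 3-second socket check and uses only the standard library.

```python
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# Substrings the detector looks for in the server's error text (from the table).
EPA_MARKERS = ("channel binding", "extended protection")
ENCRYPTION_MARKER = "encryption required"
AUTH_FAIL_MARKERS = ("login failed", "authentication failed")


@dataclass
class EpaResult:
    # True = enforced, False = not enforced, None = could not be determined
    epa_enforced: Optional[bool]
    label: str


def classify_login(login_ok: bool, error_text: str = "", null_auth: bool = False) -> EpaResult:
    """Map a login attempt's outcome to an epa_enforced value.

    Precedence follows the table: EPA-specific markers are checked before the
    generic "login failed" markers, because an EPA rejection from SQL Server can
    itself contain the words "login failed". Checking the generic markers first
    would misclassify an enforced host as NOT_ENFORCED (auth failed).
    """
    if null_auth:
        # Without credentials no NTLM login is attempted, so EPA cannot be tested.
        return EpaResult(None, "UNKNOWN (null auth)")
    if login_ok:
        return EpaResult(False, "NOT_ENFORCED")

    err = error_text.lower()
    if any(marker in err for marker in EPA_MARKERS):
        return EpaResult(True, "ENFORCED")
    if ENCRYPTION_MARKER in err:
        return EpaResult(True, "ENFORCED (encryption required)")
    if any(marker in err for marker in AUTH_FAIL_MARKERS):
        # Credential problem, not an EPA rejection: recorded as not enforced
        # but unconfirmed, so re-check with valid credentials when possible.
        return EpaResult(False, "NOT_ENFORCED (auth failed)")
    # Anything else (timeouts, unexpected TDS errors) is left undetermined.
    return EpaResult(None, "UNKNOWN")


def port_open(host: str, port: int = 1433, timeout: float = 3.0) -> bool:
    """3-second TCP probe performed before any login attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_relay_list(results: Dict[str, EpaResult]) -> List[str]:
    """Relay condition: only hosts with epa_enforced == False are relayable.

    `is False` (not `not epa_enforced`) keeps the conservative handling of
    None: an undetermined host is never added to the relay list.
    """
    return [host for host, result in results.items() if result.epa_enforced is False]


# Constructed sample outcomes, one per row of the detection table.
SAMPLE_OUTCOMES = {
    "sql01.example.test": (True, ""),
    "sql02.example.test": (False, "Login failed. Channel binding mismatch for the connection."),
    "sql03.example.test": (False, "Encryption required for this connection."),
    "sql04.example.test": (False, "Login failed for user 'CORP\\lowpriv'."),
    "sql05.example.test": (False, "Connection reset by peer"),
}


def classify_samples() -> Dict[str, EpaResult]:
    """Run the classifier over the constructed sample set."""
    return {host: classify_login(ok, err) for host, (ok, err) in SAMPLE_OUTCOMES.items()}


if __name__ == "__main__":
    results = classify_samples()
    for host, result in results.items():
        print(f"{host:22} epa_enforced={result.epa_enforced!s:5} {result.label}")
    print("relay list:", build_relay_list(results))
```

Running the block prints one line per constructed host and a relay list containing only sql01 (login succeeded) and sql04 (generic auth failure); sql05, whose error matched no rule, stays out of the list even though it is not marked enforced.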
Flags and port
| Parameter | Value |
|---|---|
| --protocols value | mssql |
| Default port | 1433 |
| Auth required | Yes (for reliable EPA check) |
MSSQL is not included in the default protocol set. Pass --protocols mssql or include it in a comma-separated list.
Example commands
```bash
python3 relayking.py -u lowpriv -p 'P@ssw0rd' -d corp.local \
  --dc-ip 10.0.0.1 -vv --audit \
  --protocols smb,ldap,ldaps,mssql,http,https \
  --threads 10 -o plaintext,json \
  --output-file relayking-scan \
  --proto-portscan --gen-relay-list relaytargets.txt
```

```bash
python3 relayking.py -u sa -p 'P@ssw0rd' -d corp.local \
  -vv --protocols mssql -o plaintext SQLSERVER1.CORP.LOCAL
```

```bash
python3 relayking.py -u lowpriv -d corp.local \
  --nthash aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 \
  -vv --protocols mssql -o plaintext 10.0.0.50
```
Relay list output
SQL Server instances where epa_enforced == False are included in the relay list generated by --gen-relay-list. Relaying to MSSQL enables executing queries under the relayed user’s SQL permissions — including xp_cmdshell if the user has sysadmin rights.
Use --proto-portscan to skip hosts that do not have port 1433 open. The MSSQL detector performs its own 3-second port probe before attempting any login, but --proto-portscan avoids queuing the check entirely for hosts where the port is closed.