ncrack fails on mssql service when creds require domain #119

Open
axzhandul opened this issue Mar 10, 2022 · 0 comments

I seem to be unable to get ncrack to work on the mssql service when Windows auth (the SQL Server default auth config) requires a domain with the username to authenticate. I have tried several forms of the command to try to get this to work (actual host, port, username, and password redacted):

ncrack -vvvv -ddddd --user myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN
ncrack -vvvv -ddddd --user myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN,db=MyDatabase
ncrack -vvvv -ddddd --user DOMAIN\\myusername --pass mypassword mssql://10.10.10.51:7777
ncrack -vvvv -ddddd --user DOMAIN\\myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN
ncrack -vvvv -ddddd --user DOMAIN\\myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN,db=MyDatabase
ncrack -vvvv -ddddd --user "DOMAIN\myusername" --pass mypassword mssql://10.10.10.51:7777
ncrack -vvvv -ddddd --user "DOMAIN\myusername" --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN
ncrack -vvvv -ddddd --user "DOMAIN\myusername" --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN,db=MyDatabase

In all cases, the output is similar:

Starting Ncrack 0.7 ( http://ncrack.org ) at 2022-03-10 20:43 UTC

mssql://10.10.10.51:7777 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 6.48 
mssql://10.10.10.51:7777 finished.
nsock_loop returned 3


Ncrack done: 1 service scanned in 3.00 seconds.
Probes sent: 1 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.

By outputting the plan, I can see that the db and domain parameters, as well as the service and port, seem to be getting recognized properly:

ncrack -vvvv -ddddd --user myusername --pass mypassword mssql://10.10.10.51:7777 -m mssql:domain=DOMAIN,db=MyDatabase -sL 

Starting Ncrack 0.7 ( http://ncrack.org ) at 2022-03-10 20:50 UTC

----- [ Timing Template ] -----
cl=7, CL=80, at=0, cd=0, cr=30, to=0

----- [ ServicesTable ] -----
SERVICE            cl  CL  at  cd  cr  to  ssl path db                                               domain
ftp:21             N/A N/A N/A N/A N/A N/A no  null null                                             null
ssh:22             N/A N/A N/A N/A N/A N/A no  null null                                             null
telnet:23          N/A N/A N/A N/A N/A N/A no  null null                                             null
http:80            N/A N/A N/A N/A N/A N/A no  null null                                             null
wordpress:80       N/A N/A N/A N/A N/A N/A no  null null                                             null
wp:80              N/A N/A N/A N/A N/A N/A no  null null                                             null
joomla:80          N/A N/A N/A N/A N/A N/A no  null null                                             null
dicom:104          N/A N/A N/A N/A N/A N/A no  null null                                             null
pop3:110           N/A N/A N/A N/A N/A N/A no  null null                                             null
imap:143           N/A N/A N/A N/A N/A N/A no  null null                                             null
netbios-ssn:445    N/A N/A N/A N/A N/A N/A no  null null                                             null
smb:445            N/A N/A N/A N/A N/A N/A no  null null                                             null
smb2:445           N/A N/A N/A N/A N/A N/A no  null null                                             null
smb:139            N/A N/A N/A N/A N/A N/A no  null null                                             null
https:443          N/A N/A N/A N/A N/A N/A yes null null                                             null
owa:443            N/A N/A N/A N/A N/A N/A yes null null                                             null
wordpress-tls:443  N/A N/A N/A N/A N/A N/A yes null null                                             null
wp-tls:443         N/A N/A N/A N/A N/A N/A yes null null                                             null
sip:5060           N/A N/A N/A N/A N/A N/A no  null null                                             null
pop3s:995          N/A N/A N/A N/A N/A N/A yes null null                                             null
mssql:1433         N/A N/A N/A N/A N/A N/A no  null MyDatabase                                       DOMAIN
mqtt:1883          N/A N/A N/A N/A N/A N/A no  null null                                             null
mysql:3306         N/A N/A N/A N/A N/A N/A no  null null                                             null
ms-wbt-server:3389 N/A N/A N/A N/A N/A N/A no  null null                                             null
rdp:3389           N/A N/A N/A N/A N/A N/A no  null null                                             null
psql:5432          N/A N/A N/A N/A N/A N/A no  null null                                             null
vnc:5801           N/A N/A N/A N/A N/A N/A no  null null                                             null
vnc:5900           N/A N/A N/A N/A N/A N/A no  null null                                             null
vnc:5901           N/A N/A N/A N/A N/A N/A no  null null                                             null
vnc:6001           N/A N/A N/A N/A N/A N/A no  null null                                             null
redis:6379         N/A N/A N/A N/A N/A N/A no  null null                                             null
winrm:5985         N/A N/A N/A N/A N/A N/A no  null null                                             Workstation
winrm:5986         N/A N/A N/A N/A N/A N/A no  null null                                             Workstation
cassandra:9160     N/A N/A N/A N/A N/A N/A no  null null                                             null
cassandra:9042     N/A N/A N/A N/A N/A N/A no  null null                                             null
mongodb:27017      N/A N/A N/A N/A N/A N/A no  null admin                                            null
cvs:2401           N/A N/A N/A N/A N/A N/A no  null null                                             null

----- [ Targets ] -----
Host: 10.10.10.51
  mssql:51111 cl=7, CL=80, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=MyDatabase, domain=DOMAIN


Ncrack done: 1 service would be scanned.
Probes sent: 0 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.

But for some reason it fails. By ratcheting the debug level way up, I can see that the login is failing (and does likewise no matter what form of the command above I use):

Starting Ncrack 0.7 ( http://ncrack.org ) at 2022-03-10 20:54 UTC

mssql://10.10.10.51:7777 (EID 1) Initiating new Connection
mssql://10.10.10.51:7777 pushed to list FULL
mssql://10.10.10.51:7777 (EID 1) Login failed: 'myusername' 'mypassword'
mssql://10.10.10.51:7777 (EID 1) Connection closed by peer
mssql://10.10.10.51:7777 popped from list FULL
mssql://10.10.10.51:7777 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 6.28 
mssql://10.10.10.51:7777 Password list finished!
mssql://10.10.10.51:7777 pushed to list FINISHED
mssql://10.10.10.51:7777 finished.
nsock_loop returned 3


Ncrack done: 1 service scanned in 3.00 seconds.
Probes sent: 1 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.

Here are my system particulars:

  • OS:
└─$ cat /etc/os-release                                       
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2021.4"
VERSION_ID="2021.4"
VERSION_CODENAME="kali-rolling"
ID_LIKE=Debbie
  • Ncrack version:
Starting Ncrack 0.7 ( http://ncrack.org )
  • MS SQL SERVER:
Microsoft SQL Server 2014, 12.0.6433.1 (X64)

Any help getting this to work would be greatly appreciated...thanks!
