Tickets Kerberos - Silver Ticket
Continuing our series on Kerberos tickets: in earlier posts we covered the Golden Ticket, and this time we turn to the Silver Ticket.
SILVER TICKET
The Silver Ticket attack consists of forging a Ticket Granting Service (TGS) ticket, which allows an attacker to access a specific service in an Active Directory environment without ever authenticating against the domain controller (Key Distribution Center, KDC).
The method relies on obtaining the NTLM hash or password of a service account and using it to forge the Ticket Granting Service (TGS) ticket. These credentials can be obtained in different ways during an attack on the domain, for example with tools such as Responder or through Kerberoasting. Once the forged ticket is created, the attacker can access the targeted service posing as any user, usually with the goal of obtaining administrative privileges.
If, instead of the clear-text credentials or the NTLM hash, the AES keys can be obtained (for example, from a memory dump), it is recommended to use the AES keys to create the tickets, since this is a safer and less detectable approach.
Exploitation:
First, let's assume that we have obtained a SYSTEM session on a machine in the domain. This could have happened, for example, after compromising an IIS server and then escalating privileges with a Potato exploit.
After gaining control of the server, we can extract the Kerberos keys with mimikatz using the command sekurlsa::ekeys.
Ticket creation
- Service: Name of the service for which the ticket will be forged
- Aes256: AES256 key of the machine account, extracted in the previous step
- User: User to impersonate, in this case a Domain Admin
- Domain: Domain name
- Sid: SID of the domain
Import the ticket
- Program: Command to execute; the ticket will be injected into this process
- Domain: Domain name
- Username: Domain user
- Password: User password. It is not necessary to know the user's real password.
- Ticket: The ticket created previously
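Because the forged TGS described above is never issued by the KDC, the defender's signal is a Kerberos logon on the service host (event 4624) with no matching service-ticket request (event 4769) on any domain controller. The following added example (not code from the original post) correlates constructed sample events to flag such logons; the event fields and timestamps are assumed, simplified shapes of the real Windows events.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). DC side: 4769 "A Kerberos service
# ticket was requested"; its Service Name field carries the service account,
# i.e. the machine account SRV01$ for SPNs hosted on SRV01.
DC_EVENTS = [
    {"id": 4769, "time": "2024-03-01T09:00:05", "user": "alice", "service": "SRV01$"},
    {"id": 4769, "time": "2024-03-01T09:10:00", "user": "bob", "service": "SRV01$"},
]
# Service host side: 4624 logons with the authentication package recorded.
HOST_EVENTS = [
    {"id": 4624, "time": "2024-03-01T09:00:07", "user": "alice", "host": "SRV01", "auth": "Kerberos"},
    {"id": 4624, "time": "2024-03-01T09:30:00", "user": "administrator", "host": "SRV01", "auth": "Kerberos"},
    {"id": 4624, "time": "2024-03-01T09:31:00", "user": "bob", "host": "SRV01", "auth": "NTLM"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_unissued_kerberos_logons(dc_events, host_events, lookback=timedelta(hours=10)):
    """Return 4624 Kerberos logons on a host for which no DC logged a 4769 for the
    same user and that host's machine account within the lookback window. The
    default maximum service ticket lifetime is 10 hours, so an older 4769 cannot
    explain the logon. A forged (Silver) TGS produces exactly this pattern."""
    issued = [
        (e["user"].lower(), e["service"].rstrip("$").lower(), _ts(e["time"]))
        for e in dc_events if e["id"] == 4769
    ]
    suspicious = []
    for e in host_events:
        if e["id"] != 4624 or e["auth"] != "Kerberos":
            continue  # NTLM logons are outside the scope of this check
        t = _ts(e["time"])
        explained = any(
            u == e["user"].lower() and h == e["host"].lower() and t - lookback <= issued_at <= t
            for u, h, issued_at in issued
        )
        if not explained:
            suspicious.append(e)
    return suspicious


if __name__ == "__main__":
    for e in find_unissued_kerberos_logons(DC_EVENTS, HOST_EVENTS):
        print(f"{e['time']} {e['user']}@{e['host']}: Kerberos logon with no TGS issued by a DC")
```

The correlation only works if 4769 events are collected from every domain controller in the forest, since a ticket may legitimately have been issued by any of them.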