persistence: AD - Silver Ticket

Overview

Description

The Silver ticket attack involves forging a valid Ticket Granting Service (TGS) ticket for a specific service once the password hash of that service's account is obtained. This allows unauthorized access to the service by forging a customized TGS. Silver tickets have a narrower scope than Golden tickets, as they only provide access to a specific resource (e.g., MSSQL) and the system hosting that resource. However, adversaries capable of forging Silver tickets can create and use TGS tickets without interacting with the Key Distribution Center (KDC), which can make detection more challenging.

If the target service operates under a user account context, like MSSQL, the password hash of the service account is required for Silver Ticket creation. In addition to user accounts, computers themselves host services, with the most common example being the Windows file share that utilizes the "CIFS" service. In the case of a computer-hosted service, the associated computer account's password hash is the essential data needed to generate a Silver Ticket.

Read more: How Attackers Use Kerberos Silver Tickets to Exploit Systems

Tasks

Lab Environment

In this lab environment, you will be provided with GUI access to a Windows machine (2012). This machine will serve as your attacker machine. Your task in this lab is to generate a Silver ticket, targeting the CIFS service on the Domain Controller.

Objective: Perform a Silver ticket attack targeting the CIFS service on the Domain Controller.

Note: All the tools are present in the C:\Tools directory.

Tools

The best tools for this lab are:

  • PowerView

  • Invoke-TokenManipulation.ps1

  • Invoke-Mimikatz.ps1

Solution


Step 1: Open the lab link to access the attacker machine:

[screenshot]

Step 2: Navigate to C:\Tools. Gather information about the current domain using PowerView.ps1. Run the following commands:

Commands:

[screenshot]

The name of the current domain is research.SECURITY.local and the Fully Qualified Domain Name (FQDN) of the Domain Controller (DC) is prod.research.SECURITY.local.

The SID of the domain is S-1-5-21-1693200156-3137632808-1858025440.

Step 3: Next, find a machine in the current domain on which the current user, i.e., student, has local admin access.

Command:

[screenshot]

We can notice that student has admin access on the seclogs.research.SECURITY.local machine.

Step 4: Access the seclogs.research.SECURITY.local machine using the following command:

Command:

[screenshot]

Success!

Step 5: Check the current user privilege.

Command:

[screenshots]

We have full privileges on the seclogs.research.SECURITY.local machine.

Step 6: Next, we need to set up hfs.exe (HTTP File Server) on the attacker machine to serve the PowerShell scripts (Invoke-Mimikatz.ps1 and Invoke-TokenManipulation.ps1). All these tools are inside the C:\Tools directory. Drag and drop these two PowerShell scripts onto hfs.exe as shown below.

[screenshot]

Step 7: Now, import the Invoke-TokenManipulation.ps1 script on the target machine. We will use this script to enumerate all the available tokens.

Commands:

[screenshot]

We have successfully imported the script into memory. Now, enumerate all the available tokens:

Command:

[screenshot]

We can notice that research\administrator has logged into this machine.

Step 8: Next, import the Invoke-Mimikatz.ps1 script on the target machine and dump the NTLM hashes of the logged-in users.

Commands:

[screenshots]

We found the NTLM hash of the domain administrator, i.e., 84398159ce4d01cfe10cf34d5dae3909, which we can utilize to perform a PTH (Pass The Hash) attack.

Step 9: We need the computer account password hash of prod.research.SECURITY.local (the DC) in order to generate the Silver ticket. So, first we will perform a PTH (Pass The Hash) attack using Mimikatz to obtain domain administrator privileges in a powershell.exe shell. PTH requires high-privilege access on the machine, so run PowerShell as administrator and then execute the following commands:

Commands:

[screenshot]

We have successfully performed PTH using the domain admin NTLM hash.

Step 10: Next, run the following commands to find the computer account password hash for the target machine:

Command:

[screenshots]

The computer account password hash for prod.research.SECURITY.local is d5f92467d4425e5f34fb55893e8a7768.

Step 11: Switch back to the normal terminal (the student user). Now we are all set to generate a Silver ticket. Before that, let's check whether we can list the C$ share of the DC.

Command:

[screenshot]

We get an access denied error.

Step 12: Now, run the following commands to generate a Silver ticket:

Commands:

The parameters we specified are:

  • /domain: the FQDN of the domain

  • /sid: the SID of the domain

  • /target: the FQDN of the target server

  • /service: the target service name

  • /rc4: the NTLM/RC4 password hash

  • /user: the username to impersonate (it need not be an existing account)
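The two properties called out above, that the ticket is forged without any KDC interaction and that the /user value need not correspond to a real account, are also what a defender can key on. The following is an added example, not part of this lab or its tools: a Python check over constructed Windows Security events that flags Kerberos network logons (event 4624, logon type 3) on the target host for which the KDC recorded no matching 4769 service-ticket request, or whose account name is not in the directory. The domain name and host names come from the lab; the account set, timestamps, IP addresses and event records are constructed, and a real deployment would read them from the event logs and from AD rather than from static lists.

```python
"""Detection heuristics for forged Kerberos service tickets (Silver Tickets).

Added example, not part of the original lab. A forged TGS is never requested
from the KDC, so the service logon it produces on the target host (4624,
Kerberos, logon type 3) has no matching 4769 "Kerberos service ticket was
requested" event on the domain controller for that user and client. Because
the user field in the forged ticket is attacker-chosen, the logon may also
name an account that does not exist in the directory.
"""
from datetime import datetime, timedelta

DOMAIN_FQDN = "research.SECURITY.local"  # domain named in the lab

# Constructed snapshot of directory accounts (hypothetical; a real check
# would query AD instead of a static set).
KNOWN_ACCOUNTS = {"administrator", "student", "prod$", "seclogs$"}

# Constructed 4624 events collected from the target host (the DC serving CIFS).
TARGET_HOST_4624 = [
    {"time": "2024-01-01T10:00:05", "TargetUserName": "student",
     "TargetDomainName": "RESEARCH", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-01T10:05:00", "TargetUserName": "Administrator",
     "TargetDomainName": "RESEARCH", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-01T10:07:00", "TargetUserName": "ghost",
     "TargetDomainName": "RESEARCH", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"},
    # NTLM logon: outside the scope of this check and skipped.
    {"time": "2024-01-01T10:08:00", "TargetUserName": "ghost2",
     "TargetDomainName": "RESEARCH", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
]

# Constructed 4769 events collected from the KDC (the DC itself).
KDC_4769 = [
    {"time": "2024-01-01T10:00:01", "TargetUserName": "student@RESEARCH.SECURITY.LOCAL",
     "ServiceName": "PROD$", "IpAddress": "::ffff:10.0.0.5"},
    # Administrator did get a ticket, but for a different service host.
    {"time": "2024-01-01T10:04:00", "TargetUserName": "Administrator@RESEARCH.SECURITY.LOCAL",
     "ServiceName": "SECLOGS$", "IpAddress": "::ffff:10.0.0.5"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def _bare_user(name):
    """'student@RESEARCH.SECURITY.LOCAL' -> 'student' (lower-cased)."""
    return name.split("@", 1)[0].lower()


def _bare_ip(ip):
    """Strip the IPv4-mapped prefix the KDC writes into 4769 client addresses."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def has_matching_tgs(logon, tgs_requests, service_name, max_ticket_life):
    """True if the KDC issued a TGS for this user/client/service within the
    maximum ticket lifetime before the logon (a cached legitimate ticket may
    be reused for hours, so the window must be at least that long)."""
    t = _parse(logon["time"])
    for req in tgs_requests:
        age = t - _parse(req["time"])
        if (_bare_user(req["TargetUserName"]) == _bare_user(logon["TargetUserName"])
                and _bare_ip(req["IpAddress"]) == _bare_ip(logon["IpAddress"])
                and req["ServiceName"].lower() == service_name.lower()
                and timedelta(0) <= age <= max_ticket_life):
            return True
    return False


def find_suspicious_logons(logons, tgs_requests, known_accounts, service_name,
                           max_ticket_life=timedelta(hours=10)):
    """Return Kerberos network logons that look like forged service tickets."""
    findings = []
    for logon in logons:
        if logon["LogonType"] != 3 or logon["AuthenticationPackageName"] != "Kerberos":
            continue
        reasons = []
        if _bare_user(logon["TargetUserName"]) not in known_accounts:
            reasons.append("account does not exist in the directory")
        if not has_matching_tgs(logon, tgs_requests, service_name, max_ticket_life):
            reasons.append("no 4769 TGS request on the KDC for this user/client/service")
        if reasons:
            findings.append({"user": logon["TargetUserName"],
                             "client": _bare_ip(logon["IpAddress"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Target host is the DC, whose computer account is PROD$.
    for finding in find_suspicious_logons(TARGET_HOST_4624, KDC_4769, KNOWN_ACCOUNTS, "PROD$"):
        print(finding)
```

The correlation only works if "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers so that 4769 events exist to match against, and the ticket-lifetime window must be as long as the domain's maximum service ticket lifetime to avoid flagging legitimate cached tickets. The non-existent-account check is the cheaper signal and needs only the target host's 4624 events plus a current list of directory accounts.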

[screenshot]

Check the ticket:

Command:

[screenshot]

We have successfully generated and injected the Silver ticket targeting the CIFS service on prod.research.SECURITY.local (the DC).

Step 13: Now, let's try to list the C$ share of the DC.

Command:

[screenshot]

Success!

Conclusion

In this lab, we performed a Silver ticket attack targeting the CIFS service on the Domain Controller.
