Silver Ticket
Silver ticket
The Silver Ticket attack involves the exploitation of service tickets in Active Directory (AD) environments. This method relies on acquiring the NTLM hash of a service account, such as a computer account, to forge a Ticket Granting Service (TGS) ticket. With this forged ticket, an attacker can access specific services on the network, impersonating any user, typically aiming for administrative privileges. It is emphasized that using AES keys for forging tickets is more secure and less detectable.
For ticket crafting, different tools are employed based on the operating system:
On Linux
On Windows
The CIFS service is highlighted as a common target for accessing the victim's file system, but other services like HOST and RPCSS can also be exploited for tasks and WMI queries.
Available Services
Using Rubeus you may ask for all these tickets using the parameter:
/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm
Silver tickets Event IDs
4624: Account Logon
4634: Account Logoff
4672: Admin Logon
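A defender-side use of these event IDs, as an added example that is not part of the original page: a forged service ticket never passes through the KDC, so a Kerberos network logon (4624, often followed by 4672) on the target has no matching service-ticket request on any domain controller (event 4769, which this page does not list). The events, the host name FS01 and the function name are constructed for illustration, and the service is assumed to run under the machine account.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # assumption: AD default service-ticket lifetime

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_unbacked_logons(host_events, dc_events, host, lifetime=TICKET_LIFETIME):
    """Kerberos network logons (4624) on `host` that no DC-side 4769 explains."""
    issued = {}  # (user, machine account) -> times the KDC issued a service ticket
    for e in dc_events:
        if e["EventID"] == 4769:
            key = (e["TargetUserName"].split("@")[0].lower(),
                   e["ServiceName"].rstrip("$").lower())
            issued.setdefault(key, []).append(_ts(e["Time"]))
    # Logon sessions that were also granted special privileges (4672).
    admin_ids = {e["SubjectLogonId"] for e in host_events if e["EventID"] == 4672}
    findings = []
    for e in host_events:
        if (e["EventID"] != 4624 or e["LogonType"] != 3
                or e["AuthenticationPackageName"] != "Kerberos"):
            continue
        t = _ts(e["Time"])
        times = issued.get((e["TargetUserName"].lower(), host.lower()), [])
        if not any(timedelta(0) <= t - i <= lifetime for i in times):
            findings.append({"user": e["TargetUserName"], "time": e["Time"],
                             "source": e["IpAddress"],
                             "admin": e["TargetLogonId"] in admin_ids})
    return findings

# Constructed sample events; field names follow the Windows Security log schema.
HOST_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T09:00:05", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.21", "TargetLogonId": "0x1a2b"},
    {"EventID": 4624, "Time": "2024-05-01T11:30:00", "TargetUserName": "Administrator",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.66", "TargetLogonId": "0x9f01"},
    {"EventID": 4672, "Time": "2024-05-01T11:30:00", "SubjectLogonId": "0x9f01"},
    {"EventID": 4634, "Time": "2024-05-01T11:31:10", "TargetLogonId": "0x9f01"},
]
DC_EVENTS = [
    {"EventID": 4769, "Time": "2024-05-01T09:00:04",
     "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "FS01$"},
]

if __name__ == "__main__":
    for f in find_unbacked_logons(HOST_EVENTS, DC_EVENTS, host="FS01"):
        print(f)
```

The correlation is only as good as the 4769 collection: events from every domain controller must be present, otherwise legitimate logons show up as findings.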
Abusing Service tickets
In the following examples, let's imagine that the ticket is retrieved impersonating the administrator account.
CIFS
With this ticket you will be able to access the C$ and ADMIN$ folders via SMB (if they are exposed) and copy files to a part of the remote filesystem just doing something like:
You will also be able to obtain a shell inside the host or execute arbitrary commands using psexec:
HOST
With this permission you can generate scheduled tasks in remote computers and execute arbitrary commands:
HOST + RPCSS
With these tickets you can execute WMI in the victim system:
Find more information about wmiexec in the following page:
HOST + WSMAN (WINRM)
With winrm access over a computer you can access it and even get a PowerShell:
Check the following page to learn more ways to connect with a remote host using winrm:
Note that winrm must be active and listening on the remote computer to access it.
LDAP
With this privilege you can dump the DC database using DCSync:
Learn more about DCSync in the following page: