Exploitation - Kerberos silver tickets
Overview
Service tickets
are generated by the Ticket-Granting Service (TGS)
of the Key Distribution Center (KDC)
and used by clients to access domain resources exposed through service accounts, i.e user accounts that have a ServicePrincipalName (SPN)
configured.
Service tickets
are generated by the TGS
upon reception of a valid Ticket-Granting Ticket (TGT)
using:
One of the secrets (
RC4 key
, whose value is identical to theNTLM
hash, orAES 128/256 bits keys
) of thekrbtgt
account (KDC Signature
).One of the secrets of the targeted service account (
Server Signature
and encryption of theTGS
).
However, as the service account has no knowledge of the the krbtgt
account's secrets, no verification is done by default on the KDC Signature
signature upon receipt and verification of the validity of a service ticket
. Thus, in the majority of environment, only the knowledge of one of the secrets of the targeted service account is necessary for the generation of valid service tickets
for the service (and renewals of the krbtgt
's password do not invalidate the crafted service tickets
).
Note that the Kerberos PAC Validation
mechanism can be enabled on a service to enforce a systematic verification of the service tickets
's Privilege Attribute Certificate (PAC)
KDC Signature
signature with a request to the KDC
. As the additional verification induced by the mechanism requires an exchange between the server hosting the service and the KDC
, its activation can cause significant performance degradation.
For more information on the Kerberos
protocol, refer to the `ActiveDirectory
Kerberos Golden Tickets` note.
To generate a silver ticket
, the following prerequisites are needed:
The fully qualified domain name and the
SID
of the targeted domain.The
SPN
and one of the secrets of the targeted service account.
Computers services and machine account exploitation
Windows systems integrated to an Active Directory domain expose a number of services, executed under the machine account authority. These services can be leveraged to remotely access and execute commands on a machine. As such, the compromise of one of the machine account secrets can be used to generate silver tickets
allowing for remote code execution.
Silver tickets
for machine services can notably be used for persistence after the compromise of a machine or an Active Directory domain (as the secrets of the machine accounts of all the machines integrated to the domain are stored in the ntds.dit
database). Additionally, if a machine exposes the Windows SpoolerService
service, through the MS-RPRN
MSRPC
interface, and is configured to permit the use of NetNTLMv1
(LMCompatibilityLevel
attribute set to 2 or lower), an authentication from the machine to an arbitrary host in NetNTLMv1
can be remotely triggered and further captured, to ultimately crack the NetNTLMv1
hash and retrieve the machine account NTLM
hash. For more information on the attack refer to the [L7] MSRPC
and [ActiveDirectory] NTLM capture and relay
notes.
Different services are exposed on Windows systems integrated to an Active Directory domain and can be targeted, through their respective SPN
in the form of <SERVICE_NAME>/<MACHINE_HOSTNAME>
, for persistence and remote access:
PsExec
-like
file system access
CIFS
Remote execution of commands using PsExec
-like utilities or full access to the machine file system.
Windows - Lateral movements
[L7] 445 - SMB
WMI
HOST
RPCSS
Remote execution of commands through Windows Management Instrumentation (WMI)
(Win32_Process
class for example).
Windows - Lateral movements
WinRM
Always necessary:
HOST
HTTP
Host dependant:
WSMAN
RPCSS
PowerShell remoting
through Windows Remote Management (WinRM)
.
Windows - Lateral movements
[L7] 5985-5968 - WSMan
Windows services
HOST
Remote creation and/or execution of Windows services.
Windows - Lateral movements
Scheduled tasks
HOST
Remote creation and/or execution of Windows scheduled tasks.
Windows - Lateral movements
DCSync
LDAP access
LDAP
LDAP
requests, and notably allows, for service tickets
to the LDAP
service of a Domain Controller
, the conduct of replication operations (DCSync
).
[ActiveDirectory] ntds.dit dumping
RSAT
CIFS
LDAP
RPCSS
Use of the PowerShell cmdlets of the Windows Remote Server Administration Tools (RSAT)
suite.
[ActiveDirectory] Domain Recon
The HOST
service for Windows machines includes a set of machine built-in Windows services, such as the HTTP
, SCM
and SCHEDULE
services, etc.
The exhaustive list of services exposed on a Windows machine integrated to an Active Directory domain can be retrieved using the following PowerShell command:
Silver tickets generation
The mimikatz
utility on Windows and the Impacket
's ticketer.py
Python script can be used to generate silver tickets
:
Silver tickets usage (Pass-the-Ticket)
On Windows, silver tickets
generated using mimikatz
will be automatically injected in the current logon session if the /ptt
option is specified. Otherwise, an exported silver ticket
can be injected using mimikatz.exe "kerberos::ptt <TICKET_FILE_PATH>
for example.
On Linux, silver tickets
generated by ticketer.py
, in the credential cache (ccache)
format, can be exported in the KRB5CCNAME
environment variable for further use through tools supporting the Kerberos
protocol, such as others Impacket
Python utilities. Note that impackets
utilities can only make use of a single Kerberos tickets
at a time, which limits the possible usage of the utilities with silver tickets
.
Refer to the [ActiveDirectory] Kerberos tickets usage
for more information on techniques and tools to leverage silver tickets
.
References
https://2014.rmll.info/slides/80/day_3-1010-Benjamin_Delpy-Mimikatz_a_short_journey_inside_the_memory_of_the_Windows_Security_service.pdf https://adsecurity.org/?page_id=1821 TECHNIQUES DE PERSISTANCE ACTIVE DIRECTORY BASÉES SUR KERBEROS - MISC Hors-Série N°20 https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html
Last updated