Exploitation - Kerberos silver tickets
Service tickets are generated by the Ticket-Granting Service (TGS) of the Key Distribution Center (KDC) and used by clients to access domain resources exposed through service accounts, i.e. user accounts that have a ServicePrincipalName (SPN) configured.
Service tickets are generated by the TGS upon reception of a valid Ticket-Granting Ticket (TGT) using:

- One of the secrets (RC4 key, whose value is identical to the NTLM hash, or AES 128/256 bits keys) of the `krbtgt` account (KDC Signature).
- One of the secrets of the targeted service account (Server Signature and encryption of the TGS).

However, as the service account has no knowledge of the `krbtgt` account's secrets, the KDC Signature is not verified by default when a service ticket is received and checked for validity. Thus, in the majority of environments, knowledge of only one of the secrets of the targeted service account is necessary to generate valid service tickets for the service (and renewals of the `krbtgt` account's password do not invalidate the crafted service tickets).
Note that the Kerberos PAC Validation mechanism can be enabled on a service to enforce a systematic verification, through a request to the KDC, of the KDC Signature of the service tickets' Privilege Attribute Certificate (PAC). As the additional verification induced by the mechanism requires an exchange between the server hosting the service and the KDC, its activation can cause significant performance degradation.
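The two checks described above, as an added simplified model that is not part of the original note: it shows why a service that verifies only the Server Signature cannot tell a KDC-issued PAC from one built with the service key alone, and how PAC Validation closes that gap at the cost of a KDC round trip. HMAC-SHA1 stands in for the real Kerberos checksum types, and `Kdc`, `build_pac` and `service_accepts` are hypothetical names.

```python
import hashlib
import hmac
import os


def checksum(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 stands in for the real Kerberos checksum types (simplification).
    return hmac.new(key, data, hashlib.sha1).digest()


def build_pac(body: bytes, service_key: bytes, kdc_sig_key: bytes) -> dict:
    # Server Signature covers the PAC body; KDC Signature covers the Server Signature.
    server_sig = checksum(service_key, body)
    return {"body": body, "server_sig": server_sig,
            "kdc_sig": checksum(kdc_sig_key, server_sig)}


class Kdc:
    """Only the KDC holds the krbtgt key (hypothetical model class)."""

    def __init__(self) -> None:
        self.krbtgt_key = os.urandom(16)  # constructed key

    def issue(self, body: bytes, service_key: bytes) -> dict:
        return build_pac(body, service_key, self.krbtgt_key)

    def validate(self, pac: dict) -> bool:
        # PAC Validation: the service forwards the signatures to the KDC.
        expected = checksum(self.krbtgt_key, pac["server_sig"])
        return hmac.compare_digest(pac["kdc_sig"], expected)


def service_accepts(pac: dict, service_key: bytes, kdc=None) -> bool:
    # Default: only the Server Signature is checked, with the service's own key.
    expected = checksum(service_key, pac["body"])
    if not hmac.compare_digest(pac["server_sig"], expected):
        return False
    # With PAC Validation enabled: one extra exchange with the KDC per ticket.
    return kdc.validate(pac) if kdc is not None else True


def demo() -> dict:
    kdc, service_key = Kdc(), os.urandom(16)  # constructed keys
    issued = kdc.issue(b"user=alice;groups=513", service_key)
    # Built with the service key only; the krbtgt key is unknown to the builder.
    crafted = build_pac(b"user=alice;groups=512", service_key, os.urandom(16))
    return {"issued_default": service_accepts(issued, service_key),
            "crafted_default": service_accepts(crafted, service_key),
            "issued_validated": service_accepts(issued, service_key, kdc),
            "crafted_validated": service_accepts(crafted, service_key, kdc)}
```

Only `crafted_validated` comes back `False`: the default check passes both PACs, which is the behaviour a defender has to account for when deciding where to enable PAC Validation.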
For more information on the Kerberos protocol, refer to the `ActiveDirectory Kerberos Golden Tickets` note.
To generate a silver ticket, the following prerequisites are needed:

- The fully qualified domain name and the SID of the targeted domain.
- The SPN and one of the secrets of the targeted service account.

Computers services and machine account exploitation
Windows systems integrated to an Active Directory domain expose a number of services, executed under the machine account authority. These services can be leveraged to remotely access and execute commands on a machine. As such, the compromise of one of the machine account secrets can be used to generate silver tickets allowing for remote code execution.
Silver tickets for machine services can notably be used for persistence after the compromise of a machine or an Active Directory domain (as the secrets of the machine accounts of all the machines integrated to the domain are stored in the `ntds.dit` database). Additionally, if a machine exposes the Windows SpoolerService service, through the MS-RPRN MSRPC interface, and is configured to permit the use of NetNTLMv1 (`LMCompatibilityLevel` attribute set to 2 or lower), an authentication from the machine to an arbitrary host in NetNTLMv1 can be remotely triggered and further captured, to ultimately crack the NetNTLMv1 hash and retrieve the machine account NTLM hash. For more information on the attack refer to the [L7] MSRPC and [ActiveDirectory] NTLM capture and relay notes.
Different services are exposed on Windows systems integrated to an Active Directory domain and can be targeted, through their respective SPN in the form of `<SERVICE_NAME>/<MACHINE_HOSTNAME>`, for persistence and remote access:
Possible operation | Service(s) | Description | Related note |
---|---|---|---|
PsExec-like, file system access | CIFS | Remote execution of commands using PsExec-like utilities or full access to the machine file system. | Windows - Lateral movements; [L7] 445 - SMB |
WMI | HOST, RPCSS | Remote execution of commands through Windows Management Instrumentation (WMI) (`Win32_Process` class for example). | Windows - Lateral movements |
WinRM | Always necessary: HOST, HTTP. Host dependent: WSMAN, RPCSS | PowerShell remoting through Windows Remote Management (WinRM). | Windows - Lateral movements; [L7] 5985-5968 - WSMan |
Windows services | HOST | Remote creation and/or execution of Windows services. | Windows - Lateral movements |
Scheduled tasks | HOST | Remote creation and/or execution of Windows scheduled tasks. | Windows - Lateral movements |
DCSync, LDAP access | LDAP | LDAP requests; notably, service tickets for the LDAP service of a Domain Controller allow the conduct of replication operations (DCSync). | [ActiveDirectory] ntds.dit dumping |
RSAT | CIFS, LDAP, RPCSS | Use of the PowerShell cmdlets of the Windows Remote Server Administration Tools (RSAT) suite. | [ActiveDirectory] Domain Recon |

The HOST service for Windows machines includes a set of machine built-in Windows services, such as the HTTP, SCM and SCHEDULE services, etc.

The exhaustive list of services exposed on a Windows machine integrated to an Active Directory domain can be retrieved using the following PowerShell command:

The mimikatz utility on Windows and Impacket's `ticketer.py` Python script can be used to generate silver tickets:

On Windows, silver tickets generated using mimikatz will be automatically injected in the current logon session if the `/ptt` option is specified. Otherwise, an exported silver ticket can be injected using `mimikatz.exe "kerberos::ptt <TICKET_FILE_PATH>"` for example.

On Linux, silver tickets generated by `ticketer.py`, in the credential cache (ccache) format, can be exported in the `KRB5CCNAME` environment variable for further use through tools supporting the Kerberos protocol, such as other Impacket Python utilities. Note that Impacket utilities can only make use of a single Kerberos ticket at a time, which limits the possible usage of the utilities with silver tickets.

Refer to the [ActiveDirectory] Kerberos tickets usage note for more information on techniques and tools to leverage silver tickets.