Silver Ticket
A silver ticket is signed and encrypted with the hash of the service account, which makes it a valid TGS (service) ticket for that service. Because the forged ticket is presented directly to the service, the KDC is never involved in issuing it.
Create The Ticket
Option | Description
---|---
kerberos::golden | Name of the module
/User:Administrator | Username for which the TGT is generated
/domain: | Domain FQDN
/sid: | SID of the domain
/target: | Target server FQDN
/service: | The SPN name of the service for which the TGS is to be created
/aes256: | AES256 keys of the krbtgt account
/id:500 /groups:512 | Optional user and group RID
/ptt | ptt: inject the ticket into the current process
/startoffset:0 | Optional offset, in minutes, from which the ticket is valid. Use a negative value for a ticket that became valid in the past and a larger positive value for one that becomes valid in the future.
/endin:600 | Optional ticket lifetime in minutes (default 10 years). The default AD setting is 10 hours = 600 minutes.
/renewmax:10080 | Optional ticket lifetime with renewal in minutes (default 10 years). The default AD setting is 7 days = 100800.
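The /startoffset, /endin and /renewmax rows above are the defender's handle on a forged ticket: the tool's defaults give a lifetime of 10 years, while the domain policy quoted in the table caps a ticket at 10 hours (600 minutes) and renewal at 7 days (10080 minutes). The following is an added example, not code from the original page or from the tool it describes; it parses text laid out like `klist` output (the sample is constructed, not captured from a real host) and flags tickets whose validity window exceeds those policy values. The field layout and the policy constants are assumptions taken from the table.

```python
import re
from datetime import datetime

# Domain policy defaults quoted in the option table above: max ticket life
# 10 hours (600 min), max renewal 7 days (10080 min). A ticket forged with
# the tool's defaults is valid for 10 years instead.
MAX_TICKET_MINUTES = 600
MAX_RENEW_MINUTES = 10080

# Constructed sample laid out like `klist` output; the first ticket is within
# policy, the second has a 10-year lifetime (not real data).
SAMPLE_KLIST = """\
#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/4/2024 8:00:00 (local)
        End Time:   3/4/2024 18:00:00 (local)
        Renew Time: 3/11/2024 8:00:00 (local)

#1>     Client: Administrator @ CORP.EXAMPLE
        Server: cifs/filesrv01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/4/2024 8:05:00 (local)
        End Time:   3/2/2034 8:05:00 (local)
        Renew Time: 3/2/2034 8:05:00 (local)
"""

FIELD_PATTERNS = {
    "client": r"Client:\s*(.+)",
    "server": r"Server:\s*(.+)",
    "start": r"Start Time:\s*([\d/]+ [\d:]+)",
    "end": r"End Time:\s*([\d/]+ [\d:]+)",
    "renew": r"Renew Time:\s*([\d/]+ [\d:]+)",
}
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Split klist-style text into one dict per ticket, with datetimes parsed."""
    tickets = []
    for chunk in re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]:
        fields = {}
        for key, pattern in FIELD_PATTERNS.items():
            match = re.search(pattern, chunk)
            if match is None:
                break  # incomplete entry: skip it rather than guess
            fields[key] = match.group(1).strip()
        else:
            for key in ("start", "end", "renew"):
                fields[key] = datetime.strptime(fields[key], TIME_FORMAT)
            tickets.append(fields)
    return tickets


def ticket_lifetime_minutes(ticket):
    """Minutes between Start Time and End Time."""
    return (ticket["end"] - ticket["start"]).total_seconds() / 60


def renew_window_minutes(ticket):
    """Minutes between Start Time and Renew Time."""
    return (ticket["renew"] - ticket["start"]).total_seconds() / 60


def find_anomalous_tickets(tickets, max_life=MAX_TICKET_MINUTES,
                           max_renew=MAX_RENEW_MINUTES):
    """Return (ticket, reasons) for tickets whose validity exceeds domain policy."""
    flagged = []
    for ticket in tickets:
        reasons = []
        life = ticket_lifetime_minutes(ticket)
        if life > max_life:
            reasons.append(f"lifetime {life:.0f} min exceeds policy {max_life} min")
        renew = renew_window_minutes(ticket)
        if renew > max_renew:
            reasons.append(f"renew window {renew:.0f} min exceeds policy {max_renew} min")
        if reasons:
            flagged.append((ticket, reasons))
    return flagged


if __name__ == "__main__":
    for ticket, reasons in find_anomalous_tickets(parse_klist(SAMPLE_KLIST)):
        print(ticket["client"], "->", ticket["server"])
        for reason in reasons:
            print("   ", reason)
```

The check only catches forged tickets built with default lifetimes; an attacker who sets /endin and /renewmax to the domain's own values produces a ticket this script cannot distinguish by lifetime alone, so the lifetime check complements rather than replaces correlation against KDC issuance events.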
Abusing Services
HOST
The HOST service permission allows creating scheduled tasks on remote computers. The silver ticket needs to be created with the NT hash of the target machine account.
HOST + RPCSS
With both tickets (HOST and RPCSS) you can execute WMI on the victim system:
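Because a silver ticket for HOST or RPCSS is presented straight to the target machine, the domain controller never logs a service ticket request (event 4769) for it, while the target still records a Kerberos network logon (event 4624, logon type 3). The following is an added detection example, not code from the original page: it correlates constructed DC and member-server events (not real logs), flags Kerberos network logons that no DC issued a ticket for, and raises the severity when a scheduled task registration (event 4698) follows on the same host, which matches the HOST abuse described above. Host names, account names, the field layout and the time windows are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not captured from a real network). Event 4769 is
# written on the DC when the KDC issues a service ticket, 4624 on the server
# that accepted a ticket, 4698 on the server when a scheduled task is created.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T09:00:00", "host": "DC01", "id": 4769,
     "account": "alice", "service": "FILESRV01$"},
    {"time": "2024-03-04T09:00:05", "host": "FILESRV01", "id": 4624,
     "account": "alice", "logon_type": 3, "package": "Kerberos"},
    # Kerberos network logon that no DC issued a service ticket for.
    {"time": "2024-03-04T09:30:00", "host": "FILESRV01", "id": 4624,
     "account": "Administrator", "logon_type": 3, "package": "Kerberos"},
    # Scheduled task registered on the same host shortly afterwards.
    {"time": "2024-03-04T09:30:20", "host": "FILESRV01", "id": 4698,
     "account": "Administrator", "task": "\\Updater"},
    # NTLM logon: no 4769 is expected, so it must not be flagged.
    {"time": "2024-03-04T09:40:00", "host": "FILESRV01", "id": 4624,
     "account": "bob", "logon_type": 3, "package": "NTLM"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_unissued_kerberos_logons(events, lookback_minutes=600,
                                  task_window_minutes=5):
    """Flag Kerberos network logons with no matching TGS issuance on any DC.

    lookback_minutes should cover the domain's maximum service ticket life
    (600 min by default), because a cached ticket may have been issued long
    before the logon that uses it.
    """
    lookback = timedelta(minutes=lookback_minutes)
    task_window = timedelta(minutes=task_window_minutes)
    tgs_events = [e for e in events if e["id"] == 4769]
    task_events = [e for e in events if e["id"] == 4698]
    alerts = []
    for logon in events:
        if (logon["id"] != 4624 or logon.get("package") != "Kerberos"
                or logon.get("logon_type") != 3):
            continue
        when = _ts(logon)
        # 4769 names the service by its account, i.e. the computer account HOST$.
        service_account = logon["host"].upper() + "$"
        issued = any(
            t["account"] == logon["account"] and t["service"] == service_account
            and when - lookback <= _ts(t) <= when
            for t in tgs_events
        )
        if issued:
            continue
        alert = {"host": logon["host"], "account": logon["account"],
                 "time": logon["time"], "severity": "medium",
                 "reason": "Kerberos network logon without a TGS request on any DC"}
        task_after = any(
            t["host"] == logon["host"] and t["account"] == logon["account"]
            and when <= _ts(t) <= when + task_window
            for t in task_events
        )
        if task_after:
            alert["severity"] = "high"
            alert["reason"] += "; scheduled task registered shortly afterwards"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_unissued_kerberos_logons(SAMPLE_EVENTS):
        print(alert)
```

For this correlation to be meaningful, 4769 events must be collected from every domain controller, since any DC may have issued the legitimate ticket, and the lookback must span the full ticket lifetime the domain allows; gaps in DC log collection will otherwise show up as false positives.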