
kerberos silver ticket attack and detection, kerberoasting, $23$ hash crack

https://www.youtube.com/watch?v=_nJ-b1UFDVM

https://stealthbits.com/blog/impersonating-service-accounts-with-silver-tickets/#es_form_f0-n1

https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#golden-ticket

https://adsecurity.org/?page_id=183

 

Kerberos silver ticket:

A silver ticket is a forged service ticket (TGS). Once this ticket is created, the AS-REQ, AS-REP, TGS-REQ and TGS-REP steps are bypassed: since the TGS is forged, there is no need to communicate with a domain controller at all.

1. The ticket is valid because it is encrypted with the service account's NTLM password hash. The service account is configured with a service principal name (SPN) for each server on which the Kerberos-authenticated service runs, for example SQL Server running on Windows Server 2016. By default the SQL service runs as follows, which is not vulnerable:

SQL Server (MSSQLSERVER)    NT Service\MSSQLSERVER

If you want to make this vulnerable, or want an AD user account to authenticate to the SQL service via Kerberos, you need to create a user account in AD; say the account name is SQLUser. Set the password to passw0rd so that it can be cracked easily. We want this user to run SQL Server instead of the default account.

Now open services.msc and set the SQL Server service to log on as SQLUser:



Now restart the service. This is still not vulnerable to any kind of attack, because we have not set the SPN yet, so SQLUser does not support Kerberos authentication at this moment. By setting the SPN, the domain controller knows that this account runs the SQL service on this machine and allows Kerberos authentication for it:


MSSQLSvc/kerbdc1.kerb.local:1433

(service class, then the machine name followed by the domain name, then the port)

Now the SQLUser account is vulnerable, and actually vulnerable to two things: one is Kerberoasting and the other is the silver ticket attack.

Kerberoasting attack to get the service account password:

C:\HTB\rubeus kerberoast /domain:kerb.local /creduser:kerb.local\test /credpassword:testpwd /nowrap

(we need a valid domain user account and that account's password)


Now we need to crack the hash of the SQLUser account.


It will now crack the password of the SQLUser account, which is passw0rd.

So now we can create a silver ticket, bypassing Kerberos steps 1-4. The silver ticket is encrypted with this service account's password, and the SQL service holding that account will think everything is legitimate unless PAC validation is performed. Generally it is not: services that run as an AD user account under services.msc (just like the one we configured at the top of this write-up) do not do PAC validation, although they should.

To find the RC4 key (the NTLM hash of the password), use the following Rubeus command:

rubeus hash /password:passw0rd

After running the forging command (the kerberos::golden command shown below) you should have the silver ticket.

Use the klist command in Windows to view the ticket.

Run the command below to test it:

sqlcmd -S kerbdc1.kerb.local (hit enter; it should let you in, and then you can issue other SQL queries)
 

2. Now you may ask what the main difference between these two tickets is. A golden ticket is a forged TGT, created to grant access to all Kerberos-related services. A silver ticket is a forged TGS, created to target a specific server that currently hosts a specific service.

3. A golden ticket is signed with the krbtgt account's password hash; a silver ticket is signed with either the service account's credentials or the computer account's credentials, which are extracted from the computer's local SAM database.

4. Most services do not validate the PAC by sending the PAC checksum to the DC, so a forged TGS generated with the service account's password hash can include a PAC that is entirely fictitious, even claiming the user is a domain admin, without challenge or correction.

5. The attacker only needs the service account's password hash.

6. The TGS is forged, so there is no associated TGT, which further means the DC is never contacted.

7. This attack is more dangerous than the golden ticket attack: the required hash is easy to get and the DC is never contacted, so detection is also difficult.


The following mimikatz command can be used to create a silver ticket:

kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt


/user and /admin are the same parameter.

Yes, kerberos::golden is correct (there is no separate "silver" module).

/id: you can choose any id, e.g. 500, the Administrator RID. It does not matter, because the destination service account will not verify it with the DC.

/sid: to find the domain SID, run whoami /all or whoami /user.

/target: systemname.domainname

/rc4: NTLM hash of the computer or service account password. With the Rubeus tool you can generate the RC4 hash: rubeus hash /password:passw0rd


Detection:

Check the Domain field of 4624 event logs. For a legitimate ticket the domain field contains the NetBIOS domain name. If you find the domain field holding an FQDN, or blank, dig deeper: the domain field should not be blank and should be the NetBIOS domain name, not the FQDN.

You can use Microsoft Advanced Threat Analytics, a user behavior analytics tool.

Check that the account name is consistent with the account's RID: a forged ticket can claim any RID (e.g. 500) for an arbitrary user name, as noted above for /id.
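The two log checks above, worked through over sample data as an added example (this is not code from the original post): it reads 4624 events exported as JSON lines, flags Kerberos logons whose Domain field is blank or an FQDN, and flags account names that do not agree with the RID in the SID. The NetBIOS name KERB, the domain SID, the RID table and the four sample events are constructed for the demo; the field names are those of event 4624's EventData.

```python
"""Triage Windows Security 4624 (logon) events for silver-ticket indicators."""
import json
import re

# Constructed lab values (assumptions for this example, not from the post).
NETBIOS_DOMAIN = "KERB"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# RID -> sAMAccountName as you would export it from AD (constructed).
KNOWN_RIDS = {500: "Administrator", 1104: "SQLUser", 1105: "test"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample export: one JSON object per line, as an EVTX-to-JSON tool would emit.
SAMPLE_EVENTS = """\
{"EventRecordID": 1001, "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetUserName": "test", "TargetDomainName": "KERB", "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "IpAddress": "10.0.0.50"}
{"EventRecordID": 1002, "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetUserName": "test", "TargetDomainName": "kerb.local", "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500", "IpAddress": "10.0.0.50"}
{"EventRecordID": 1003, "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetUserName": "Administrator", "TargetDomainName": "", "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500", "IpAddress": "10.0.0.77"}
{"EventRecordID": 1004, "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "SQLUser", "TargetDomainName": "KERB", "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1104", "IpAddress": "10.0.0.50"}
"""


def check_domain_field(domain: str) -> list[str]:
    """A legitimate Kerberos logon carries the NetBIOS domain; forged tickets tend to carry an FQDN or nothing."""
    if domain == "":
        return ["TargetDomainName is blank"]
    if "." in domain:
        return [f"TargetDomainName is an FQDN ({domain}), expected NetBIOS name"]
    if domain.upper() != NETBIOS_DOMAIN:
        return [f"unexpected domain {domain}"]
    return []


def check_name_vs_rid(user: str, sid: str) -> list[str]:
    """The RID inside the SID must belong to the named account; a forged PAC can pair any RID with any name."""
    m = SID_RE.match(sid)
    if not m:
        return [f"unparseable SID {sid}"]
    domain_part, rid = m.group(1), int(m.group(2))
    if domain_part != DOMAIN_SID:
        return [f"SID from another domain ({domain_part})"]
    expected = KNOWN_RIDS.get(rid)
    if expected is None:
        return [f"RID {rid} not in known account list"]
    if expected.lower() != user.lower():
        return [f"account name {user} does not match RID {rid} ({expected})"]
    return []


def triage(json_lines) -> list[dict]:
    """Return one finding per suspicious Kerberos 4624 event (NTLM logons are out of scope here)."""
    findings = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624 or ev.get("AuthenticationPackageName") != "Kerberos":
            continue
        reasons = check_domain_field(ev.get("TargetDomainName", ""))
        reasons += check_name_vs_rid(ev.get("TargetUserName", ""), ev.get("TargetUserSid", ""))
        if reasons:
            findings.append({"RecordId": ev.get("EventRecordID"), "user": ev.get("TargetUserName"),
                             "source": ev.get("IpAddress"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS.splitlines()):
        print(f"record {f['RecordId']} user={f['user']} from {f['source']}: {'; '.join(f['reasons'])}")
```

On the sample data, record 1002 is flagged twice (FQDN domain and a RID-500 SID paired with the name "test") and record 1003 once (blank domain); the first event is clean and the NTLM logon is skipped. To run it for real, export 4624 events from the SQL host to JSON lines and replace the constructed RID table with an export of your own accounts.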


Mitigation:

It is very difficult to detect a silver ticket because the DC is not contacted, so manage your service account passwords carefully. Set strong passwords for service accounts so that they cannot be cracked easily, and of course make sure they are not found in the rockyou.txt file.
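A check for the mitigation just described, as an added example (not from the original post): it tests a candidate service account password against a minimum length and against a wordlist, after undoing common leet substitutions so that a variant like passw0rd is still caught when the list only contains "password". The minimum length of 25 is an assumed policy value, and the small wordlist is constructed; point load_wordlist at the real rockyou.txt to run it for real.

```python
"""Service-account password check against a wordlist, with leet normalisation."""
import re

MIN_LEN = 25  # assumption: long passphrases for service accounts; adjust to your policy

# Common substitutions attackers' rule sets undo anyway, so the check should undo them too.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for rockyou.txt.
SAMPLE_WORDLIST = """\
password
123456
welcome
summer2019
"""


def normalise(pw: str) -> str:
    """Drop trailing digits/symbols ("Summer2024!" -> "Summer"), lower-case, undo leet."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw)
    if not stripped:          # all-digit/symbol input: keep it whole rather than emptying it
        stripped = pw
    return stripped.lower().translate(LEET)


def load_wordlist(lines) -> set[str]:
    """Normalise every wordlist entry the same way candidates are normalised."""
    return {normalise(w.rstrip("\n")) for w in lines if w.strip()}


def check_service_password(pw: str, wordlist: set[str]) -> list[str]:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"length {len(pw)} is below the minimum of {MIN_LEN}")
    if normalise(pw) in wordlist:
        problems.append("matches a wordlist entry after normalisation")
    return problems


if __name__ == "__main__":
    wl = load_wordlist(SAMPLE_WORDLIST.splitlines())
    for candidate in ("passw0rd", "Summer2024!", "correct-horse-battery-staple-sqlsvc-19"):
        print(candidate, "->", check_service_password(candidate, wl) or "ok")
```

The lab password passw0rd fails both checks, Summer2024! fails both because the trailing year is stripped and "summer" is in the list, and the long passphrase passes. For a real audit, use the same normalisation on the wordlist file (streaming it line by line) rather than loading a multi-gigabyte list into memory.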



