
Kerberos silver ticket attack and detection, Kerberoasting, $23$ hash crack

https://www.youtube.com/watch?v=_nJ-b1UFDVM

https://stealthbits.com/blog/impersonating-service-accounts-with-silver-tickets/#es_form_f0-n1

https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#golden-ticket

https://adsecurity.org/?page_id=183

 

Kerberos silver ticket:

A silver ticket is a forged ticket-granting service (TGS) ticket. Once this ticket has been created, the AS-REQ, AS-REP, TGS-REQ and TGS-REP steps are bypassed. Since a silver ticket is a forged TGS, there is no need to communicate with a domain controller.

1. The ticket is valid because it is encrypted with the service account's NTLM password hash. A service account is configured with a service principal name (SPN) for each server on which the Kerberos-authenticating service runs, for example SQL Server running on Windows Server 2016. By default the SQL service runs as follows, which is not vulnerable:

SQL Server (MSSQLSERVER)    NT Service\MSSQLSERVER

If you want to make this vulnerable, or you want an AD user account to authenticate to the SQL service via Kerberos, you need to create a user account in AD; say the account name is SQLUser. Set the password to passw0rd so that it can be cracked easily. We want this user to run SQL Server instead of the default account.

Now open services.msc and set the SQL Server service to log on as SQLUser.



Now restart the service. This is still not vulnerable to any kind of attack because we have not set the SPN yet, so the SQLUser account does not support Kerberos authentication at this moment. By setting the SPN, the domain controller knows that this account runs the SQL service on this machine and allows Kerberos authentication. Register the following SPN on the SQLUser account:


MSSQLSvc/kerbdc1.kerb.local:1433

(service class, then the machine name followed by the domain name, then the port)

Now the SQLUser account is vulnerable, to two things in fact: Kerberoasting and the silver ticket attack.

Kerberoasting attack to get the service account password:

C:\HTB\rubeus kerberoast /domain:kerb.local /creduser:kerb.local\test /credpassword:testpwd /nowrap

(we need a valid domain user account and that account's password)


Now we need to crack the hash of the SQLUser account.


It will crack the password of the SQLUser account, which is passw0rd.

So now we can create a silver ticket, bypassing Kerberos steps 1-4. The silver ticket is encrypted with this service account's password hash, and the SQL service holding that SPN will treat everything as legitimate unless PAC validation is performed. Generally it is not: services that run as an AD user account (as we saw at the top of this write-up, in the services.msc list) do not do PAC validation, although they should.

To find the RC4 (NTLM) hash, use the following Rubeus command:

rubeus hash /password:passw0rd

Now create the silver ticket with the mimikatz command shown further down; after running it you should have the ticket.

Use the klist command in Windows to view the ticket.

Run the command below to test:

sqlcmd -S kerbdc1.kerb.local

(hit Enter; it should let you in, and you can then issue other SQL queries)
 

2. Now you may ask what the main difference between these two tickets is. A golden ticket is a forged TGT, created to grant access to all Kerberos-related services. A silver ticket is a forged TGS, created to target a specific server that currently hosts a specific service.

3. A golden ticket is signed with the krbtgt account's password hash, whereas a silver ticket is signed with either the service account's credentials or the computer account's credentials, extracted from the computer's local SAM database.

4. Most services don't validate the PAC by sending the PAC checksum to the DC, so the forged TGS generated with the service account password hash can include a PAC that is entirely fictitious, even claiming the user is a Domain Admin, without challenge or correction.

5. The attacker only needs the service account's password hash.

6. The TGS is forged, so it is not associated with any TGT, which further means the DC is never contacted.

7. This attack is more dangerous than the golden ticket attack: the required hash is easy to get and the DC is never contacted, so detection is also difficult.


The following mimikatz command can be used to create a silver ticket:

kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt


The /user and /admin parameters are the same.

Yes, kerberos::golden is correct (it is used for silver tickets too; there is no separate silver module).

/id: you can choose any ID, e.g. 500, the Administrator RID. It does not matter, because the destination service will not verify it with the DC.

/sid: to find the domain SID, type whoami /all or whoami /user (the domain SID is the user's SID without the trailing RID).

/target: systemname.domainname (the FQDN of the host running the service)

/rc4: NTLM hash of the computer or service account password. You can generate the RC4 hash with Rubeus: rubeus hash /password:passw0rd


Detection:

Check the Domain field of 4624 (logon) event logs. For a legitimate ticket it will contain the NetBIOS domain name. If you find the Domain field holding an FQDN, or blank, dig deeper: the Domain field should not be blank and should be the NetBIOS domain name (not the FQDN).

You can use the Microsoft Advanced Threat Analytics user behaviour tool.

Check that the account name matches the account RID (a forged ticket can carry an arbitrary /id, as noted above).
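The two checks above, applied to exported 4624 events, as an added example that is not part of the original post. The event records are constructed dicts using the field names Get-WinEvent exposes; the NetBIOS name KERB and the account-to-RID map are assumptions for the lab domain kerb.local.

```python
# Added example, not from the original post: flag 4624 logon events that show
# the silver-ticket indicators described above (blank or FQDN domain field,
# account name not matching the RID in the SID). Events are constructed dicts
# with Get-WinEvent field names; KERB and the RID map are assumptions for kerb.local.
NETBIOS_DOMAIN = "KERB"                                             # assumed
KNOWN_RIDS = {"test": 1104, "sqluser": 1105, "administrator": 500}  # assumed

def rid_of(sid):
    """Last sub-authority of a SID string, e.g. S-1-5-21-...-1104 -> 1104."""
    parts = sid.split("-")
    return int(parts[-1]) if len(parts) > 3 and parts[-1].isdigit() else None

def check_4624(event):
    """Indicator strings for one Kerberos 4624 event; an empty list means it looks normal."""
    findings = []
    if event.get("EventID") != 4624 or event.get("LogonProcessName") != "Kerberos":
        return findings
    domain = event.get("TargetDomainName", "")
    if domain == "":
        findings.append("blank TargetDomainName")
    elif "." in domain:
        findings.append("FQDN in TargetDomainName: %s (expected %s)" % (domain, NETBIOS_DOMAIN))
    elif domain.upper() != NETBIOS_DOMAIN:
        findings.append("unexpected TargetDomainName: %s" % domain)
    user = event.get("TargetUserName", "").lower()
    rid = rid_of(event.get("TargetUserSid", ""))
    expected = KNOWN_RIDS.get(user)
    if expected is not None and rid != expected:
        findings.append("RID %s does not match account %s (expected %s)" % (rid, user, expected))
    return findings

def scan(events):
    """(TargetUserName, findings) for every event that raised at least one indicator."""
    return [(e.get("TargetUserName"), f) for e in events for f in [check_4624(e)] if f]

# constructed sample events: a legitimate logon, then two matching the indicators
SID = "S-1-5-21-1111-2222-3333-%d"                                  # constructed domain SID
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonProcessName": "Kerberos", "TargetUserName": "test",
     "TargetDomainName": "KERB", "TargetUserSid": SID % 1104},
    {"EventID": 4624, "LogonProcessName": "Kerberos", "TargetUserName": "test",
     "TargetDomainName": "kerb.local", "TargetUserSid": SID % 1104},
    {"EventID": 4624, "LogonProcessName": "Kerberos", "TargetUserName": "test",
     "TargetDomainName": "", "TargetUserSid": SID % 500},
]

if __name__ == "__main__":
    for user, findings in scan(SAMPLE_EVENTS):
        print(user, "->", "; ".join(findings))
```

On a real host, feed it the 4624 events exported from the Security log of the server hosting the SPN, since that is the only place a silver ticket leaves a trace.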


Mitigation:

It is very difficult to detect a silver ticket because the DC is not contacted, so manage your service account passwords carefully. Set strong passwords for service accounts so that they cannot be cracked easily, and of course are not found in rockyou.txt.




  To see what users present in the system: net user To see local groups in the system: net localgroup To see domain groups. This should be run on a domain controller: net group To see the details of a user along with his/her group membership: net user mahim To see who are the members of a particular group (local machine): net localgroup "administrators"    (These are not case sensitive. You can use administrators or Administrators. Both will give you same result. To see who are the members of a particular group (domain machine): net group "domain admins" Create a local user: net user localuser1 MyP@ssw0rd /add Create a domain user: net user domainuser1 MyP@ssw0rd /add /domain Add the local user to local admin group: net localgroup Administrators localuser1 /add Add the user to domain admin group: net group "Domain Admins" domainuser1 /add /domain Avi