
kerberos silver ticket attack and detection, kerberoasting, $23$ hash crack

https://www.youtube.com/watch?v=_nJ-b1UFDVM

https://stealthbits.com/blog/impersonating-service-accounts-with-silver-tickets/#es_form_f0-n1

https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#golden-ticket

https://adsecurity.org/?page_id=183

 

Kerberos silver ticket:

a silver ticket is a forged service ticket (TGS). once this ticket has been created, the AS-REQ, AS-REP, TGS-REQ and TGS-REP steps are bypassed: because the silver ticket is a forged TGS, there is no need to communicate with a domain controller at all.

1. the ticket is valid because it is encrypted with the service account's NTLM password hash. a service account is configured with a service principal name (SPN) for each server on which the kerberos-authenticated service runs, for example sql server running on windows server 2016. by default the sql service runs as follows, which is not vulnerable:

SQL Server (MSSQLSERVER)    NT Service\MSSQLSERVER

if you want to make this vulnerable, or want an AD user account to authenticate to the sql service via kerberos, you need to create a user account in AD. say the user account name is SQLUser. set the password to passw0rd so that it can be cracked easily. we want this user to run sql server instead of the default one.

now open services.msc and change the log-on account of the SQL Server (MSSQLSERVER) service to SQLUser.



now restart the service. this is still not vulnerable to any kind of attack because we have not set the SPN yet, so SQLUser does not support kerberos authentication at this moment. by setting the SPN, the domain controller knows that this account runs the sql service on this machine and allows kerberos authentication. the SPN to register is:


MSSQLSvc/kerbdc1.kerb.local:1433

(service class, then the machine name followed by the domain name, then the port)

now the SQLUser account is vulnerable, in fact to two things: kerberoasting and the silver ticket attack.

kerberoasting attack to get the service account password:

C:\HTB\rubeus kerberoast /domain:kerb.local /creduser:kerb.local\test /credpassword:testpwd /nowrap

(we need a valid domain user account and that account's password)


now we need to crack the hash of the SQLUser account.


it will crack the password of the SQLUser account, which is passw0rd.

so now we can create a silver ticket, bypassing kerberos steps 1-4. the silver ticket is encrypted with this service account's password hash, and the sql service that holds the service will treat everything as legitimate unless PAC validation is performed. but generally it does not do that: services that run as an AD user account (just like the one we set up under services.msc at the top of this write-up) do not do PAC validation, although they should.

to find the rc4 (NTLM) hash of the password, use the following command in rubeus:

rubeus hash /password:passw0rd

now you should have the silver ticket in memory after running the ticket creation command (the kerberos::golden command listed further down).

use the klist command in windows to view the ticket.

run the command below to test:

sqlcmd -S kerbdc1.kerb.local (hit enter, it should let you in. then you can issue other sql queries)
 

2. now you may ask what the main difference between these two tickets is. well, a golden ticket is a forged TGT created to grant access to all kerberos-related services, and a silver ticket is a forged TGS created to target a specific server that is currently hosting that specific service.

3. a golden ticket is signed with the krbtgt account's password hash; a silver ticket is signed with either the service account's credentials or the computer account's credentials, which are extracted from the computer's local SAM database.

4. most services don't validate the PAC by sending the PAC checksum to the DC, so a forged TGS generated with the service account password hash can include a PAC that is entirely fictitious, even claiming the user is a domain admin, without challenge or correction.

5. the attacker only needs the service account's password hash.

6. the TGS is forged, so it is not associated with any TGT, which further means the DC is never contacted.

7. this attack is more dangerous than the golden ticket attack, as the required hash is easy to get and the DC is never contacted, so detection is also difficult.


the following (mimikatz) command can be used to create a silver ticket:

kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt


the /user and /admin parameters are the same.

yes, kerberos::golden is correct (it is used instead of a separate silver command).

/id: you can choose any id, e.g. 500 (the Administrator RID). it does not matter because the destination service will not verify it with the DC.

/sid: to find the domain sid, run whoami /all or whoami /user.

/target: systemname.domainname (the FQDN of the target server)

/rc4: NTLM hash of the computer or service account password. with rubeus you can generate the rc4 hash: rubeus hash /password:passw0rd


Detection:

check the domain field of 4624 event logs. with a legitimate ticket it contains the netbios domain name. if you find the domain field holding an FQDN, or blank, dig deeper: the domain field should not be blank and should be the short domain name, not an FQDN.

you can use the microsoft advanced threat analytics (ATA) user behavior analytics tool.

check that the account name matches the account's RID (the /id in a forged ticket need not correspond to the real account).
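as an added example (not from the original post or any of the linked tools), here is a small python check that applies the two 4624 indicators above to logon event records: a blank or FQDN domain field, and an account name whose SID/RID does not match the directory. the domain SID, the account-to-RID map and the sample event records are constructed for the demo; in practice the records come from the security event log and the RID map from an AD query.

```python
# added example: apply the two 4624 silver ticket indicators to event records
import re

# constructed sample map of domain accounts to their RIDs (would come from AD)
DIRECTORY_RIDS = {
    "administrator": 500,
    "sqluser": 1106,
    "test": 1108,
}

# constructed values for the demo domain
DOMAIN_SID = "S-1-5-21-1473643419-774954089-2222329127"
DOMAIN_NETBIOS = "KERB"


def rid_from_sid(sid):
    """Return the trailing RID of a domain account SID, or None if it is not one."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        return None
    return int(m.group(2))


def check_logon_event(event):
    """Inspect one 4624 record (dict of the relevant fields) and return the
    reasons it looks like a forged ticket (empty list means nothing odd)."""
    findings = []
    # only kerberos logons carry the ticket-derived fields we are checking
    if event.get("AuthenticationPackageName", "").lower() != "kerberos":
        return findings

    domain = event.get("TargetDomainName", "")
    user = event.get("TargetUserName", "")
    sid = event.get("TargetUserSid", "")

    # indicator 1: domain field must be the NetBIOS name, not blank, not an FQDN
    if domain == "":
        findings.append("TargetDomainName is blank")
    elif "." in domain:
        findings.append(f"TargetDomainName is an FQDN: {domain}")
    elif domain.upper() != DOMAIN_NETBIOS:
        findings.append(f"TargetDomainName is unexpected: {domain}")

    # indicator 2: RID inside the SID must match what the directory holds for the user
    rid = rid_from_sid(sid)
    expected = DIRECTORY_RIDS.get(user.lower())
    if rid is None or not sid.startswith(DOMAIN_SID + "-"):
        findings.append(f"SID malformed or not from this domain: {sid}")
    elif expected is None:
        findings.append(f"account {user} does not exist in the directory")
    elif rid != expected:
        findings.append(f"RID mismatch for {user}: ticket says {rid}, directory says {expected}")
    return findings


def scan_events(events):
    """Return {EventRecordID: findings} for every record that raised a finding."""
    result = {}
    for event in events:
        findings = check_logon_event(event)
        if findings:
            result[event["EventRecordID"]] = findings
    return result


# constructed sample 4624 records: one legitimate, two forged-looking, one NTLM
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "test", "TargetDomainName": "KERB",
     "TargetUserSid": DOMAIN_SID + "-1108"},
    {"EventRecordID": 2, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "Administrator", "TargetDomainName": "kerb.local",
     "TargetUserSid": DOMAIN_SID + "-1106"},
    {"EventRecordID": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "LukeSkywalker", "TargetDomainName": "",
     "TargetUserSid": DOMAIN_SID + "-1106"},
    {"EventRecordID": 4, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "test", "TargetDomainName": "KERB",
     "TargetUserSid": DOMAIN_SID + "-1108"},
]

if __name__ == "__main__":
    for record_id, findings in scan_events(SAMPLE_EVENTS).items():
        print(f"record {record_id}:")
        for f in findings:
            print("  -", f)
```

record 2 shows both indicators at once: the domain field is an FQDN and the name Administrator arrives with RID 1106, which is what a ticket forged with an arbitrary /id looks like from the service host's event log. record 3 is flagged for a blank domain field and for an account name the directory has never seen.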


Mitigation:

it is very difficult to detect a silver ticket because the DC is not contacted. so manage your service account passwords carefully: set strong passwords for service accounts so that they cannot be cracked easily, and of course not ones found in rockyou.txt.



