Golden Tickets
Administrators
KRBTGT Account Password Hash - Domain Name - Domain SID - User SID (User to Impersonate)
Golden Tickets are forged TGTs. This means we Bypass the Request and the Response for the Ticket Granting Ticket in Kerberos Authentication, the step where we prove to the Domain Controller who we are.
In order to Forge a Golden Ticket, we need the KRBTGT Account Password Hash so that we can sign a TGT for any User Account we want.
-
By Injecting at this stage of the Kerberos Process, we don't need the Password Hash of the Account we want to Impersonate since we Bypass that step. The TGT is only used to prove that the Key Distribution Centre on a DC Signed it.
-
The Key Distribution Centre will only Validate the User Account specified in the TGT if it is older than 20 Minutes. This means we can put a Disabled - Deleted - Non-Existent account in the TGT, and it will be Valid as long as we ensure the Timestamp is not older than 20 Minutes.
-
The Policies and Rules for Tickets are set in the TGT itself, so we can Overwrite the values pushed by the KDC, such as the rule that Tickets should only be valid for 10 Hours. We could, for instance, ensure that our TGT is valid for 10 Years, granting us Persistence.
-
By default, the KRBTGT Account Password never changes, meaning once we have it, unless it is Manually Rotated, we have Persistent access by generating TGTs forever.
-
The Blue Team would have to rotate the KRBTGT Account Password twice, since the current and previous Passwords are kept valid for the Account. This is to ensure that accidental Rotation of the Password does not impact Services.
-
Rotating the KRBTGT Account Password is an incredibly painful Process for the Blue Team since it will cause a significant amount of Services in the Environment to Stop Working.
-
Golden Tickets would even allow us to Bypass Smart Card Authentication, since the Smart Card is verified by the Domain Controller before it creates the TGT.
-
A Golden Ticket can be generated on any Machine, even one that is not Domain-Joined (Such as our own Attack Machine), making it Harder for the Blue Team to Detect.
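As an added, defender-side example (not part of these notes), the checks below run over constructed ticket records and flag the forged-TGT traits described above: a ticket lifetime longer than the 10-hour policy, and a ticket issued to an account that does not exist or is disabled. It also encodes the two-rotation rule for KRBTGT. The record layout, field names and sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Domain policy value quoted in the notes (maximum TGT lifetime).
MAX_TGT_LIFETIME = timedelta(hours=10)


@dataclass
class Ticket:
    user: str          # account named in the ticket
    start: datetime    # ticket start time
    end: datetime      # ticket end time


def audit_tickets(tickets, directory, max_lifetime=MAX_TGT_LIFETIME):
    """Flag tickets whose lifetime exceeds policy, or whose account is missing
    from or disabled in the directory. Returns a list of (user, reason)."""
    findings = []
    for t in tickets:
        lifetime = t.end - t.start
        if lifetime > max_lifetime:
            findings.append((t.user, f"lifetime {lifetime} exceeds policy {max_lifetime}"))
        enabled = directory.get(t.user.lower())  # None means the account does not exist
        if enabled is None:
            findings.append((t.user, "account does not exist"))
        elif not enabled:
            findings.append((t.user, "account is disabled"))
    return findings


def krbtgt_hash_retired(compromise_time, rotation_times):
    """True only once KRBTGT has been rotated twice after the compromise,
    because the KDC still honours the previous password after one rotation."""
    return sum(1 for r in rotation_times if r > compromise_time) >= 2


# Constructed sample data, not real audit output.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_DIRECTORY = {"alice": True, "bob": False}  # account name -> enabled
SAMPLE_TICKETS = [
    Ticket("alice", T0, T0 + timedelta(hours=9)),     # within policy
    Ticket("alice", T0, T0 + timedelta(days=3650)),   # 10-year lifetime
    Ticket("bob", T0, T0 + timedelta(hours=8)),       # disabled account
    Ticket("ghost", T0, T0 + timedelta(hours=8)),     # non-existent account
]
ONE_ROTATION = [T0 + timedelta(days=1)]
TWO_ROTATIONS = [T0 + timedelta(days=1), T0 + timedelta(days=2)]

if __name__ == "__main__":
    for user, reason in audit_tickets(SAMPLE_TICKETS, SAMPLE_DIRECTORY):
        print(f"{user}: {reason}")
    print("KRBTGT remediated after one rotation:", krbtgt_hash_retired(T0, ONE_ROTATION))
```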
Silver Tickets
Password Hash of a Service Account - Domain SID - Target Hostname
Silver Tickets are forged TGS Tickets. The Password Hash of a Service Account must be Compromised in order to execute the Attack.
-
The generated TGS is signed by the Machine Account of the Host we are Targeting.
-
The Difference between Golden Tickets and Silver Tickets is the number of Privileges we Acquire. If we have the KRBTGT Account Password Hash, we can get access to everything. With a Silver Ticket, since we only have access to the Password hash of the Machine Account of the Server we are Attacking, we can only Impersonate Users on that Host itself. The Silver Ticket scope is limited to whatever Service is targeted on the specific Server.
-
Since the TGS is Forged, there is no associated TGT, meaning the Domain Controller was never Contacted. This makes the Attack incredibly Dangerous since the only available logs would be on the Targeted Server. So while the scope is more Limited, it is significantly Harder for the Blue Team to Detect.
-
Since Permissions are determined through SIDs, we can again create a Non-Existent User for our Silver Ticket, as long as we ensure the Ticket has the relevant SIDs that would place the User in the Host's Local Administrators Group.
-
The Machine Account Password is usually Rotated every 30 Days, which is bad for Persistence. However, we could leverage the access our TGS provides to gain access to the Host's Registry and Alter the parameter that is responsible for the Password Rotation of the Machine Account, thereby ensuring the Machine Account Password remains Static and granting us Persistence on the Machine.
-
Machine Accounts can be used as normal AD Accounts, granting us not only Administrative access to the Host but also the means to continue Enumerating and Exploiting AD as we would with an AD User Account.