Silver Ticket
A silver ticket attack allows an attacker who has the password hash of a target service (MSSQL, CIFS, SharePoint) to forge Kerberos ticket-granting tickets (TGT) that enable the attacker to generate authentication material for the target service. This ticket is known as a silver ticket.
Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.
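Because a forged silver ticket is never requested from the KDC, one way to look for it is to find Kerberos logons on the service host that no domain controller issued a service ticket for. The Python below is an added example, not part of the original post; it assumes the service runs as the host's machine account (as with cifs here), that event 4769 is collected from every DC and event 4624 from the host, and it uses constructed events with simplified field names.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # AD default maximum service-ticket lifetime

def _user(name):
    """Normalise 'alice@CORP.LOCAL' (4769) and 'alice' (4624) to one key."""
    return name.split("@")[0].lower()

def _host_account(computer):
    """Map a host FQDN such as 'dc01.corp.local' to its machine account 'DC01$'."""
    return computer.split(".")[0].upper() + "$"

def find_unbacked_logons(dc_events, host_events, lifetime=TICKET_LIFETIME):
    """Return Kerberos network logons with no 4769 on any DC inside the ticket lifetime."""
    issued = {}  # (user, service account) -> times a DC issued a service ticket
    for e in dc_events:
        if e.get("EventID") == 4769:  # a Kerberos service ticket was requested
            key = (_user(e["TargetUserName"]), e["ServiceName"].upper())
            issued.setdefault(key, []).append(datetime.fromisoformat(e["Time"]))
    suspicious = []
    for e in host_events:
        kind = (e.get("EventID"), e.get("LogonType"), e.get("AuthenticationPackageName"))
        if kind != (4624, 3, "Kerberos"):  # keep Kerberos network logons only
            continue
        when = datetime.fromisoformat(e["Time"])
        key = (_user(e["TargetUserName"]), _host_account(e["Computer"]))
        if not any(timedelta(0) <= when - t <= lifetime for t in issued.get(key, [])):
            suspicious.append(e)
    return suspicious

# Constructed sample events (not real logs), reduced to the fields used above.
DC_EVENTS = [
    {"EventID": 4769, "Time": "2024-05-01T08:00:00",
     "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "DC01$"},
]
HOST_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T08:00:05", "Computer": "dc01.corp.local",
     "TargetUserName": "alice", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "Time": "2024-05-01T09:30:00", "Computer": "dc01.corp.local",
     "TargetUserName": "bob", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "Time": "2024-05-02T07:00:00", "Computer": "dc01.corp.local",
     "TargetUserName": "alice", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
]

if __name__ == "__main__":
    for e in find_unbacked_logons(DC_EVENTS, HOST_EVENTS):
        print("no matching 4769:", e["Time"], e["TargetUserName"], "->", e["Computer"])
```

A hit is a lead to investigate, not proof of forgery: a gap in DC log collection or a ticket lifetime policy longer than the assumed 10 hours produces the same signal.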
Exploitation
To forge a silver ticket, we need to get the password hash of the service using any credential access technique. Since the password of a machine account is the same as the password of the cifs service, we will use the password hash of the domain controller to forge a silver ticket for the cifs service. This will allow us to access a share of the domain controller.
Let’s try to access the c$ share of the domain controller.
As you can see, we were not able to access it because we didn’t have the required privileges. Now we will forge the silver ticket to see if we can access it.
Since we have the password hash of the domain controller (by dumping the SAM database), we will load mimikatz and forge the silver ticket for the cifs service.
We will then pass the ticket.
Now let’s try to access the c$ share of the domain controller again.
Great.