IMPERSONATING SERVICE ACCOUNTS WITH SILVER TICKETS

Service Account Attack #3: Silver Tickets

So far in this blog series, our first post showed us how to discover Active Directory service accounts and our second post explored how to crack their passwords using Kerberoasting. Now that we have compromised at least one service account and extracted its password, this post will explore how to further exploit that account using Silver Tickets.

Silver Tickets Overview

Silver Tickets enable an attacker to create forged service tickets (TGS tickets). These tickets can provide access to the service that was compromised with a Kerberoasting attack. For example, in our Kerberoasting attack, we compromised a service account with a registered Service Principal Name (SPN) of “MSSQLSvc/jefflab-sql02.jefflab.local:1433”. Now, we can use Silver Tickets to forge TGS tickets for the Microsoft SQL service on that host. This tactic by itself may not sound very valuable since we already have compromised the account associated with that SPN and wouldn’t need to forge tickets to act on its behalf. However, Silver Tickets do offer several benefits including:

  • The attacker does not need to authenticate the account to the domain controller to obtain the forged TGS. This can be done without creating network traffic and event logs to avoid detection.

  • The forged TGS ticket can be created on behalf of any user account, even fictitious accounts. This allows the access of the service account to be exploited without risking detection that the account has been compromised, which may result in a password reset.

  • The Privileged Attribute Certificate (PAC) within the TGS ticket can also be manipulated, elevating the account’s access to that of a Domain Administrator. In most cases, the PAC is not validated against the domain controller when the TGS is provided.

In my case, I have compromised a SQL Service account, but that account does not have any access granted to the databases hosted on SQL and cannot log in interactively to the computer. In the end, there isn’t a whole lot I can easily do with this account. Silver Tickets allow me to take this account and elevate its privileges so I can use it to gain full control over all of the database hosted on the compromised SQL Server. Even better, I can do this while making it very difficult to detect.

Now that we understand what a Silver Ticket is and why an attacker may choose to use one, let’s look at how this attack is performed.

Silver Tickets: How They Work

Step 1 – Obtain Password Information for Service Account or Computer Account

In order to forge TGS tickets, we must have the NTLM password hash for either a service account running a service on a computer or the computer account itself. In the previous post, we focused on compromising a service account running the SQL service on a particular host. The benefit of using a service account is that these accounts can be compromised without any elevated domain privileges. In order to compromise a computer account’s NTLM hash, you must obtain Administrator rights to that computer. If you are able to obtain the computer NTLM hash, you can forge tickets for any service that runs as the local system account. This could include services such as Common Internet File System (CIFS), which would provide access to all files stored on the computer. Microsoft describes other services that run on Windows operating systems here.

For this post, we will continue to focus on the Microsoft SQL Server service account we have compromised.

Step 2 – Create Forged Service Tickets Using Mimikatz

Now that you have the NTLM hash of one or more service accounts, we can create Silver Tickets using Mimikatz. Some of the information we need to create this ticket includes:

  • Domain SID – This can be obtained easily by issuing the command “Whoami /User” into a command prompt and copying the SID value without the Relative ID (RID) at the end. Using Mimikatz to obtain the Domain SID with the Whoami/User command to create Silver Tickets

  • Target – This is the host, which can be copied from the SPN value. In my case, this is jefflab-sql02.jefflab.local:1433.

  • Service – This will be the name of the service that we will create tickets for. This must be a service running as the service account we compromised. We will focus on the MSSQLSvc.

  • User – This specifies the user that the ticket will be created for, and this can be any user account whatsoever, even user accounts that do not exist.

  • Groups – This is the list of groups that will be added to the PAC for the account. By default, this will include Domain Admins but you can override it with custom groups if needed.

Using Mimikatz to create Silver Tickets that enable an attacker to forge service tickets (TGS tickets)

Here is the complete command issued to create a Silver Ticket for the MSSQLSvc with Domain Admin rights as a user with the name FakeUser.

Step 3 – Pass-the-Ticket

Using a Silver Ticket to create a forged TGS ticket, which can be seen in memory by Issuing the klist command

In the above command, I specified the /ptt flag that automatically injects the fake ticket into memory. By issuing a klist command you can see I now have a forged Kerberos ticket for my FakeUser account.

Using Kerberoast and tgsrepcrack.py to crack the service account tickets and extract the clear-text password value

Now that I have that in memory, I just need a way to issue SQL commands against that target host, which will support passing through my ticket. To do that, I will use the Sqlcmd.exe utility provided by Microsoft.

You can see in the above command I am able to make a SQL connection to the target host, and it sees me as JEFFLABFakeUser. I now am connected to a SQL database with full admin rights as an account that doesn’t even exist. This makes it much harder to investigate any actions I perform and to understand how this access was compromised in the first place.

Using Silver Tickets to create forged TGS tickets for a SQL Service account and elevating its rights to the SQL database on the SQL server whose security logs track logon events as FakeUser

You can see by looking at the SQL server’s security logs that it will track logon events as FakeUser as well:

Protecting Yourself from Silver Tickets

Detecting Silver Tickets can be very difficult since this bypasses the entire TGT portion of authentication and cannot be monitored by looking at Domain Controller logs. The best way to prevent these attacks is to enforce proper security over service accounts to avoid having these accounts compromised to begin with. Monitoring for logon anomalies using local logon events, such as the one shown above, can also be effective in protecting your organization.

Here are the other blogs in the series:

Service Account Attack #1 – Discovering Service Accounts without using Privileges Read Now Service Account Attack #2 – Extracting Service Account Passwords with Kerberoasting Read Now Service Account Attack #4 – Exploiting the KRBTGT service account for Golden Tickets Read Now

PreviousSilver TicketsNextSkeleton Keys

Last updated