Precious Metals: Golden and Silver Ticket Attacks



If you're in the realm of cybersecurity, you're probably already aware of the fact that most if not all processes and architectures are vulnerable to something, some more than others. In this post, we'll be diving into some Kerberos attacks that can result in undesired authentication and therefore access to restricted resources in an active directory environment.


Prerequisites to Golden and Silver Ticket Attacks

Prior to executing each of these attacks, there's information you need in order to successfully execute them. You can perceive these requirements to be "recipes," where you need certain ingredients to bake the nefarious authentication cake. In order to acquire these ingredients, Mimikatz will be your friend. Specifically, using the sekurlsa::ekeys module will provide you access to the data you need to carry on with forging tickets. Note that to utilize that module you will require elevated privileges.


This post won't dive into the initial compromise or gaining access, but will rather focus on the information needed and the how-to of golden and silver ticket attacks.


Golden Ticket Attack

In a golden ticket attack, the attacker compromises the Kerberos authentication process by forging a ticket granting ticket (TGT). In the authentication process, the TGT is an authentication token that allows the user to request additional accesses (service tickets) by way of the ticket granting service (TGS). These additional accesses are to services and resources on the active directory network.


In order to forge a TGT, the following is required:

  • The AES256 encrypted key or RC4 encrypted key for the krbtgt account (AES256 is preferred; stands out less in the logs)

  • The domain SID

  • The domain name

  • The user account being impersonated

Once that information is acquired, use Mimikatz to perform the attack:


mimikatz # kerberos::golden /User:Matryoshka /domain:atomicmatryoshka.local /sid:S-1-5-21-1234567890-0987654321-123456789 /id:500 /aes256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 /startoffset:0 /endin:600 /renewmax:10080 /ptt

The ticket is now in memory, you can run the following command to spawn a cmd shell:

mimikatz # misc::cmd

Once the command prompt is up, you will be able to remote into and access resources you were previously unable to access.


Silver Ticket Attack

In a silver ticket attack, the attacker compromises the latter part of the Kerberos authentication process by being able to forge ticket granting service (TGS) tickets. While a golden ticket attack allows the attacker to access an unlimited number of resources across the domain, a silver ticket attack allows the attacker to access a specific service/resource on the domain.


In order to forge a TGS ticket, the following is required:

  • The domain SID

  • The domain name

  • The user account being impersonated

  • The target server

  • The target service name

  • The AES256 encrypted or RC4 encrypted hash of the machine account password

Once that information is acquired, use Mimikatz to perform the attack:


mimikatz# kerberos::golden /User:Matryoshka /domain:atomicmatryoshka.local /sid:S-1-5-21-1234567890-0987654321-123456789/aes256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 /target:atomic-dc.atomicmatryoshka.local /service:cifs /startoffset:0 /endin:600 /renewmax:10080 /ptt

The ticket is now in memory, you can now spawn a cmd shell to access the service/resource:


mimikatz# misc::cmd

Once the command prompt is up, you can access the resource you specified in the initial portion of the attack.

90 views0 comments

Recent Posts

See All