Path: blob/master/documentation/modules/auxiliary/admin/kerberos/forge_ticket.md
# Kerberos Ticket Forging (Golden/Silver tickets)

The `auxiliary/admin/kerberos/forge_ticket` module allows the forging of a golden, silver, diamond or sapphire ticket.
## Vulnerable Application

Any system leveraging Kerberos as a means of authentication, e.g. Active Directory, MSSQL.
## Actions

The module can run the following actions:

- `FORGE_SILVER` - Forge a Silver ticket, i.e. a service ticket. [Default]
- `FORGE_GOLDEN` - Forge a Golden ticket, i.e. a ticket granting ticket.
- `FORGE_DIAMOND` - Forge a Diamond ticket, i.e. a ticket granting ticket forged by copying the PAC of another user.
- `FORGE_SAPPHIRE` - Forge a Sapphire ticket, i.e. a ticket granting ticket forged by copying the PAC of a particular user, obtained using the S4U2Self+U2U trick.
## Pre-Verification steps

1. Obtain your target's `DOMAIN` via your favorite method, e.g. `nmap <TARGET_IP>`
2. Next retrieve the `DOMAIN_SID`, e.g. `mimikatz # sekurlsa::logonpasswords` or `use auxiliary/gather/windows_secrets_dump`
3. Finally get the `NTHASH` or AES key (prefer the AES key if available) of the service account you wish to target, e.g. `mimikatz # sekurlsa::logonpasswords` - this output contains both the NTHASH and the AES keys
## Module usage

1. Start msfconsole
2. Do: `use auxiliary/admin/kerberos/forge_ticket`
3. Do: `set DOMAIN DW.LOCAL`
4. Do: `set DOMAIN_SID S-1-5-21-1755879683-3641577184-3486455962`
5. Do: `set NTHASH 88E4D9FABAECF3DEC18DD80905521B29`
6. Do: `set USER fake_user`
7. Do: `set USER_RID 500`
8. Do: `set SPN MSSqlSvc/dc1.dw.local:1433` (option only used for silver tickets)
9. Do: `forge_silver` to generate a silver ticket, or `forge_golden` for a golden ticket
10. Use your ticket, which will have been stored as loot, with your chosen target

Example usage in impacket:
## Scenarios

### Forge Golden ticket

Golden tickets can be used for persistence in an Active Directory environment. The forged golden ticket is actually a Ticket Granting Ticket (TGT), which can be used to request arbitrary service tickets. This module does not connect directly to a Key Distribution Center (KDC); it instead forges its own ticket.

Golden tickets can be forged using a stolen Kerberos `krbtgt` account password hash in NTHASH format.

For golden ticket attacks, the following information is required:

- `DOMAIN` - The domain, i.e. `adf3.local`
- `DOMAIN_SID` - The Security Identifier for the system, i.e. `S-1-5-21-1266190811-2419310613-1856291569`
- `NTHASH` - The NTHASH for the krbtgt account, i.e. `767400b2c71afa35a5dca216f2389cd9`
- `USER` - The username stored within the forged ticket; this must be a user that exists in Active Directory
- `USER_RID` - The relative identifier (RID) of the user, stored within the forged ticket, i.e. Administrator accounts have a RID of `500`

One way of extracting the krbtgt account NTHASH is to run the `auxiliary/gather/windows_secrets_dump` module:

With the above information a golden ticket can be forged:

This newly created golden ticket is a ticket granting ticket which can be used to generate service tickets without a username or password. Common services include WinRM, SMB, etc.

Example using a golden ticket with Metasploit:

Not currently supported.

Example using a golden ticket with impacket:

If this is not working for you, there is a section dedicated to common errors below.
### Forging Silver ticket

A silver ticket is similar to a golden ticket. The user will compromise the password hash for a service or computer account to forge tickets which grant persistent access to services such as SMB/LDAP/MSSQL/etc.

For silver ticket attacks the following information is required:

- `DOMAIN` - The domain, i.e. `adf3.local`
- `DOMAIN_SID` - The Security Identifier for the system, i.e. `S-1-5-21-1266190811-2419310613-1856291569`
- `NTHASH` - The NTHASH for the service or computer account, i.e. `767400b2c71afa35a5dca216f2389cd9`
- `USER` - The username stored within the forged ticket; unlike with golden tickets, this can be a non-existent user
- `USER_RID` - The relative identifier (RID) of the user, stored within the forged ticket, i.e. Administrator accounts have a RID of `500`
- `SPN` - The Service Principal Name, i.e. `CIFS` for SMB access, or `MSSqlSvc/dc1.dw.local:1433`. Other examples can be seen by running `setspn -q */*` on the target

Example Service Principal Names:

| Service Type | Service Principal Name |
|---|---|
| WMI | HOST or RPCSS |
| WinRM | HOST or HTTP |
| SMB | CIFS |
| LDAP | LDAP |
| MSSQL | MSSqlSvc |

One way of extracting the computer account NTHASH is to run the `auxiliary/gather/windows_secrets_dump` module:

With the above information a silver ticket for SMB can be forged for the target host:

Example using a silver ticket with impacket:
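The golden and silver ticket scenarios above are written from the attacker's side. As an added example (not code from the Metasploit module or its documentation), here is the corresponding check a defender can run over domain controller and host audit records. It relies on two facts stated above: the module forges the ticket offline without contacting the KDC, and a silver ticket's `USER` may be an account that does not exist. The event IDs are the standard Windows Security audit IDs (4768 TGT request, 4769 service ticket request, 4624 logon); the reduced record layout, the account list and the event records are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    """One Windows Security audit record, reduced to the fields the checks need.

    event_id:  4768 = TGT requested (logged on a DC), 4769 = service ticket
               requested (logged on a DC), 4624 = account logon (logged on the
               host that accepted the ticket)
    account:   the account named in the record, optionally as user@REALM
    client_ip: the address the request or logon came from
    target:    "krbtgt" for 4768, the service account for 4769, the accepting
               host for 4624
    ts:        ordering key, e.g. seconds into the analysis window
    """
    event_id: int
    account: str
    client_ip: str
    target: str
    ts: int


def normalize_account(account):
    """Strip a trailing @REALM and case-fold, so user@DW.LOCAL and user match."""
    return account.split("@", 1)[0].lower()


def find_forged_ticket_patterns(events, directory_accounts):
    """Return (reason, event) pairs for records that match a forged-ticket pattern.

    Golden ticket pattern: a service ticket is requested (4769) by an
    account/client pair that never obtained a TGT from a DC (no earlier 4768),
    because the TGT was forged offline rather than issued by the KDC.
    Silver ticket pattern: a Kerberos logon (4624) is accepted by a host for an
    account the directory does not know, or for which no DC ever issued a
    service ticket (no 4769), because the ticket was forged with the service
    account's key and never passed through the KDC.
    """
    known = {normalize_account(a) for a in directory_accounts}
    tgt_issued = set()   # (account, client_ip) pairs that got a TGT from a DC
    tgs_issued = set()   # accounts that got at least one service ticket from a DC
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        acct = normalize_account(ev.account)
        key = (acct, ev.client_ip)
        if ev.event_id == 4768:
            tgt_issued.add(key)
        elif ev.event_id == 4769:
            tgs_issued.add(acct)
            if key not in tgt_issued:
                findings.append(("4769 without a preceding 4768 for this account/client: "
                                 "TGT was never issued by a DC (golden ticket pattern)", ev))
        elif ev.event_id == 4624:
            if acct not in known:
                findings.append(("4624 for an account unknown to the directory "
                                 "(silver ticket pattern)", ev))
            if acct not in tgs_issued:
                findings.append(("4624 with no 4769 issued by any DC for this account "
                                 "(silver ticket pattern)", ev))
    return findings


# Constructed sample data for the example; not real telemetry.
DIRECTORY_ACCOUNTS = ["Administrator", "alice", "DC1$", "krbtgt"]
SAMPLE_EVENTS = [
    # alice: normal flow, TGT then service ticket then logon, all from one client
    AuditEvent(4768, "alice@DW.LOCAL", "10.0.0.5", "krbtgt", 100),
    AuditEvent(4769, "alice@DW.LOCAL", "10.0.0.5", "DC1$", 101),
    AuditEvent(4624, "alice", "10.0.0.5", "dc1.dw.local", 102),
    # Administrator: service ticket requested, but this client never asked for a TGT
    AuditEvent(4769, "Administrator@DW.LOCAL", "10.0.0.99", "DC1$", 200),
    # fake_user: logon accepted at the host, account does not exist, no DC involved
    AuditEvent(4624, "fake_user", "10.0.0.99", "dc1.dw.local", 300),
]


if __name__ == "__main__":
    for reason, ev in find_forged_ticket_patterns(SAMPLE_EVENTS, DIRECTORY_ACCOUNTS):
        print(f"ts={ev.ts} event={ev.event_id} account={ev.account} "
              f"client={ev.client_ip} target={ev.target}: {reason}")
```

The "no preceding 4768" check needs records from every DC over at least a full TGT lifetime, otherwise legitimate renewals and tickets issued by a different DC show up as hits. It also does not fire for diamond and sapphire tickets: those begin with a real AS-REQ (the first step listed in their sections), which does produce a 4768, and the account data copied from the valid TGT is genuine.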
### Forging Diamond ticket

A diamond ticket is just a golden ticket (thus requiring knowledge of the krbtgt hash), with an attempt to be stealthier, by:

1. Performing an AS-REQ request to retrieve a TGT for any user
2. Using the krbtgt hash to decrypt the real ticket
3. Setting properties of the forged PAC to mirror those in the valid TGT
4. Encrypting the forged ticket with the krbtgt hash

The primary requirement of a Diamond ticket is the same: knowledge of the krbtgt hash of the domain. The `DOMAIN_SID` property is not required, as this is retrieved from the valid TGT.

To perform the first step (retrieving the TGT), you must provide sufficient information to authenticate to the domain (i.e. `RHOST`, `USERNAME` and `PASSWORD`).
### Forging Sapphire ticket

A sapphire ticket is similar to a Diamond ticket, in that it retrieves a real TGT and copies data from that PAC onto the forged ticket. However, instead of using the ticket retrieved in the initial authentication, an additional step is performed to retrieve a PAC for another (presumably high-privilege) user:

1. Authenticating to the KDC
2. Using the S4U2Self and U2U extensions to request a TGS for a high-privilege user (this mirrors what the real user's PAC would look like, but the ticket is unusable in high-privilege contexts)
3. Decrypting this information
4. Setting properties of the forged PAC to mirror those in the valid TGT
5. Encrypting the forged ticket with the krbtgt hash

The primary requirement of a Sapphire ticket is the same as for Golden and Diamond tickets: knowledge of the krbtgt hash of the domain. The `DOMAIN_SID` and `DOMAIN_RID` properties are not required, as these are retrieved from the valid TGT.

To perform the first step (retrieving the TGT), you must provide sufficient information to authenticate to the domain (i.e. `RHOST`, `USERNAME` and `PASSWORD`).
## Common Mistakes

### Invalid hostname

Use the full hostname of the machine you are targeting, not just the domain:

### Invalid SPN

SPNs must be in the format `*/*`. If this is not identical to what Active Directory is configured with, it will not work.
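To make the two mistakes above checkable before a ticket is forged or inspected, here is an added example (not code from the Metasploit project) that parses an SPN into service class, host, port and service name and reports the problems named above: a value without the `/` separator, and a host part that is only the domain rather than the target machine's full hostname. The `serviceclass/host[:port][/servicename]` grammar and the `dw.local` sample values are assumptions made for this example.

```python
import re

# serviceclass/host[:port][/servicename]; this grammar is an assumption for the example.
SPN_PATTERN = re.compile(
    r"^(?P<service>[^/:\s]+)/(?P<host>[^/:\s]+)(?::(?P<port>\d{1,5}))?(?:/(?P<name>[^\s/]+))?$"
)


def parse_spn(spn):
    """Split an SPN into its parts, or return None when it is not in */* form."""
    m = SPN_PATTERN.match(spn)
    if m is None:
        return None
    return {
        "service": m.group("service"),
        "host": m.group("host"),
        "port": int(m.group("port")) if m.group("port") else None,
        "name": m.group("name"),
    }


def check_spn(spn, domain):
    """Return a list of problems with the SPN for the given domain; [] means it passes."""
    problems = []
    parts = parse_spn(spn)
    if parts is None:
        # No serviceclass/host split, e.g. a bare "CIFS" or "MSSqlSvc"
        problems.append("not in serviceclass/host[:port][/servicename] form")
        return problems
    host = parts["host"].lower()
    domain = domain.lower()
    if host == domain:
        # The host part names the domain, not the machine being targeted
        problems.append("host part is the domain name, not the full hostname of the target machine")
    elif "." in host and not host.endswith("." + domain):
        problems.append("host part is fully qualified but not under the expected domain")
    if parts["port"] is not None and not 1 <= parts["port"] <= 65535:
        problems.append("port is out of range")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one valid, three showing the mistakes described above
    for candidate in ["MSSqlSvc/dc1.dw.local:1433", "CIFS", "CIFS/dw.local",
                      "HTTP/dc1.dw.local:70000"]:
        print(f"{candidate!r}: {check_spn(candidate, 'dw.local') or 'ok'}")
```

Short host names such as `HOST/dc1` pass the check, since the SPN registered in Active Directory may legitimately use either form; the only hard requirement the check enforces is the one stated above, that the value has a service class and a host separated by `/`.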
### Verbose Mode

If you set `Verbose true`, the module runs in a more verbose mode. This is useful when the ticket you are forging does not work as expected: the module prints out the contents of the ticket after it has been forged, similar to the `inspect_ticket` module with the key supplied.