Active Directory series: SILVER TICKET

Introduction

In this article series, we will look into the most famous ways that can be used to attack Active Directory and achieve persistence. This article will be looking at the Silver Ticket method.

Note: Attacks discussed in this series have already been publicly disclosed on different forums. This series is for educational purposes only.

Assumption

We will assume that the target domain is already breached and now the attacker is trying to pivot from the breached machine/host to gain higher privileges.

Lab setup

Domain controller: kidulala-dc.kidulala.local

Domain user: KIDULALA/lala

Domain admin: KIDULALA/chotu

Kerberos authentication

To understand Silver Ticket, it is very important for us to understand how Kerberos authentication works. Let’s take a look.

Step 1: A user’s password is converted to an NTLM hash, and the timestamp is encrypted with this hash and sent to KDC. This step is often called AS-REQ (authentication server — request). Basically, the user is proving its identity to the ticket-granting server.

Step 2: Since the KDC has the NTLM hash of all users, it was able to decrypt the message retrieved in Step 1. After this, KDC grants a TGT (ticket-granting ticket) back to the user. This ticket is encrypted with a special user on the Domain Controller, known as krbtgt. This means that when the user receives the ticket, he cannot decrypt it, since the krbtgt hash is only on DC. This step is often called AS-REP (authentication server — response).

Step 3: In this step, the user asks for TGS (ticket-granting service); a ticket to access the actual service user is interested in. In this step, the user sends the TGT back to the KDC along with the requested TGS. This step is often called TGS-REQ (TGS request).

Step 4: In this step, KDC sends back the requested (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Security Ninja. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ADHTM2ELbFE/