👉 Overview
👀 What?
Windows Silver Ticket is an attack technique used in cyber-security to exploit the service tickets in Microsoft's Kerberos implementation. It is a form of pass-the-ticket attack, specifically targeting the Service Tickets issued by the Kerberos Ticket Granting Service (TGS).
🧐 Why?
Understanding Silver Ticket attacks is crucial for both Red Team and Blue Team professionals. For Red Team, it provides a stealthy method of gaining persistent access to network resources. For Blue Team, understanding this technique is key for developing effective detection strategies and securing the network against such threats.
⛏️ How?
To execute a Silver Ticket attack, an attacker first needs to obtain the service account's NTLM hash. Once this is obtained, the attacker can forge a TGS ticket for any service on the network that runs under this service account. The forged ticket can then be used to access the targeted service as if the attacker were a legitimate user.
⏳ When?
Silver Ticket attacks have been a known threat in the cyber-security landscape since around 2014, when it was publicly discussed at the DEF CON conference.
⚙️ Technical Explanations
The Silver Ticket attack is a cybersecurity technique that manipulates the Kerberos protocol, which Microsoft uses for network authentication. This attack targets the Service Tickets provided by the Kerberos Ticket Granting Service (TGS). In a normal scenario, when a user requests access to a service, the TGS issues a Service Ticket containing the user's identity, the service's identity, and a session key for communication. The service trusts this ticket to be valid, assuming it's only issued by the TGS.
However, in a Silver Ticket attack, the attacker exploits this trust relationship. The attacker first needs to acquire the service account's NTLM (NT LAN Manager) hash, the cryptographic hash of the account's password that Windows uses as the account's Kerberos RC4 key. Once the attacker has this hash, they can forge a Service Ticket for any service on the network that runs under this service account.
The key aspect is that the targeted service does not verify the authenticity of the ticket with the TGS. A Service Ticket is encrypted with the service account's key, so the service simply decrypts it with that key and, if decryption succeeds, treats its contents as legitimate. Therefore, it accepts the attacker's forged ticket as valid. This acceptance allows the attacker to impersonate any user, thus gaining their access rights to the service. (Kerberos PAC validation, which lets a service check the ticket's authorization data with a domain controller, is optional and is not performed by most services.)
This attack method has been recognized as a cybersecurity threat since around 2014. It is particularly stealthy, because a forged ticket never passes through a domain controller, and it provides an attacker with persistent access to network resources, making it a significant concern for network security. Understanding and detecting Silver Ticket attacks is vital for both offensive (Red Team) and defensive (Blue Team) cybersecurity professionals.
Here is a hypothetical example of how a Silver Ticket attack might be executed using Mimikatz, a tool commonly used in cybersecurity demonstrations:
- Obtain the service account's NTLM hash: The attacker first needs access to a system where the NTLM hash of the service account can be obtained. This could be achieved through various methods such as phishing or exploiting a known vulnerability. Once they have access, they can use Mimikatz to dump the NTLM hashes from memory using the command:
  mimikatz # sekurlsa::logonPasswords
- Forge a Service Ticket: After obtaining the NTLM hash, the attacker can then forge a Service Ticket. Mimikatz has a feature to create a Silver Ticket. The command might look like this:
  mimikatz # kerberos::golden /user:Administrator /domain:corp.example.com /sid:S-1-5-21-1234567890-123456789-1234567890 /target:server.corp.example.com /service:host /rc4:1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d /ptt
  In this command, the /rc4 flag is followed by the NTLM hash of the service account, and the /ptt flag tells Mimikatz to "pass the ticket" into the current session.
- Access the targeted service: With the forged ticket, the attacker can now access the targeted service as if they were a legitimate user. For example, if the service is a file server, they can access files that the impersonated user has permissions to view or modify.
Remember, this is a simplified example for educational purposes. In reality, the process might involve more steps and be more complex, especially considering measures put in place to prevent such attacks.
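Because a forged Service Ticket never touches a domain controller, the defender's signal lives on the member server: a Kerberos network logon (event 4624) with no corresponding TGS request (event 4769) on any DC within the ticket lifetime, or a logon whose account-domain field is blank or an FQDN instead of the NetBIOS name (a known artifact of Mimikatz-forged tickets). The following detection logic is an added example, not code from the page or from Mimikatz; it runs over constructed event records and assumes the NetBIOS name CORP for corp.example.com, the field names shown, and that 4769 events from every DC are collected centrally.

```python
# Silver Ticket indicators from Windows Security events (added example, constructed data).
from datetime import datetime, timedelta

EXPECTED_NETBIOS = "CORP"                # assumed NetBIOS name for corp.example.com
TICKET_LIFETIME = timedelta(hours=10)    # default max service ticket life; tickets are cached and reused

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample records (not real logs): 4624 collected on server.corp.example.com,
# 4769 collected on the domain controller. Field names mirror the event's XML data values.
HOST_LOGONS = [
    {"id": 4624, "time": _t("2024-05-01T09:05:00"), "user": "alice", "domain": "CORP",
     "logon_type": 3, "auth_pkg": "Kerberos"},
    {"id": 4624, "time": _t("2024-05-01T09:20:00"), "user": "Administrator",
     "domain": "corp.example.com", "logon_type": 3, "auth_pkg": "Kerberos"},
    {"id": 4624, "time": _t("2024-05-01T09:30:00"), "user": "bob", "domain": "CORP",
     "logon_type": 3, "auth_pkg": "NTLM"},
]
DC_TGS_REQUESTS = [
    {"id": 4769, "time": _t("2024-05-01T09:00:00"), "user": "alice", "service": "SERVER$"},
]

def kerberos_network_logons(logons):
    """Only network logons authenticated by Kerberos can be backed by a service ticket."""
    return [e for e in logons
            if e["id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "Kerberos"]

def domain_field_anomalies(logons):
    """Kerberos logons whose domain field is blank or not the expected NetBIOS name."""
    return [e for e in kerberos_network_logons(logons)
            if e["domain"].upper() != EXPECTED_NETBIOS]

def logons_without_tgs(logons, tgs_requests, host_account):
    """Kerberos logons with no 4769 for the same user and this host's service account
    within one ticket lifetime before the logon. Expect some false positives if 4769
    collection from any DC is incomplete; tune the window to your ticket policy."""
    hits = []
    for e in kerberos_network_logons(logons):
        matched = any(r["user"].lower() == e["user"].lower()
                      and r["service"].upper() == host_account.upper()
                      and e["time"] - TICKET_LIFETIME <= r["time"] <= e["time"]
                      for r in tgs_requests)
        if not matched:
            hits.append(e)
    return hits

if __name__ == "__main__":
    for e in domain_field_anomalies(HOST_LOGONS):
        print("domain anomaly:", e["user"], repr(e["domain"]))
    for e in logons_without_tgs(HOST_LOGONS, DC_TGS_REQUESTS, "SERVER$"):
        print("no TGS request on DC:", e["user"], e["time"])
```

In a real deployment the 4624 records come from the member server's Security log and the 4769 records from all domain controllers, and the Administrator logon above would fire both rules.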