Pass the Ticket

Adversaries may 'pass the ticket' using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the Ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

In this technique, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending in the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.

Silver Ticket can be obtained for services that user Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).

Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.

Example

This demonstration will also cover Silver Tickets

Now on this scenario we have a share inaccessible by our domain user that we currently hold DC\Dwinchester. But we are aware of another user that can.

Jwinchester, this being since the users is part of the Data Engineers Group

And that folder has permissions for that user. We can see that our current user has no permissions to even check the

permissions itself.

Since it's a DB folder we try to search for a user that has DB permissions we already know this with Jwinchester.

John is the perfect candidate, now let's get a ticket for this account. We will use a tool to grab SPNs

And Request the Ticket

We will then export the tickets and crack them offline. Crack the ticket and convert it to an NTLM Hash for Demo purposes this is already done.

Create the Silver Ticket

And remember the share we had no access too?. We can now enumerate the files on the Share

References:

What is a Silver Ticket Attack? - Forged Service TicketsAttack Catalog

DownloadsDirectory Services Internals

How Attackers Use Kerberos Silver Tickets to Exploit SystemsActive Directory Security

PreviousT1550: Use Alternate Authentication Material NextPass the Hash

Last updated 3 years ago