Service Account Attack #3: Silver Tickets
So far in this blog series, our first post showed us how to discover Active Directory service accounts and our second post explored how to crack their passwords using Kerberoasting. Now that we have compromised at least one service account and extracted its password, this post will explore how to further exploit that account using Silver Tickets.
Silver Tickets Overview
Silver Tickets enable an attacker to create forged service tickets (TGS tickets). These tickets can provide access to the service that was compromised with a Kerberoasting attack. For example, in our Kerberoasting attack, we compromised a service account with a registered Service Principal Name (SPN) of “MSSQLSvc/jefflab-sql02.jefflab.local:1433”. Now, we can use Silver Tickets to forge TGS tickets for the Microsoft SQL service on that host. This tactic by itself may not sound very valuable since we already have compromised the account associated with that SPN and wouldn’t need to forge tickets to act on its behalf. However, Silver Tickets do offer several benefits including:
- The attacker does not need to authenticate the account to the domain controller to obtain the forged TGS. This can be done without creating network traffic and event logs to avoid detection.
- The forged TGS ticket can be created on behalf of any user account, even fictitious accounts. This allows the access of the service account to be exploited without risking detection that the account has been compromised, which may result in a password reset.
- The Privileged Access Certificate (PAC) within the TGS ticket can also be manipulated, elevating the account’s access to that of a Domain Administrator. In most cases, the PAC is not validated against the domain controller when the TGS is provided.
In my case, I have compromised a SQL Service account, but that account does not have any access granted to the databases hosted on SQL and cannot log in interactively to the computer. In the end, there isn’t a whole lot I can easily do with this account. Silver Tickets allow me to take this account and elevate its privileges so I can use it to gain full control over all of the database hosted on the compromised SQL Server. Even better, I can do this while making it very difficult to detect.
Now that we understand what a Silver Ticket is and why an attacker may choose to use one, let’s look at how this attack is performed.
Silver Tickets: How They Work
Step 1 – Obtain Password Information for Service Account or Computer Account
In order to forge TGS tickets, we must have the NTLM password hash for either a service account running a service on a computer or the computer account itself. In the previous post, we focused on compromising a service account running the SQL service on a particular host. The benefit of using a service account is that these accounts can be compromised without any elevated domain privileges. In order to compromise a computer account’s NTLM hash, you must obtain Administrator rights to that computer. If you are able to obtain the computer NTLM hash, you can forge tickets for any service that runs as the local system account. This could include services such as Common Internet File System (CIFS), which would provide access to all files stored on the computer. Microsoft describes other services that run on Windows operating systems here.
For this post, we will continue to focus on the Microsoft SQL Server service account we have compromised.
Step 2 – Create Forged Service Tickets Using Mimikatz
Now that you have the NTLM hash of one or more service accounts, we can create Silver Tickets using Mimikatz. Some of the information we need to create this ticket includes:
- Domain SID – This can be obtained easily by issuing the command “Whoami /User” into a command prompt and copying the SID value without the Relative ID (RID) at the end.
- Target – This is the host, which can be copied from the SPN value. In my case, this is jefflab-sql02.jefflab.local:1433.
- Service – This will be the name of the service that we will create tickets for. This must be a service running as the service account we compromised. We will focus on the MSSQLSvc.
- User – This specifies the user that the ticket will be created for, and this can be any user account whatsoever, even user accounts that do not exist.
- Groups – This is the list of groups that will be added to the PAC for the account. By default, this will include Domain Admins but you can override it with custom groups if needed.
Here is the complete command issued to create a Silver Ticket for the MSSQLSvc with Domain Admin rights as a user with the name FakeUser.
Step 3 – Pass-the-Ticket
In the above command, I specified the /ptt flag that automatically injects the fake ticket into memory. By issuing a klist command you can see I now have a forged Kerberos ticket for my FakeUser account.
Now that I have that in memory, I just need a way to issue SQL commands against that target host, which will support passing through my ticket. To do that, I will use the Sqlcmd.exe utility provided by Microsoft.
You can see in the above command I am able to make a SQL connection to the target host, and it sees me as JEFFLAB\FakeUser. I now am connected to a SQL database with full admin rights as an account that doesn’t even exist. This makes it much harder to investigate any actions I perform and to understand how this access was compromised in the first place.
You can see by looking at the SQL server’s security logs that it will track logon events as FakeUser as well:
Protecting Yourself from Silver Tickets
Detecting Silver Tickets can be very difficult since this bypasses the entire TGT portion of authentication and cannot be monitored by looking at Domain Controller logs. The best way to prevent these attacks is to enforce proper security over service accounts to avoid having these accounts compromised to begin with. Monitoring for logon anomalies using local logon events, such as the one shown above, can also be effective in protecting your organization.
Here are the other blogs in the series:
Service Account Attack #1 – Discovering Service Accounts without using Privileges Read Now
Service Account Attack #2 – Extracting Service Account Passwords with Kerberoasting Read Now
Service Account Attack #4 – Exploiting the KRBTGT service account for Golden Tickets Read Now
To watch the Service Account Attacks webinar, please click here.
Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.