3 thoughts on “Impersonating Service Accounts with Silver Tickets

  1. hi great article. one question/observation from my own experiments. it appears that when you use a “fake” account the SQL server has to be configured in a particular way i.e. authenticate against a catch all AD group like Authenticated Users. Can you confirm?

    If this is not the case (like a lot of large organisations and only AD usernames are present) you have to specify a known MSSQL username.

    Once again great article and thanks for sharing

    1. Hi Mark – Glad you liked the article!

      In this approach, we are forging a TGS service ticket with a fake user name, RID, and group membership which is stored in the PAC. The name is not used for authentication, so I fake the RID to be an administrator (1103 is a domain admin in my case but 500 works), and by default, Mimikatz puts privileged groups into my PAC (513,512,520,518,519). Then when using this TGS ticket against SQL it uses the RID and group membership to evaluate and grant access. This should let you in pretty quickly, and if you need to try different access groups you can specify them with the /groups option in the Kerberos::golden command. Hope that answers your question!

  2. Hi Jeff, thank you for the reply. Yes this matches exactly what i’m seeing. Great set of articles around attacking kerberos, something I have now added to my Red Team skills 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

*