5 thoughts on “Impersonating Service Accounts with Silver Tickets”

  1. Hi, great article. One question/observation from my own experiments: it appears that when you use a “fake” account, the SQL server has to be configured in a particular way, i.e. to authenticate against a catch-all AD group like Authenticated Users. Can you confirm?

    If this is not the case (as in a lot of large organisations, where only AD usernames are present), you have to specify a known MSSQL username.

    Once again, great article and thanks for sharing.

    1. Hi Mark – Glad you liked the article!

      In this approach, we are forging a TGS service ticket with a fake user name, RID, and group membership, which are stored in the PAC. The name is not used for authentication, so I fake the RID to be an administrator (1103 is a domain admin in my case, but 500 works), and by default Mimikatz puts privileged groups into my PAC (513, 512, 520, 518, 519). Then, when using this TGS ticket against SQL, it uses the RID and group membership to evaluate and grant access. This should let you in pretty quickly, and if you need to try different access groups you can specify them with the /groups option in the Kerberos::golden command. Hope that answers your question!
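A defender-side illustration of the point made in the reply above (an added example, not part of the original post or comments): because the name, RID and groups in a Silver Ticket's PAC are never checked against the KDC, the logon events recorded on the service host can carry a name/SID pairing that does not exist in AD, such as an unknown name with an administrator RID. The script assumes a constructed directory export and simplified, constructed 4624-style log lines; the field names and SIDs are invented for the example.

```python
import re

# Constructed directory snapshot (hypothetical): account name -> RID, as a
# defender would export it from AD. 500 is the built-in Administrator and
# 1103 stands in for the domain admin RID mentioned in the reply above.
KNOWN_ACCOUNTS = {"administrator": 500, "jeff.admin": 1103, "svc_sql": 1105, "mark": 1201}
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed, simplified 4624-style logon lines from the SQL host.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AccountName=svc_sql AccountSid=S-1-5-21-1111111111-2222222222-3333333333-1105 AuthPackage=Kerberos
EventID=4624 LogonType=3 AccountName=fakeuser AccountSid=S-1-5-21-1111111111-2222222222-3333333333-1103 AuthPackage=Kerberos
EventID=4624 LogonType=3 AccountName=mark AccountSid=S-1-5-21-1111111111-2222222222-3333333333-500 AuthPackage=Kerberos
EventID=4624 LogonType=3 AccountName=mark AccountSid=S-1-5-21-1111111111-2222222222-3333333333-1201 AuthPackage=Kerberos
"""

LINE_RE = re.compile(r"AccountName=(?P<name>\S+) AccountSid=(?P<sid>\S+) AuthPackage=(?P<pkg>\S+)")


def flag_forged_logons(events, known=KNOWN_ACCOUNTS, domain_sid=DOMAIN_SID):
    """Return (name, sid, reason) for Kerberos logons whose name/SID pairing
    cannot have come from a ticket the KDC issued: either the name is unknown
    to AD, or the RID in the SID belongs to a different account than the name
    claims. Both are exactly the freedoms a forged PAC gives an attacker."""
    findings = []
    for line in events.splitlines():
        m = LINE_RE.search(line)
        # Only Kerberos logons for accounts in our own domain are in scope.
        if not m or m["pkg"] != "Kerberos" or not m["sid"].startswith(domain_sid + "-"):
            continue
        name, sid = m["name"].lower(), m["sid"]
        rid = int(sid.rsplit("-", 1)[1])
        expected_rid = known.get(name)
        if expected_rid is None:
            findings.append((name, sid, "account name does not exist in AD"))
        elif expected_rid != rid:
            findings.append((name, sid, f"RID {rid} belongs to a different account than {name}"))
    return findings


if __name__ == "__main__":
    for name, sid, reason in flag_forged_logons(SAMPLE_EVENTS):
        print(f"SUSPECT {name} {sid}: {reason}")
```

The check only works against a current export of accounts and RIDs, and a forged ticket that copies a real name together with its real RID will pass it; correlating the service host's 4624 events with the absence of a matching 4769 on the domain controllers covers that case.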

  2. Hi Jeff, thank you for the reply. Yes, this matches exactly what I’m seeing. Great set of articles around attacking Kerberos, something I have now added to my Red Team skills 🙂

  3. Hi Jeff.
    Thanks for your articles; they are awesome!
    May I ask for your sources of this knowledge? I’ve been looking for such sources for some time, but couldn’t seem to find them before I came across your article.
    I’m looking forward to hearing from you 🙂
    -Nicolas

    1. Hello Nicolas, I’m glad you’re enjoying the articles! The Silver Ticket information I used for this post came from a few sources. Sean Metcalf has a great comprehensive article on the Silver Ticket here, and the SANS Institute has a very useful article as well here. Doing the Pass-the-Ticket and gaining access using Sqlcmd.exe came through trial and error, so if you’re looking for a good way to evaluate the Silver Ticket attack and how to detect it, I found that to be very effective.
