Pass the Ticket
In overpass-the-hash we obtained a TGT and then used it to authenticate with Kerberos. The drawback is that the TGT can only be used from the machine on which it was generated. Also, if the service account we target is not an administrative account, the previous two methods don't work.
Pass the ticket uses a TGS (service ticket) instead, so once the ticket is generated it can be exported and used from any other machine. This provides the following advantages,
No administrative privileges are required, if the service ticket belongs to the current user
We can choose the machine from which to use the ticket
In the "Creating & Cracking TGS" section we got our hands on the password of the service account. With this we can forge our own service ticket carrying whatever permissions we want; this is called a silver ticket.
The point of this exercise is that we can access any resource this service account has access to.
We also need the Security Identifier (SID) of the domain to create the ticket,
The output will be something like this,
S-1-5-21-1602875587-2787523311-2599479668-1103
and the highlighted text, i.e. everything before the final component (-1103, which is the account's RID), is the domain identifier.
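As an added example, not part of the original notes: a small Python parser for the SID format shown above, which separates the domain SID from the account RID and round-trips the binary (on-the-wire) SID layout. The sample SID is the one from this page; the function names are my own.

```python
import struct


def parse_sid(sid: str) -> tuple[int, int, list[int]]:
    """Split an SDDL string SID ("S-1-5-21-...") into revision, identifier authority and sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not an SDDL SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    sub_auths = [int(p) for p in parts[3:]]
    # Revision is always 1; the authority is a 48-bit value; at most 15 sub-authorities are allowed.
    if revision != 1 or not 0 <= authority < 2**48 or len(sub_auths) > 15:
        raise ValueError(f"out-of-range SID component: {sid!r}")
    return revision, authority, sub_auths


def domain_sid_and_rid(sid: str) -> tuple[str, int]:
    """A domain account SID is <domain SID>-<RID>; the domain SID is everything before the final sub-authority."""
    revision, authority, sub_auths = parse_sid(sid)
    # A domain SID is S-1-5-21-<three 32-bit values>; an account SID appends one RID to it.
    if authority != 5 or len(sub_auths) != 5 or sub_auths[0] != 21:
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in sub_auths[:-1]))
    return domain, sub_auths[-1]


def sid_to_bytes(sid: str) -> bytes:
    """Encode into the binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority as a 32-bit little-endian value."""
    revision, authority, sub_auths = parse_sid(sid)
    header = struct.pack("<BB", revision, len(sub_auths)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in sub_auths)


def sid_from_bytes(data: bytes) -> str:
    """Decode the binary layout back to SDDL form; rejects truncated or inconsistent input."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    sub_auths = struct.unpack("<%dI" % count, data[8:]) if count else ()
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in sub_auths)


if __name__ == "__main__":
    # The SID from this page: the domain SID is the part before the trailing RID 1103.
    print(domain_sid_and_rid("S-1-5-21-1602875587-2787523311-2599479668-1103"))
```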
Once inside mimikatz, execute the following command,
rc4 - the NTLM password hash of the service account. The plaintext password cannot be used; its hash has to be calculated before it can be passed to this command.
The following command can be used to generate the NTLM hash from the password,