I have a question regarding an issue I've been facing for almost 2 weeks now.
I'm doing research on issuing and detecting silver tickets within a network, and in order to achieve that I've created a home lab which consists of the following:
- Domain controller: 192.168.0.10 (silver.local) with (smb\cifs installed)
- Workstation: 192.168.0.5
- Kali VM: 192.168.0.3 (attacker)
I do the following: I do lateral movement from my Kali VM to my workstation with psexec (python3 psexec.py silver.local/Administrator:Password1@192.168.0.5) and I land a shell with user "nt authority\system".
Then I run dir \\192.168.0.10\C$ or \\my-dc.silver.local\C$ and I get access denied.
So with Rubeus (I have sufficient privs to use it as well as mimikatz), I request a TGT with user Administrator and the NTLM hash of the password by running the following command:
Rubeus.exe asktgt /user:Administrator /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:silver.local /dc:my-dc.silver.local /outfile:tgt /nowrap
Then a silver ticket to CIFS using the generated TGT:
Rubeus.exe asktgs /domain:silver.local /dc:my-dc /service:CIFS/my-dc.silver.local /ptt /outfile:cifs /ticket:<tgt hash>
Then I run dir \\192.168.0.10\c$ and I also get access denied, although I used /ptt, which means I already injected the ticket into memory.
I spent so much time debugging and reading various blogs as well as using ChatGPT. But probably I have a problem with my methodology or I have a misconfiguration with something. I don't have any idea how or with which user I can test if the attack works.
A few questions I asked myself:
- Maybe I need a less privileged user in the domain to test on? But if so, how can I use Rubeus then?
- Which hash exactly shall I generate the ticket with? The service hash? Or the silver.local\administrator user's hash?
- If with the CIFS service's hash, how can I get it then?