Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging
Description
This module forges a Kerberos ticket. Four different techniques can be used: - Silver ticket: Using a service account hash, craft a ticket impersonating any user and privileges to that account. - Golden ticket: Using the krbtgt hash, craft a ticket impersonating any user and privileges. - Diamond ticket: Authenticate to the domain controller, and using the krbtgt hash, copy the PAC from the authenticated user to a forged ticket. - Sapphire ticket: Use the S4U2Self+U2U trick to retrieve the PAC of another user, then use the krbtgt hash to craft a forged ticket.
Author(s)
- Benjamin Delpy
- Dean Welch
- alanfoster
- smashery
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/admin/kerberos/forge_ticket
msf auxiliary(forge_ticket) > show actions
...actions...
msf auxiliary(forge_ticket) > set ACTION < action-name >
msf auxiliary(forge_ticket) > show options
...show and set options...
msf auxiliary(forge_ticket) > run 
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security