<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Silver Ticket on LEIKAH</title><link>https://leikah.haoyingcao.xyz/en/tags/silver-ticket/</link><description>Recent content in Silver Ticket on LEIKAH</description><generator>Hugo</generator><language>en</language><atom:link href="https://leikah.haoyingcao.xyz/en/tags/silver-ticket/index.xml" rel="self" type="application/rss+xml"/><item><title>Silver Ticket</title><link>https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/kerberos/silver_ticket/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/kerberos/silver_ticket/</guid><description>&lt;h2 id="theory"&gt;Theory&lt;a class="td-heading-self-link" href="#theory" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Service Tickets (ST)&lt;/strong&gt; are encrypted with a password-derived key of the service account associated with the &lt;strong&gt;service principal&lt;/strong&gt;. If the password of the service account is known to the attacker, e.g. after a successful Kerberoasting, the attacker can derive the key from the password and craft their own service tickets to authenticate as &lt;strong&gt;any user&lt;/strong&gt; to the compromised service principal.&lt;/p&gt;
&lt;h2 id="linux-perspective"&gt;Linux Perspective&lt;a class="td-heading-self-link" href="#linux-perspective" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;We may use &lt;code&gt;ticketer.py&lt;/code&gt; from the Impacket suite to craft a silver ticket as any valid domain user.&lt;/p&gt;</description></item></channel></rss>