Silver Ticket Attack
A Silver Ticket is a forged Kerberos service ticket (TGS) that allows an attacker to authenticate to a specific service on a target machine without needing to interact with the Domain Controller.
It's stealthier than a Golden Ticket because it only affects one service instead of the whole domain.
🛠️ How Silver Tickets Work
Understand Kerberos Authentication
- Normally, a user requests a Ticket Granting Ticket (TGT) from the Domain Controller (KDC).
- With a valid TGT, the user can request a Service Ticket (TGS) to access specific services like CIFS (file sharing) or HTTP (web apps).
- The Domain Controller encrypts this TGS with the service account's NTLM hash.
Silver Ticket Exploit
- Instead of compromising a Domain Controller, you only need to steal the NTLM hash of a service account (like an MSSQL or CIFS account).
- With this hash, you can forge a TGS for that service.
- Since the Domain Controller is not involved, it won’t log the attack (making it stealthy).
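As an added defensive example (not from the original page): because the forged TGS never touches the KDC, a Kerberos network logon on the member server that has no matching 4769 (service ticket requested) on the Domain Controller is the gap to hunt for. The host names, field layout and log lines below are constructed assumptions for illustration.

```python
# Added example: correlate DC 4769 events with member-server 4624 logons.
# Assumes the DC forwards 4769 (Kerberos service ticket requested) and the
# member server forwards 4624 (logon, type 3, Kerberos). Lines are constructed
# as "host|event_id|user|service_or_target|time" for this example only.

# Constructed sample log; the Administrator logon on THEPUNISHER has no 4769.
SAMPLE_LOGS = """\
DC01|4769|tstark|cifs/THEPUNISHER.marvel.local|2024-05-01T09:00:01
THEPUNISHER|4624|tstark|THEPUNISHER|2024-05-01T09:00:02
THEPUNISHER|4624|Administrator|THEPUNISHER|2024-05-01T09:05:10
DC01|4769|pparker|cifs/THEPUNISHER.marvel.local|2024-05-01T09:06:00
THEPUNISHER|4624|pparker|THEPUNISHER|2024-05-01T09:06:01
"""

def parse(lines):
    """Turn the constructed pipe-delimited lines into event dicts."""
    events = []
    for line in lines.strip().splitlines():
        host, eid, user, target, ts = line.split("|")
        events.append({"host": host, "id": int(eid), "user": user,
                       "target": target, "ts": ts})
    return events

def kerberos_logons_without_tgs(events, dc_host="DC01"):
    """Return (user, host) pairs that logged on via Kerberos on a member server
    while the DC never issued a service ticket for that user/host. A silver
    ticket leaves exactly this gap because the KDC is bypassed."""
    issued = set()
    for e in events:
        if e["host"] == dc_host and e["id"] == 4769:
            # cifs/THEPUNISHER.marvel.local -> THEPUNISHER
            spn_host = e["target"].split("/", 1)[1].split(".")[0].upper()
            issued.add((e["user"].lower(), spn_host))
    suspicious = []
    for e in events:
        if e["host"] != dc_host and e["id"] == 4624:
            key = (e["user"].lower(), e["host"].upper())
            if key not in issued:
                suspicious.append(key)
    return suspicious

if __name__ == "__main__":
    print(kerberos_logons_without_tgs(parse(SAMPLE_LOGS)))
```

In production the correlation window must cover the service ticket lifetime (hours by default), and 4769 only exists if Kerberos service ticket auditing is enabled on the DC.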
🛠️ How to Perform a Silver Ticket Attack
1️⃣ Get the NTLM Hash of the Service Account
- You can extract NTLM hashes using Mimikatz, SecretsDump, or other tools.
- Example: If you dump the krbtgt account, use a Golden Ticket instead.
- But for a Silver Ticket, you need the NTLM hash of a specific service account (e.g., MSSQLSvc, CIFS, etc.).
2️⃣ Generate the Silver Ticket
- Use Mimikatz to craft a Silver Ticket:
mimikatz.exe
sekurlsa::pth /user:Administrator /domain:MARVEL.local /ntlm:<service_account_ntlm> /run:cmd.exe
OR
kerberos::golden /domain:MARVEL.local /sid:S-1-5-21-xxxxxxx /target:THEPUNISHER /service:cifs /rc4:<service_account_ntlm> /user:tstark /id:500 /ptt