A Silver Ticket is a forged Service Ticket (TGS) that allows an attacker to authenticate directly to a specific service without interacting with the domain controller. Unlike Golden Ticket attacks which target the KRBTGT account (granting full domain control)—Silver Ticket attacks exploit individual service account password hashes to access targeted services stealthily.
A Silver Ticket is forged using a service account's password hash rather than the KRBTGT hash. This enables attackers to access a specific service (such as CIFS for file shares) without needing a valid TGT from the domain controller. The attack is often more stealthy, as it bypasses the KDC and targets service authentication directly.
Objective:
Obtain the NTLM hash of a service account.
Example:
Use tools like Mimikatz to dump credentials from a compromised machine:
.\\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
(This outputs the NTLM hash for the service account.)
Process:
Use the compromised service account hash to mint a forged Ticket Granting Service (TGS) ticket.
Tool and Example Command:
With Mimikatz, using the kerberos::golden method (specifying the service account hash instead of the KRBTGT hash) along with required parameters:
/domain: Fully qualified domain name
/sid: Domain SID
/user: User to impersonate
/target: FQDN of the target server
/service: Target service name (e.g., cifs)
/rc4: NTLM/RC4 hash of the service account
(This creates and injects the forged Silver Ticket.)
Result:
The forged Silver Ticket is used to access the targeted service (e.g., file shares) without a valid TGT.
Example:
An attacker might use the forged ticket in a new cmd.exe session or via PowerShell to access sensitive resources on a file server.
Objective:
Leverage the access provided by the Silver Ticket to execute code, escalate privileges on the local system, or pivot to additional targets.