A silver ticket is a service ticket modified to give privileges to the attacker. It requires knowledge of the service password (see Kerberoasting); for the purposes of host persistence, the service will be CIFS/SMB, whose principal is the machine account. For more examples of how to use a silver ticket, see Kerberos Attack: Silver Ticket Edition.
Requirements
- Needs the security identifier of the domain
- Needs a service password or password hash
Target SPN for persistence method
- psexec: HOST or CIFS
- winrm: HOST or HTTP
- dcsync (DC only): LDAP
Mimikatz
To create a silver ticket via Mimikatz (ironic that the command is called golden):
- DOMAIN_SID is the SID of the domain. Run whoami /user to get the current domain user's SID, then remove the last 5 characters (the trailing -nnnn, where n is a number).
- /rc4: encrypt the service ticket using RC4 and the service NTLM password hash
- /ptt: inject the ticket into memory
This will create a ticket that mimics a local administrator (RID 500) on the server, with several high-privileged group memberships.
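An added example (not code from the original page) that carries out the DOMAIN_SID step above in Python: it pulls the SID out of whoami /user output and strips the trailing RID, generalized so it works for any RID length rather than a fixed five characters, and reports the RID so that RID 500 accounts can be recognized when reviewing tickets or logon records. The whoami /user output and the SID values in it are constructed samples.

```python
import re

# Simplified Windows SID grammar: S-1-<identifier authority>-<subauthority>(-<subauthority>)*
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> list:
    """Return the sub-authority list of a well-formed SID, or raise ValueError."""
    sid = sid.strip()
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return [int(p) for p in sid.split("-")[3:]]


def domain_sid(account_sid: str) -> str:
    """Strip the RID (the trailing -nnnn the notes refer to) from a domain account SID.

    A domain SID has the shape S-1-5-21-<x>-<y>-<z>; a domain account appends one RID.
    Splitting on '-' instead of cutting a fixed number of characters handles any RID
    length (-500, -1105, -12345 are all valid).
    """
    parts = account_sid.strip().split("-")
    subauths = parse_sid(account_sid)
    if parts[2] != "5" or subauths[:1] != [21] or len(subauths) != 5:
        raise ValueError("not a domain account SID (expected S-1-5-21-x-y-z-RID)")
    return "-".join(parts[:-1])


def rid(account_sid: str) -> int:
    """Return the RID (last sub-authority); 500 is the built-in Administrator RID."""
    return parse_sid(account_sid)[-1]


def sid_from_whoami(output: str) -> str:
    """Pull the first domain SID (S-1-5-21-...) out of raw `whoami /user` output."""
    m = re.search(r"\bS-1-5-21(?:-\d+)+\b", output)
    if not m:
        raise ValueError("no domain SID found in whoami output")
    return m.group(0)


# Constructed sample of `whoami /user` output; the domain name and SID are made up.
SAMPLE_WHOAMI = """
USER INFORMATION
----------------

User Name     SID
============= ==============================================
corp\\alice   S-1-5-21-1111111111-2222222222-3333333333-1105
"""

if __name__ == "__main__":
    user_sid = sid_from_whoami(SAMPLE_WHOAMI)
    print("DOMAIN_SID =", domain_sid(user_sid), "RID =", rid(user_sid))
```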
Rubeus
To create a silver ticket via Rubeus:
To use a silver ticket: