Silver Ticket
Unlike a Golden Ticket, where we forge a TGT using the krbtgt hash, a Silver Ticket attack forges a TGS for a specific service without needing to pwn the KDC or krbtgt. We only need the NTLM hash of the service account.
In a Silver Ticket attack, we forge the TGS to gain access to a service, without needing to compromise a domain controller.
1. We first compromise a service account by obtaining its NTLM hash or Kerberos key.
2. Forge the TGS using Mimikatz.
3. Use the forged TGS to authenticate to the specific service as the compromised account.
Unlike a Golden Ticket, which uses a TGT, a Silver Ticket attack does not require any interaction with the DC, making it stealthier.
Note: A Golden Ticket provides access to any service on any machine, whereas a Silver Ticket only provides access to a particular service on a particular machine. A Golden Ticket could last 6 months, whereas a Silver Ticket expires in 30 days.
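Because the forged TGS never passes through the DC, the missing DC-side record is itself a detection signal. The following is an added example, not part of the original page: it flags Kerberos logons on a service host (event 4624) that no DC-issued service ticket (event 4769) explains. The simplified event schema, the `unbacked_logons` name, the sample events and the 10-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: default AD "maximum lifetime for service ticket" of 10 hours.
TICKET_WINDOW = timedelta(hours=10)

def unbacked_logons(host_events, dc_events, window=TICKET_WINDOW):
    """Kerberos logons on a service host that no DC 4769 (TGS issued) explains."""
    issued = {}  # (user, service account) -> times a DC issued a service ticket
    for e in dc_events:
        if e["event_id"] == 4769 and e["status"] == "0x0":
            user = e["user"].split("@")[0].lower()  # 4769 logs user@REALM
            issued.setdefault((user, e["service"].lower()), []).append(
                datetime.fromisoformat(e["time"]))
    findings = []
    for e in host_events:
        if e["event_id"] != 4624 or e["auth_package"] != "Kerberos":
            continue  # only Kerberos-authenticated logons can carry a service ticket
        seen = datetime.fromisoformat(e["time"])
        key = (e["user"].lower(), e["service_account"].lower())
        if not any(seen - window <= t <= seen for t in issued.get(key, [])):
            findings.append(e)
    return findings

# Constructed sample events in a simplified, hypothetical schema.
DC_EVENTS = [
    {"event_id": 4769, "time": "2024-05-01T09:00:00", "status": "0x0",
     "user": "alice@CORP.EXAMPLE", "service": "SQL01$"},
]
HOST_EVENTS = [
    {"event_id": 4624, "time": "2024-05-01T09:05:00", "auth_package": "Kerberos",
     "user": "alice", "service_account": "SQL01$"},   # backed by the 09:00 ticket
    {"event_id": 4624, "time": "2024-05-01T09:30:00", "auth_package": "Kerberos",
     "user": "bob", "service_account": "SQL01$"},     # no 4769 at all
    {"event_id": 4624, "time": "2024-05-01T09:40:00", "auth_package": "NTLM",
     "user": "carol", "service_account": "SQL01$"},   # not Kerberos, out of scope
    {"event_id": 4624, "time": "2024-05-01T20:30:00", "auth_package": "Kerberos",
     "user": "alice", "service_account": "SQL01$"},   # ticket older than the window
]

if __name__ == "__main__":
    for hit in unbacked_logons(HOST_EVENTS, DC_EVENTS):
        print(f'{hit["time"]} {hit["user"]} -> {hit["service_account"]}: no matching 4769')
```

The correlation is only as good as DC log coverage: a DC whose 4769 events are not collected makes legitimate logons look unbacked.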
Windows:
Linux:
Attack in Practice:
When we have the DC/DA hash, we can create a Silver Ticket that provides access to a service on the DC. Once the ticket is imported, we can get a shell as the DC.