A Silver Ticket attack is a post-exploitation technique involving the forgery of Kerberos Ticket-Granting Service (TGS) tickets, also called service tickets. Unlike a Golden Ticket, which requires the domain's KRBTGT hash to create a Ticket-Granting Ticket (TGT) for unrestricted domain access, a Silver Ticket targets specific services (such as MSSQL, CIFS, or HTTP) hosted on a specific server.
To execute this attack within a CompTIA PenTest+ scenario, a tester must obtain the NTLM hash (or AES key) of the account that runs the target service: a domain service account for an SPN such as MSSQLSvc, or the computer account for host-bound services such as CIFS. The hash is typically obtained by dumping credentials from a host where that account has logged on, or by Kerberoasting the account and cracking its password, from which the NT hash is derived. Using tools like Mimikatz, the attacker then encrypts a forged service ticket with that key. Because the service verifies a ticket only by decrypting it with its own long-term key, the attacker can set the user name, the user's RID, and the group memberships recorded in the ticket's PAC arbitrarily (e.g., Domain Admins); the service then grants whatever rights those groups hold on it, such as local administrator access.
A defining characteristic of the Silver Ticket is its stealth. The forgery happens offline and bypasses the Domain Controller (DC) entirely: no AS-REQ or TGS-REQ/TGS-REP exchange takes place, so the DC records no ticket-issuance events (such as Event ID 4768 or 4769) for this access. The only trace is on the target host itself, which still logs a normal Kerberos network logon (Event ID 4624) under whatever identity the attacker placed in the ticket. This makes the attack difficult to detect with centralized logging that concentrates on DC events. The attack provides persistence and lateral movement limited to the service and host associated with the compromised account key, and only for as long as that account's password is unchanged; computer account passwords rotate every 30 days by default, so a Silver Ticket keyed to a machine account expires with that rotation, whereas a service account with a static password offers longer persistence.
Silver Ticket Attacks: Comprehensive Guide for CompTIA PenTest+
What is a Silver Ticket Attack? A Silver Ticket attack is a post-exploitation technique involving the forgery of a Kerberos Ticket Granting Service (TGS) ticket. Unlike a Golden Ticket, which allows an attacker to create a Ticket Granting Ticket (TGT) for domain-wide access, a Silver Ticket enables an attacker to forge a ticket for a specific service (such as MSSQL, CIFS/File Share, HTTP, or WMI) on a specific host.
Why is it Important? Silver Tickets are critical for persistence and stealth. Because a service ticket is encrypted with the key of the specific service account, anyone holding that key can mint a ticket offline, and the service accepts it without contacting the Domain Controller (KDC): it simply decrypts the ticket with its own key. The attack therefore generates no Kerberos traffic to the DC and leaves no ticket-request logs there, making it harder to detect than standard authentication attempts. One caveat: a service that performs KDC PAC validation sends the PAC signature to a DC for verification, which a forged PAC cannot pass; services running as SYSTEM, Network Service, or Local Service, or holding SeTcbPrivilege, skip this check, which covers most built-in Windows services.
How it Works
1. Compromise: The attacker gains local administrator access to a target server, or otherwise recovers a service account's credential.
2. Credential Dumping: The attacker extracts the NTLM hash (RC4 key) or AES keys of the machine account or of the service account that runs the target application (using tools like Mimikatz), or cracks a Kerberoasted service ticket to recover that account's password.
3. Forgery: The attacker uses the extracted key to forge a TGS ticket offline. The ticket can claim any user identity and group membership (including Domain Admins) but is valid only for the service principal name (SPN) it was encrypted for, on that specific host.
4. Presentation: The attacker presents the forged ticket directly to the target service (for example, by injecting it into the current logon session and then connecting) to gain access.
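The four steps above, carried through as an added worked example (this is not code from the original page, nor from Mimikatz): the attacker derives the service account's RC4 key, which is simply the NT hash (MD4 over the UTF-16LE password, the same value Mimikatz expects in its /rc4: argument), encrypts attacker-chosen ticket contents with Kerberos RC4-HMAC (etype 23, RFC 4757, key usage 2), and the service accepts the ticket by decrypting it with that same key, with no KDC involved. The password Summer2024!, the SID, the RIDs and the JSON ticket body are constructed for illustration; a real ticket is an ASN.1 EncTicketPart carrying a PAC rather than JSON, but the trust relationship is the same: whoever holds the service key can write the ticket.

```python
import hashlib
import hmac
import json
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Implemented inline because hashlib's md4 is often
    disabled on OpenSSL 3 builds (legacy provider)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for fn, idx, sh, k in rounds:
            for i, j in enumerate(idx):
                r = i % 4
                if r == 0:
                    a = _rotl((a + fn(b, c, d) + x[j] + k) & MASK, sh[r])
                elif r == 1:
                    d = _rotl((d + fn(a, b, c) + x[j] + k) & MASK, sh[r])
                elif r == 2:
                    c = _rotl((c + fn(d, a, b) + x[j] + k) & MASK, sh[r])
                else:
                    b = _rotl((b + fn(c, d, a) + x[j] + k) & MASK, sh[r])
        st = [(s + v) & MASK for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is also the Kerberos RC4-HMAC key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


TICKET_KEY_USAGE = 2  # RFC 4120 key usage for a ticket's enc-part under the service key


def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """RFC 4757 RC4-HMAC: checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    conf = confounder or os.urandom(8)
    checksum = hmac.new(k1, conf + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, conf + plaintext)


def rc4_hmac_decrypt(key, usage, blob):
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum, body = blob[:16], blob[16:]
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plain = rc4(k3, body)
    if not hmac.compare_digest(checksum, hmac.new(k1, plain, hashlib.md5).digest()):
        raise ValueError("integrity check failed: ticket was not encrypted with this key")
    return plain[8:]  # drop the 8-byte confounder


def forge_silver_ticket(service_key, user, domain_sid, user_rid, group_rids):
    """Attacker side. The JSON body is a constructed stand-in for EncTicketPart + PAC
    (illustration only, not real ASN.1); every field is chosen by the attacker."""
    enc_part = {"cname": user, "domain_sid": domain_sid, "user_rid": user_rid, "groups": group_rids}
    return rc4_hmac_encrypt(service_key, TICKET_KEY_USAGE, json.dumps(enc_part).encode())


def service_accepts(service_key, ticket):
    """Service side: decrypt with its own long-term key and trust the contents.
    Nothing is sent to the KDC, so the DC logs nothing for this access."""
    return json.loads(rc4_hmac_decrypt(service_key, TICKET_KEY_USAGE, ticket))


def demo():
    svc_key = nt_hash("Summer2024!")  # constructed svc_sql password, e.g. cracked after Kerberoasting
    ticket = forge_silver_ticket(svc_key, "Administrator", "S-1-5-21-111-222-333", 500, [512, 513, 519])
    return service_accepts(svc_key, ticket)
```

demo() returns the attacker-chosen identity exactly as the service would read it. Decrypting the same ticket with a different key (the service account's password after rotation, for instance) fails the HMAC check, which is why step 2 must recover the key currently in use and why rotating the service account password invalidates outstanding Silver Tickets.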
Exam Tips: Answering Questions on Silver Ticket Attacks To correctly answer PenTest+ questions regarding this topic, focus on the differences between Silver and Golden tickets:
1. Identify the Hash: If the question mentions extracting the Service Account Hash or Computer Account Hash, the answer is Silver Ticket. If the question mentions the KRBTGT hash, the answer is Golden Ticket.
2. Identify the Scope: If the attacker gains access only to a specific resource (like a database or file share) rather than the whole domain, it is a Silver Ticket.
3. Interaction with KDC: If the scenario highlights that the attacker did not contact the Domain Controller (KDC) to obtain the ticket, or that the attack was performed 'offline' relative to the DC, identify it as a Silver Ticket.
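Detection logic for the stealth property described in the summary, the "Why is it Important?" paragraph and exam tip 3 (a forged ticket produces no 4769 on any DC but still produces a 4624 Kerberos logon on the target host), as an added example that is not part of the original page: it correlates host logon events with DC ticket-issuance events and reports Kerberos network logons for which no DC ever issued a matching service ticket. The sample events, host names, the SPN ownership table and the field names are constructed for this illustration; in a real pipeline they come from forwarded Windows Security logs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), normalised from Windows Security
# logs: 4769 = service ticket issued (logged on a DC), 4624 = logon succeeded (target host).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "DC01", "id": 4769,
     "account": "jsmith@CORP.LOCAL", "service": "SQL01$"},
    {"ts": "2024-03-01T09:00:07", "host": "SQL01", "id": 4624, "logon_type": 3,
     "auth_pkg": "Kerberos", "account": "jsmith", "src_ip": "10.0.5.21"},
    {"ts": "2024-03-01T10:15:00", "host": "DC01", "id": 4769,
     "account": "svc_backup@CORP.LOCAL", "service": "svc_sql"},
    {"ts": "2024-03-01T10:15:02", "host": "SQL01", "id": 4624, "logon_type": 3,
     "auth_pkg": "Kerberos", "account": "svc_backup", "src_ip": "10.0.5.30"},
    # No DC ever issued Administrator a ticket for SQL01: Silver Ticket candidate.
    {"ts": "2024-03-01T11:30:00", "host": "SQL01", "id": 4624, "logon_type": 3,
     "auth_pkg": "Kerberos", "account": "Administrator", "src_ip": "10.0.9.77"},
    # NTLM logon: outside the scope of this rule.
    {"ts": "2024-03-01T11:31:00", "host": "SQL01", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "account": "backup", "src_ip": "10.0.9.78"},
]

DOMAIN_CONTROLLERS = {"DC01"}
# Accounts whose SPNs resolve to each host: the machine account plus any domain
# service account running a service there (a 4769 names one of these as Service Name).
SPN_OWNERS = {"SQL01": {"SQL01$", "svc_sql"}}
# A ticket may be presented any time before it expires (default MaxTicketAge 10h),
# so the 4769 lookup must span the whole lifetime, not just a few seconds.
TICKET_LIFETIME = timedelta(hours=10)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def silver_ticket_candidates(events, dcs=DOMAIN_CONTROLLERS, spn_owners=SPN_OWNERS,
                             lifetime=TICKET_LIFETIME):
    """Return 4624 Kerberos network logons that no DC issued a service ticket for."""
    issued = [e for e in events if e["id"] == 4769 and e["host"] in dcs]
    findings = []
    for e in events:
        if e["id"] != 4624 or e.get("auth_pkg") != "Kerberos" or e.get("logon_type") != 3:
            continue
        user = e["account"].lower()
        owners = {o.lower() for o in spn_owners.get(e["host"], {e["host"] + "$"})}
        t = _ts(e)
        backed = any(
            i["account"].split("@")[0].lower() == user
            and i["service"].lower() in owners
            and t - lifetime <= _ts(i) <= t
            for i in issued
        )
        if not backed:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for f in silver_ticket_candidates(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']}: Kerberos logon by {f['account']} from {f['src_ip']} with no DC-issued ticket")
```

On the sample data only the Administrator logon is reported. The rule is only as good as DC log coverage: if any DC's 4769 events are missing from the pipeline, every legitimate logon it served looks forged (the test below shows this by treating no host as a DC), so confirm complete forwarding from all DCs before trusting a hit, and keep the lookup window at least as long as the domain's ticket lifetime.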