Silver tickets
Theory
The long-term key of a service account can be used to forge a Service ticket that can later be used with Pass-the-ticket to access that service. In a Silver Ticket scenario, an attacker will forge a Service Ticket containing a PAC that features arbitrary information about the requesting user, effectively granting lots of access.
Practice
When forging tickets, before November 2021 updates, the user-id
and groups-ids
were useful but the username
supplied was mostly useless. As of Nov. 2021 updates, if the username
supplied doesn't exist in Active Directory, the ticket gets rejected. This also applies to Silver Tickets.
In order to craft a silver ticket, testers need to find the target service account's RC4 key (i.e. NT hash) or AES key (128 or 256 bits). This can be done by capturing an NTLM response (preferably NTLMv1) and cracking it, by dumping LSA secrets, by doing a DCSync, etc.
"While the scope is more limited than Golden Tickets, the required hash is easier to get and there is no communication with a DC when using them, so detection is more difficult than Golden Tickets." (adsecurity.org)
The Impacket script ticketer can create silver tickets.
# Find the domain SID
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0
# with an NT hash
python ticketer.py -nthash "$NT_HASH" -domain-sid "$DomainSID" -domain "$DOMAIN" -spn "$SPN" "username"
# with an AES (128 or 256 bits) key
python ticketer.py -aesKey "$AESkey" -domain-sid "$DomainSID" -domain "$DOMAIN" -spn "$SPN" "username"
The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, cifs/target.domain
or host/target.domain
will allow most remote dumping operations (more info on adsecurity.org).
A great, stealthier, alternative to silver ticket is to abuse S4U2self in order to impersonate a domain user with local admin privileges on the target machine by relying on Kerberos delegation instead of forging everything.