GOLDEN TICKET ATTACK

A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) that allows you to impersonate any user in the domain, including Domain Admins — and it’s based on stealing the KRBTGT account’s NTLM hash.

Think of the KRBTGT hash as the master key to the entire Kerberos kingdom. If you steal it, you forge your own passport and cross any border in the AD forest.

  • It’s valid across the entire domain.
  • You can impersonate any user, including Domain Admins or Enterprise Admins.
  • You don’t even need to contact the Domain Controller after forging the ticket.
  • It can be stealthy, because logs won’t show standard authentication.

Prerequisites:

  1. Domain compromise: you must have admin or SYSTEM rights on a Domain Controller (or access to a memory dump of one).
  2. Extract the KRBTGT account’s NTLM hash.
  3. Have the SID of the domain (you’ll use this in the ticket).
  4. Forge a TGT with Mimikatz or Rubeus.

Gain SYSTEM access on a Domain Controller via any means (RDP, remote code execution, etc.).

With Mimikatz:

lsadump::lsa /inject

You’ll see:

Username: krbtgt
Hash NTLM: 88bca90e50a6e8...

You’ll also need:

  • Domain name: security.local
  • Domain SID: S-1-5-21-... (you can get this via Mimikatz or whoami /user)
  • Username to impersonate: Administrator

Then forge the ticket:

kerberos::golden /user:Administrator /domain:security.local /sid:S-1-5-21-... /krbtgt:<NTLM HASH> /id:500

Mimikatz will generate a TGT and inject it into memory.

Now you have a valid TGT as Administrator. You can access:

  • File shares
  • Remote shells
  • DC replication via DCSync
  • Admin consoles
  • Anything your forged user can access

SILVER TICKET ATTACK

A Silver Ticket is a forged Service Ticket (TGS) for a specific service (like CIFS, HTTP, MSSQL), but unlike the Golden Ticket, it doesn’t require the KRBTGT hash — just the service account hash.

Instead of forging a passport, you’re forging just one entry visa — valid only for one destination, like \\SQLServer\C$.

  • Can be more stealthy than Golden Tickets — you don’t talk to the KDC (Domain Controller).
  • Easier to obtain: you only need a service account’s NTLM hash (e.g., for MSSQLSvc, HTTP, etc.).
  • Used in Kerberoasting follow-ups.

Prerequisites:

  1. Dump the NTLM hash of a service account (via Kerberoasting or an LSASS dump).
  2. Know the SPN (Service Principal Name), e.g., HTTP/webserver.security.local.
  3. Know the domain SID and domain name.
  4. Use Mimikatz or Rubeus to forge a TGS ticket.

Let’s say you cracked a Kerberoasted service account svcSQL with this SPN:

MSSQLSvc/sqlserver.security.local:1433

You now have the NT hash of svcSQL. Forge the service ticket:

kerberos::silver /domain:security.local /sid:S-1-5-21-... /target:sqlserver.security.local /service:MSSQLSvc /rc4:<NTLM HASH> /user:svcSQL

Once injected, Windows treats your forged TGS as legit. You can now:

  • Connect to SQL
  • Mount file shares
  • Execute code over SMB

The domain controller is not involved at this stage. The app server just trusts the TGS.

Limitations:

  • Only works against the targeted service, not the whole domain.
  • If the service validates the TGS with the KDC (rare, but possible), it could fail.
  • Easier to detect via service-specific logs or abnormal ticket lifetimes.
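Both attacks show up in the DC’s Kerberos telemetry as gaps rather than entries: a Golden Ticket is used although the DC never issued a TGT for that account, and a Silver Ticket is used although the DC never issued a service ticket. The following added example (not from the original post) correlates constructed Windows Security events to surface both gaps; field names follow the Security log schema, the 10-hour TGT lifetime is the domain default, and every event is a constructed sample.

```python
"""Added detection example: correlate constructed Kerberos audit events.
Golden indicator: the DC logs a 4769 (TGS request) for an account with no 4768
(TGT issued) within the TGT lifetime, because the TGT was forged, not issued.
Silver indicator: a host logs a Kerberos 4624 logon with no matching 4769 from
the DC, because the forged TGS never touched the KDC."""
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)          # default domain maximum TGT lifetime
CORRELATION_WINDOW = timedelta(minutes=10)  # TGS issued on DC -> logon on host

def _t(ev): return datetime.fromisoformat(ev["time"])

def golden_ticket_indicators(dc_events):
    """(account, time) of 4769s with no 4768 for that account within TGT_LIFETIME."""
    tgt_times, hits = {}, []
    for ev in sorted(dc_events, key=_t):
        acct, t = ev["TargetUserName"].lower(), _t(ev)
        if ev["EventID"] == 4768:
            tgt_times.setdefault(acct, []).append(t)
        elif ev["EventID"] == 4769 and not any(
                t - TGT_LIFETIME <= x <= t for x in tgt_times.get(acct, [])):
            hits.append((acct, ev["time"]))
    return hits

def silver_ticket_indicators(dc_events, host_events):
    """(account, host) of Kerberos 4624 logons with no 4769 for that account in the window."""
    issued = [(e["TargetUserName"].lower(), _t(e)) for e in dc_events if e["EventID"] == 4769]
    hits = []
    for ev in host_events:
        if ev["EventID"] != 4624 or ev["AuthenticationPackageName"] != "Kerberos":
            continue
        acct, t = ev["TargetUserName"].lower(), _t(ev)
        if not any(a == acct and t - CORRELATION_WINDOW <= it <= t for a, it in issued):
            hits.append((acct, ev["Computer"].lower()))
    return hits
# Constructed samples: alice authenticates normally; "Administrator" requests a
# TGS although no TGT was ever issued; bob logs on to sqlserver with no TGS issued.
DC_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "time": "2024-05-01T08:00:00"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "SQLSERVER$", "time": "2024-05-01T08:05:00"},
    {"EventID": 4769, "TargetUserName": "Administrator", "ServiceName": "DC01$", "time": "2024-05-01T09:00:00"},
]
HOST_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "AuthenticationPackageName": "Kerberos",
     "Computer": "sqlserver.security.local", "time": "2024-05-01T08:06:00"},
    {"EventID": 4624, "TargetUserName": "bob", "AuthenticationPackageName": "Kerberos",
     "Computer": "sqlserver.security.local", "time": "2024-05-01T10:00:00"},
]
def run_checks():
    return golden_ticket_indicators(DC_EVENTS), silver_ticket_indicators(DC_EVENTS, HOST_EVENTS)
```

Matching the silver check on account alone is deliberately coarse; mapping the 4769 ServiceName to the host that logged the 4624 tightens it in a real deployment.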

Golden vs Silver Ticket Comparison

| Feature | Golden Ticket | Silver Ticket |
|---|---|---|
| Forged Ticket Type | TGT (Ticket Granting Ticket) | TGS (Service Ticket) |
| Requires DC Hash? | Yes (krbtgt) | No, just service account hash |
| Scope | Full domain access (impersonation) | Single service on a single host |
| Stealth | High (if done right) | Even stealthier (no KDC contact) |
| Detection Difficulty | High | Hard (but logs on service may catch) |
| Useful For | Domain dominance, DCSync, persistence | Post-Kerberoasting or service attacks |

When to Use These Attacks

| Scenario | Attack to Use |
|---|---|
| Full domain compromise | Golden Ticket |
| Only have a cracked service account | Silver Ticket |
| Need stealthy access to SQL/FileSrv | Silver Ticket |
| Persistence after initial RCE | Golden or Silver |

Tools Used for Ticket Forging

  • Mimikatz: The OG weapon. kerberos::golden and kerberos::silver
  • Rubeus: Modern .NET tool — great for OPSEC and automation.
    • Use /ticket or /ptt to inject forged tickets
  • Impacket’s ticketer.py: For Python-based Golden Ticket forging:
    ticketer.py -nthash <krbtgt_hash> -domain-sid <SID> -domain security.local Administrator

Summary

  • A Golden Ticket gives you god-mode in a domain.
  • A Silver Ticket gives you stealthy access to specific services.
  • Both are post-exploitation attacks — they require prior access.
  • Mastering these means understanding Kerberos inside out.
