Silver Ticket

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.

Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.

Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.

Example

As mentioned, Silver Tickets can be dangerous in their own way: since the TGS is forged and not associated with a TGT, the DC is never contacted. Yes, it is limited to whatever service it is targeted at, but that can be sufficient to reach your goals. Since the event log entries can be spoofed and are all written on the targeted server rather than the DC, this makes it very difficult to track.

Silver Tickets are forged Kerberos Ticket Granting Service (TGS) tickets, also called service tickets. As shown in the following graphic, there is no AS-REQ / AS-REP and no TGS-REQ / TGS-REP communication with the Domain Controller. Since a Silver Ticket is a forged TGS, there is no communication with a Domain Controller.
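From the defender's side, the absence of DC communication is itself the detection signal: a Kerberos network logon recorded on the member server (Event ID 4624, logon type 3) that has no matching service ticket request on the domain controller (Event ID 4769) within the ticket's lifetime is a candidate silver ticket. The following correlation is an added example, not code from the original page; the server name, timestamps, accounts and the 10-hour window are constructed assumptions.

```python
# Added example: correlate member-server Kerberos logons (4624) with DC TGS
# requests (4769). A forged silver ticket produces a 4624 on the target with no
# 4769 on the DC, because the KDC was never contacted. All events are constructed.
from datetime import datetime, timedelta

# Constructed DC security events: 4769 = a Kerberos service ticket was requested.
DC_EVENTS = [
    {"id": 4769, "time": "2024-05-01T10:00:05", "account": "Dwinchester@DC.LOCAL",
     "service": "cifs/FILESRV01.dc.local", "client_ip": "10.0.0.25"},
]

# Constructed events from the member server FILESRV01: 4624 = successful logon.
SERVER_EVENTS = [
    {"id": 4624, "time": "2024-05-01T10:00:07", "account": "Dwinchester",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.25"},
    {"id": 4624, "time": "2024-05-01T11:30:00", "account": "Jwinchester",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.25"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_unbacked_logons(server_events, dc_events, window_hours=10):
    """Return server Kerberos network logons with no 4769 for the same account
    on the DC in the preceding window. The window covers the default 10-hour
    service ticket lifetime (assumption; tune to the domain's policy)."""
    tgs_requests = [e for e in dc_events if e["id"] == 4769]
    suspicious = []
    for event in server_events:
        if (event["id"] != 4624 or event["logon_type"] != 3
                or event["auth_pkg"] != "Kerberos"):
            continue
        logon_time = _ts(event["time"])
        user = event["account"].split("@")[0].lower()
        backed = any(
            req["account"].split("@")[0].lower() == user
            and logon_time - timedelta(hours=window_hours) <= _ts(req["time"]) <= logon_time
            for req in tgs_requests
        )
        if not backed:
            suspicious.append(event)
    return suspicious


if __name__ == "__main__":
    for hit in find_unbacked_logons(SERVER_EVENTS, DC_EVENTS):
        print(f"possible forged TGS: {hit['account']} at {hit['time']} from {hit['src_ip']}")
```

In production the same join is done in the SIEM across all DCs, since the 4769 may land on any KDC in the site; a gap in DC log collection will otherwise show up as false positives.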

In this scenario we have a share that is inaccessible to the domain user we currently hold, DC\Dwinchester. But we are aware of another user that can access it.

Jwinchester, since that user is part of the Data Engineers group.

And that folder has permissions for that user. We can see that our current user has no permission to even check the permissions themselves.

Since it's a DB folder, we look for a user that has DB permissions; we already know this is the case for Jwinchester.

John is the perfect candidate, so now let's get a ticket for this account. We will use a tool to grab SPNs.

And request the ticket.

We will then export the tickets and crack them offline. Crack the ticket and convert the recovered password to an NTLM hash; for demo purposes this is already done.

Create the Silver Ticket

And remember the share we had no access to? We can now enumerate the files on the share.
