Silver tickets


The long-term key of a service account can be used to forge a Service ticket that can later be used with Pass-the-ticket to access that service. In a Silver Ticket scenario, an attacker will forge a Service Ticket containing a PAC that features arbitrary information about the requesting user, effectively granting lots of access.


When forging tickets, before November 2021 updates, the user-id and groups-ids were useful but the username supplied was mostly useless. As of Nov. 2021 updates, if the username supplied doesn't exist in Active Directory, the ticket gets rejected. This also applies to Silver Tickets.

In order to craft a silver ticket, testers need to find the target service account's RC4 key (i.e. NT hash) or AES key (128 or 256 bits). This can be done by capturing an NTLM response (preferably NTLMv1) and cracking it, by dumping LSA secrets, by doing a DCSync, etc.

"While the scope is more limited than Golden Tickets, the required hash is easier to get and there is no communication with a DC when using them, so detection is more difficult than Golden Tickets." (

The Impacket script ticketer can create silver tickets.

# Find the domain SID -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0

# with an NT hash
python -nthash $NThash -domain-sid $DomainSID -domain $DOMAIN -spn $SPN $Username

# with an AES (128 or 256 bits) key
python -aesKey $AESkey -domain-sid $DomainSID -domain $DOMAIN -spn $SPN $Username

The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on

A great, stealthier, alternative is to abuse S4U2self in order to impersonate a domain user with local admin privileges on the target machine by relying on Kerberos delegation instead of forging everything.


Last updated