Silver Tickets: Forging a VIP Access Pass

What is a Silver Ticket?

A Silver Ticket is a forged Kerberos ticket that an attacker creates to gain unauthorized access to a specific service (like a file server, database, or web application) without needing to go through the normal authentication process.

In simple terms, it’s like forging a VIP pass to a private event. Instead of going through security and checking in like everyone else, you make your own fake pass that lets you in. The catch is, this fake pass (Silver Ticket) only works for a specific service (e.g., the email server or database) and doesn’t give you access to everything on the network.

Why is a Silver Ticket Dangerous?

  1. Bypass Normal Authentication:
    • A Silver Ticket allows the attacker to bypass normal authentication, meaning they don’t need to ask for permission or go through the KDC (Key Distribution Center), the system responsible for authenticating users. This makes the attack harder to spot.
  2. Access to Specific Services:
    • The attacker can create a Silver Ticket for a service like SQL Server or Exchange Server, even if they don’t have the original credentials or TGT (Ticket Granting Ticket).
  3. Impersonating Legitimate Users:
    • By forging a Silver Ticket, the attacker can impersonate a legitimate user (for example, a service account) and access sensitive services without being detected by traditional security methods.
  4. Can Be Used for Lateral Movement:
    • Once inside the system, the attacker can use the Silver Ticket to move around or escalate their privileges on other services.

How Does a Silver Ticket Work?

Steps to Create and Use a Silver Ticket:

  1. Obtain a Service Account Password:
    • First, the attacker needs to compromise or crack the password of a service account. This can be done using methods like Kerberoasting (which we discussed earlier) or other means like stealing the credentials through phishing or exploiting weak passwords.
    • Example: The attacker gets access to the password of a SQL Server service account.
  2. Forge a Silver Ticket:
    • Using tools like Mimikatz or Rubeus, the attacker can forge a Silver Ticket for the service they want to access (e.g., SQL Server, Exchange Server).
    • This Silver Ticket looks like a real ticket, but it’s fake because it was created by the attacker using the compromised password of the service account.
  3. Access the Service:
    • The attacker presents the Silver Ticket to the service (like SQL Server). Since the ticket looks valid to the service, the service grants access.
    • The attacker can now interact with the service just like a legitimate user, even though they never went through the proper authentication channels.
  4. Perform Actions with Service Privileges:
    • The attacker can use the access they’ve gained through the Silver Ticket to perform actions like stealing data, modifying configurations, or gaining further access to other systems within the network.

Real-World Example of a Silver Ticket Attack:

Imagine you work as an attacker trying to break into a company’s network.

  1. Step 1 – Get the Service Account Password:
    • You identify a service running on the network, like a SQL Server, and find out it’s using a service account named SQLService. You crack the password for the SQLService account through Kerberoasting or some other method.
  2. Step 2 – Forge the Silver Ticket:
    • With the cracked password for SQLService, you use a tool like Mimikatz to create a Silver Ticket that works for the SQL Server. This ticket looks like it was issued by the network’s authentication system, but it’s a fake that you created yourself.
  3. Step 3 – Use the Silver Ticket to Access the Service:
    • You now take this Silver Ticket and present it to the SQL Server. The server decrypts it and believes you are a legitimate user because the ticket looks valid.
  4. Step 4 – Perform Actions with Access:
    • Now, you have full access to the SQL Server. You can steal sensitive company data, change configurations, or even use the compromised account to escalate your privileges further into the network.

Why is a Silver Ticket Dangerous?

  1. No Need for Domain Admin Access:
    • Unlike Golden Tickets, which require the attacker to have access to the KRBTGT account (the master key), Silver Tickets only require the attacker to have the password of a specific service account. This makes them easier to create and harder to detect.
  2. Bypassing Authentication:
    • Silver Tickets bypass the normal login process entirely. The attacker doesn’t need to authenticate through the central KDC. This means they can access services without triggering alerts or going through the proper channels.
  3. Limited Scope:
    • While Silver Tickets are limited to a specific service, they can still be incredibly valuable. If the service account has high privileges or can access sensitive data, the attacker can cause serious damage.
  4. Hard to Detect:
    • Because the ticket is created using legitimate credentials (the service account’s password), the system might not realize anything is wrong until the attacker has already gained access.
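Because a forged service ticket never passes through the KDC, a Kerberos logon on the service host has no matching ticket event on the domain controllers. The following is an added example, not part of the original post: it correlates constructed, already-normalized Windows events (4624 on the service host, 4769/4770 on the DCs); the event layout, host name and account inventory are assumptions.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # Active Directory default service-ticket lifetime
CLOCK_SKEW = timedelta(minutes=5)      # Kerberos default tolerance between hosts
ISSUANCE_IDS = {4769, 4770}            # DC events: service ticket requested / renewed

# Assumption: inventory of which accounts run the services on each monitored host.
HOST_SERVICE_ACCOUNTS = {"SQL01": {"sqlservice", "sql01$"}}

# Constructed, already-normalized events (DC 4769/4770 and service-host 4624).
EVENTS = [
    {"id": 4769, "time": "2024-05-01T08:00:00", "user": "alice@CORP.LOCAL", "service": "SQLService"},
    {"id": 4624, "time": "2024-05-01T08:00:05", "host": "SQL01", "user": "alice", "logon_type": 3, "auth": "Kerberos"},
    {"id": 4624, "time": "2024-05-01T09:30:00", "host": "SQL01", "user": "administrator", "logon_type": 3, "auth": "Kerberos"},
    {"id": 4769, "time": "2024-04-30T20:00:00", "user": "bob@CORP.LOCAL", "service": "SQLService"},
    {"id": 4624, "time": "2024-05-01T09:00:00", "host": "SQL01", "user": "bob", "logon_type": 3, "auth": "Kerberos"},
    {"id": 4624, "time": "2024-05-01T09:45:00", "host": "SQL01", "user": "carol", "logon_type": 3, "auth": "NTLM"},
]

def account(name):
    """Reduce 'alice@CORP.LOCAL' or 'CORP\\alice' to 'alice'."""
    return name.split("@")[0].split("\\")[-1].lower()

def unmatched_kerberos_logons(events, host_accounts=HOST_SERVICE_ACCOUNTS):
    """Return Kerberos network logons with no KDC-issued ticket covering them."""
    issued = {}  # (user, service account) -> issuance times seen on the DCs
    for e in events:
        if e["id"] in ISSUANCE_IDS:
            key = (account(e["user"]), e["service"].lower())
            issued.setdefault(key, []).append(datetime.fromisoformat(e["time"]))
    findings = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] != 3 or e["auth"] != "Kerberos":
            continue  # only network logons authenticated with a Kerberos ticket
        if e["host"] not in host_accounts:
            continue  # no inventory for this host, so it cannot be evaluated
        when, user = datetime.fromisoformat(e["time"]), account(e["user"])
        covered = any(
            -CLOCK_SKEW <= when - t <= TICKET_LIFETIME
            for svc in host_accounts[e["host"]]
            for t in issued.get((user, svc), ())
        )
        if not covered:
            findings.append((e["time"], e["host"], user))
    return findings

if __name__ == "__main__":
    for finding in unmatched_kerberos_logons(EVENTS):
        print("no matching 4769/4770:", *finding)
```

Findings are leads, not verdicts: tickets issued before the DC log window begins, or gaps in DC log collection, produce the same pattern.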

Diagram of a Silver Ticket Attack:

[Diagram: how a Silver Ticket works]

Steps in the Diagram:

  1. Get Service Account Password: The attacker cracks the password for a service account like SQLService.
  2. Forge a Silver Ticket: The attacker creates a Silver Ticket using the password they cracked.
  3. Present Silver Ticket: The attacker presents the forged ticket to the SQL Server.
  4. Gain Access: The SQL Server grants access to the attacker because the forged ticket looks legitimate.

How to Prevent Silver Ticket Attacks:

  1. Use Strong Passwords:
    • Service accounts should have complex, unique passwords. Weak passwords make it easier for attackers to forge Silver Tickets.
  2. Monitor Service Accounts:
    • Regularly check and audit service accounts for suspicious activity. Keep an eye out for any unusual ticket requests.
  3. Restrict Service Account Privileges:
    • Service accounts should only have the minimum privileges necessary for the service to run. If the service account doesn’t need to access sensitive data, it shouldn’t be able to.
  4. Use Managed Service Accounts:
    • Managed Service Accounts (MSAs) automatically handle password changes and help prevent password reuse and weak passwords in Active Directory.
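The four measures above can be checked against a directory export. This added example (not from the original post) audits a constructed inventory; the record layout, the 365-day threshold and the privileged-group list are assumptions, and password age stands in for password strength, which the directory cannot report.

```python
from datetime import date

# Assumed policy values for this example.
MAX_PASSWORD_AGE_DAYS = 365
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
# objectClass values of standalone and group Managed Service Accounts.
MANAGED_CLASSES = {"msDS-ManagedServiceAccount", "msDS-GroupManagedServiceAccount"}

# Constructed inventory; pwdLastSet is shown as an ISO date for readability.
ACCOUNTS = [
    {"sAMAccountName": "SQLService", "objectClass": "user", "pwdLastSet": "2019-03-01",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"], "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc-web$", "objectClass": "msDS-GroupManagedServiceAccount", "pwdLastSet": "2024-04-20",
     "servicePrincipalName": ["HTTP/web01.corp.local"], "memberOf": []},
    {"sAMAccountName": "svc-backup", "objectClass": "user", "pwdLastSet": "2024-03-15",
     "servicePrincipalName": ["backup/bk01.corp.local"], "memberOf": ["Backup Operators"]},
    {"sAMAccountName": "alice", "objectClass": "user", "pwdLastSet": "2018-01-01",
     "servicePrincipalName": [], "memberOf": []},
]

def audit_service_accounts(accounts, today):
    """Map each service account to the hardening gaps found for it."""
    report = {}
    for a in accounts:
        if not a["servicePrincipalName"]:
            continue  # only accounts that run Kerberos services (have SPNs) are in scope
        issues = []
        if a["objectClass"] not in MANAGED_CLASSES:
            issues.append("not a managed service account")
            # Managed accounts rotate automatically; age matters for manual ones.
            age = (today - date.fromisoformat(a["pwdLastSet"])).days
            if age > MAX_PASSWORD_AGE_DAYS:
                issues.append(f"password {age} days old")
        privileged = PRIVILEGED_GROUPS & {g.lower() for g in a["memberOf"]}
        if privileged:
            issues.append("member of " + ", ".join(sorted(privileged)))
        if issues:
            report[a["sAMAccountName"]] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit_service_accounts(ACCOUNTS, date(2024, 5, 1)).items():
        print(f"{name}: {'; '.join(issues)}")
```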

Summary of Silver Tickets:

  • A Silver Ticket is a forged Kerberos ticket that grants access to a specific service.
  • It allows an attacker to bypass normal authentication and access services without needing domain-wide access.
  • The attacker cracks a service account password, forges a ticket for that service, and gains unauthorized access.

Silver Tickets are dangerous because they can give attackers access to high-privilege services and are harder to detect.

Aegiron
