This attack includes forging a cracked TGS Kerberos ticket in order to impersonate another user and escalate privileges from the perspective of a service the TGS was cracked for.
On the last step of the process when the client sends a TGS to the service that is where we can send a forged TGS and get access directly to the service and get a service ticket using this method.
Silver ticket abuses the part of Kerberos authentication where a client sends a Valid TGS to get a service ticket. So if an attacker knows the hash of the service account he can forge a fake service ticket with it. Kerberos will trust it since it can be decrypted by the service as its signed by the NTLM hash of the service.
downside of this attack is at unlike golden ticket which gives us access to everything.
A silver ticket will only allow us access to a particular service or all the services that are running with the same service account.
Another disadvantage of this attack is if the service account is a machine account or a user account. If the password of the account changes this attack will fail. Since we wont have the correct hash of the user/machine account usually it changes within 30 days for machines.
We would generally target these services when it comes to performing a silver ticket attack. CIFS (file system), HOST ( can schedule tasks ), RPCSS Host (runs wmi), WSman/http (ps remoting) all of these use the machine account as there service account.
Dumping Password Hash
If an attacker can gain admin rights to the computer (to gain debug access) or be able to run code as local System, the attacker can dump the AD computer account password hash from the system using Mimikatz (the NTLM password hash is used to encrypt RC4 Kerberos tickets)
run this with admin privileges to load mimikatz into memory and dump user hashes:
