Kerberos Silver Ticket Attack

Kerberos is an authentication protocol that creates tickets encrypted with account keys to verify identity and permissions. A ticket contains user, computer, or service account credentials that are encrypted with a cipher algorithm. Every domain controller (DC) in an Active Directory (AD) domain has a Kerberos Key Distribution Center (KDC) service for issuing ticket-granting tickets (TGTs) and a ticket-granting service (TGS) for creating service tickets. These tickets act as a cryptographic proof of identity. A user must have valid TGT and service tickets to access services such as file shares, printers, and databases. A valid service ticket is encrypted with a service account key. If an attacker manages to steal a service account key (1), the attacker can bypass the service ticket to create a forged service ticket, which is known as a silver ticket. A silver ticket is created by running a command in a Windows exploit tool, such as Mimikatz or Impacket (2). The silver ticket is encrypted with the stolen account key and might include fake domain administrator credentials. When the attacker wants to access a service, they send a Kerberos AP_REQ message with the silver ticket to the service (3). The service trusts the silver ticket and gives access to the attacker posing as a domain administrator.