rubeus_silver
Forge a Kerberos silver ticket to access a specific service using a service account hash, enabling persistence without contacting the domain controller.
Instructions
Forge a Silver Ticket (forged TGS with service account hash).
Creates a service ticket for a specific service. Requires:
- Service account hash
- Service SPN
- Domain information
Silver tickets grant access to a specific service without touching the DC.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| id | No | User ID (RID) | |
| des | No | Service account DES key | |
| ptt | No | Pass-the-ticket to current session | |
| rc4 | No | Service account RC4/NTLM hash | |
| sid | No | Domain SID | |
| ldap | No | Retrieve info via LDAP | |
| sids | No | Extra SIDs for SID history | |
| user | Yes | Username for the forged ticket | |
| cname | No | Client name | |
| aes128 | No | Service account AES128 key | |
| aes256 | No | Service account AES256 key | |
| crealm | No | Client realm | |
| domain | Yes | Domain FQDN | |
| groups | No | Group SIDs to include | |
| krbkey | No | Kerberos session key | |
| nowrap | No | Don't wrap base64 output | |
| outfile | No | Output file for ticket | |
| service | Yes | Target service SPN | |
| s4uproxytarget | No | S4U proxy target | |
| s4utransitedservices | No | S4U transited services | |