Written by Jaryeong Kim
Edited by Anne Cutler
Reviewed by Darren Guccione
A ticket in cybersecurity is a set of credentials used to authenticate users. A silver ticket is a forged ticket an unauthorized user creates. With this forged silver ticket, threat actors can launch a cyber attack that involves exploiting the weaknesses of a Kerberos authentication system. In this system, a Ticket Granting Service (TGS) serves as the credential token, granting authorized users access to particular services. If an attacker is successful, the forged silver ticket enables them to impersonate the service account and gain access to network resources.
A golden ticket is also used in a cyber attack that forges authentication tickets for impersonators to gain access. But, rather than impersonating a specific service like a silver ticket, a golden ticket impersonates an entire domain controller. This means that if an unauthorized user has a golden ticket, they have broader access to any services within the domain.
Both silver and gold tickets are types of forged tickets that exploit the Kerberos authentication protocol. The main difference between these two lies in the level of access unauthorized users gain.
Here are the five steps an attacker takes to execute a silver ticket attack.
1. The attacker compromises an account: For a silver ticket attack to occur, an attacker must gain access to an authorized user’s account. The attacker can compromise an account by cracking weak passwords through brute force attacks, phishing or malware.
2. The attacker extracts service information: Once the attacker enters the network, they look for valuable service information such as the Security Identifier (SID) and Domain Name System (DNS).
3. The attacker obtains the NTLM hash: The NTLM hash is derived from the impersonated user’s password and is the key to encrypt and decrypt forged service tickets. The attacker can obtain the NTLM hash through offline cracking, also known as kerberoasting.
4. The attacker forges the ticket: Using the NTLM hash, the attacker will forge a valid ticket-granting service to authenticate themselves to a specific service.
5. The attacker gains and exploits access: When the attacker successfully forges the ticket, they gain full access to the service. In most cases, attackers won’t just stop there and will move laterally within the network.
Here are four tips to help prevent silver ticket attacks.
The principle of least privilege is a fundamental principle in cybersecurity that advocates granting users and systems access to resources only necessary for their job tasks. When an organization follows the PoLP and limits access rights, it reduces the window for cybercriminals to enhance their privileges if they compromise the network.
A silver ticket attack cannot happen without an attacker compromising an authorized account associated with the organization. Every employee account should be secured with a strong and unique password so it can’t be easily guessed or cracked. The best way for organizations to oversee employee password practices is by investing in a business password manager. Password managers provide IT admins with visibility and control over employee password habits so their organization is better protected against password-related attacks.
Multi-factor authentication adds an extra layer of security to accounts by requiring that users verify their identity using other authentication methods in addition to their username and password. Organizations must enforce the use of MFA because this security measure makes compromising accounts more difficult. One study from Microsoft found that enabling MFA can block over 99.9% of account compromise attacks.
Regularly monitoring and overseeing the authentication traffic for your organization’s network is a proactive measure. This practice will allow your organization to detect and mitigate unusual activity early on, before further damage occurs.
A Privileged Access Management (PAM) solution can help your organization stay protected against silver ticket attacks by managing and controlling privileged accounts. PAM reduces the likelihood of threat actors accessing privileged accounts as it provides administrators with robust tools to protect them.
KeeperPAM is a solution that implements least privilege access and robust security through its zero-knowledge and zero-trust architecture. KeeperPAM is a combination of three essential Identity and Access Management (IAM) solutions, Enterprise Password Manager (EPM), Keeper Secrets Manager (KSM) and Keeper Connection Manager (KCM). Together, they reduce an organization’s attack surface by providing visibility and security over privileged accounts.
Ready to get started with KeeperPAM? Request a demo today.
You May Also Like
Cybercriminals gather personal information about their targets by using social engineering techniques, looking at social media accounts and collecting data that gets leaked from public data breaches. The more personal information a cybercriminal can collect about...
Choose Language