A penetration tester has obtained the NTLM hash of a service account during an internal test. The tester wants to gain access to a specific SQL server that uses Kerberos authentication. The tester does not know the plaintext password. Which attack is MOST appropriate to forge a service ticket for the SQL server?
The Silver Ticket attack creates a forged TGS ticket for a specific service using the service account's hash, granting access to that service.
Why this answer
A Silver Ticket attack is the most appropriate because it forges a service ticket (TGS) for one specific service, here the SQL server, using the NTLM hash of that service's account. Since the tester holds the NTLM hash but not the plaintext password, they can craft a valid Kerberos service ticket offline and present it directly to the SQL server, with no need to authenticate to the domain controller, which grants access to that service.
Exam trap
Candidates often confuse Silver Ticket attacks (forging service tickets) with Golden Ticket attacks (forging TGTs). The key distinction is that a Silver Ticket targets a single service using that service account's hash, while a Golden Ticket grants domain-wide access using the KRBTGT account hash.
How to eliminate wrong answers
Option B (Golden Ticket attack) is wrong because it forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash, which grants domain-wide access, not a targeted service ticket for a specific SQL server.
Option C (Pass-the-hash attack) is wrong because it reuses an NTLM hash to authenticate over NTLM, but the SQL server uses Kerberos authentication, which requires a Kerberos ticket, not an NTLM hash directly.
Option D (SMB relay attack) is wrong because it relays captured NTLM authentication to another service, but the goal is to forge a Kerberos service ticket, not relay NTLM challenges.