During an internal penetration test you dump the NTLM hash of svc-file$, the service account that registers the CIFS SPN for FILE01.corp.local. Your goal is to open the hidden administrative share on FILE01 while keeping Kerberos traffic off the domain controller so that Event IDs 4768 and 4769 are not generated. Working only with Rubeus on your foothold system, which approach meets these requirements most effectively?
Export a computer certificate from FILE01 and use PKINIT to authenticate to the share
Forge a silver ticket for the CIFS service on FILE01 using the service account hash and inject it locally
Request an S4U constrained-delegation ticket for Administrator and pass it to FILE01
Create a golden ticket with the KRBTGT hash to obtain domain-wide access, then request a CIFS ticket
Rubeus can forge a silver ticket when you possess the service account's NTLM or AES key. A silver ticket is a forged service ticket (TGS) built offline and encrypted with the service account's key, so it can be presented directly to the target service (here, CIFS on FILE01) without ever contacting the KDC; because no AS-REQ or TGS-REQ reaches the domain controller, no 4768 or 4769 events are generated there. The other options fail at least one requirement: a golden ticket requires the KRBTGT hash and still involves a TGS request for the CIFS ticket, S4U constrained delegation is a KDC exchange that is logged as 4769, and PKINIT requires a valid certificate and produces a 4768 on the domain controller. From a defensive standpoint, the absence of domain-controller events means detection of a silver ticket depends on the target host's own security log (the logon events recorded on FILE01) rather than on KDC telemetry.