Rapid7 Vulnerability & Exploit Database

Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging

Back to Search

Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging



This module forges a Kerberos ticket. Four different techniques can be used: - Silver ticket: Using a service account hash, craft a ticket impersonating any user and privileges to that account. - Golden ticket: Using the krbtgt hash, craft a ticket impersonating any user and privileges. - Diamond ticket: Authenticate to the domain controller, and using the krbtgt hash, copy the PAC from the authenticated user to a forged ticket. - Sapphire ticket: Use the S4U2Self+U2U trick to retrieve the PAC of another user, then use the krbtgt hash to craft a forged ticket.


  • Benjamin Delpy
  • Dean Welch
  • alanfoster
  • smashery


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/kerberos/forge_ticket
msf auxiliary(forge_ticket) > show actions
msf auxiliary(forge_ticket) > set ACTION < action-name >
msf auxiliary(forge_ticket) > show options
    ...show and set options...
msf auxiliary(forge_ticket) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security