Golden ticket
The Golden Ticket attack is a persistence technique that lets an attacker impersonate any user on the domain by forging a TGT. A TGT is encrypted and signed with the key of the KRBTGT account, so a TGT forged with that key is indistinguishable to the KDC from a real one: once the rogue TGT exists, the attacker can request service tickets for any service in the domain as the user the TGT was created for, and it keeps working until the KRBTGT password has been changed twice.
Elements needed:
KRBTGT NT hash (or its AES key)
SID of the domain
Username to impersonate
The domain FQDN
STEPS - Remotely with Impacket
1. Get the KRBTGT hash
This is the hardest part to obtain: dumping the KRBTGT secret requires Domain Admin rights, or at least an account with directory replication rights (DCSync). Mimikatz (lsadump::dcsync) or the impacket-secretsdump script can do it; secretsdump's -just-dc-user krbtgt option replicates only that one account from the DC.
2. Get the domain SID
With the PowerView module loaded on the target system, run Get-DomainSID. The value has the form S-1-5-21-<x>-<y>-<z>; an account SID from whoami /user is the same value with the account's RID appended, so dropping the last component also works. From the attacking machine, impacket-lookupsid prints the domain SID as well.
3. Use impacket-ticketer to create the ticket remotely, passing the KRBTGT hash, the domain SID, the domain FQDN and the username to impersonate. The ticket is written to <username>.ccache in the current directory.
4. Point the KRB5CCNAME environment variable at the .ccache file so Impacket picks the forged ticket up.
5. Log in as the impersonated user with impacket-psexec or impacket-wmiexec using -k -no-pass (Kerberos authentication, no password prompt).
Kerberos needs the target by name, not by IP address, so adding the target's hostname and the domain to /etc/hosts (and keeping the clock within 5 minutes of the DC) avoids a lot of bugs.