Golden Tickets

As explained the most powerful account on the DC the KRBTGT Account this account is used to create TGT to any service in the Domain Controller, all that is needed (Easy to say) is to compromise the Domain Controller or use any other attack (DCSync) to grab the password hash of this account we can then use mimikatz to create and inject the Ticket to any service that is desired and this attack, is incredible for avoiding logs since these are legitimate TGTs.

Let's see this attack in action, after all the enumeration and all the hacking with all your setup you managed to get a shell on the DC (Domain Controller) and you grab a user, and this user has Administrator Access.

Here we continue with mimikatz and request the hashes for the KRBTGT user. We can see that there are old hashes and the most current one available for the user.


lsadump::lsa /inject /name:krbtgt

On the Kali terminal you will need to make this a one-liner so that the mimkatz binary exits properly.

mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" exit

Continuing with the attack now we will request a Golden ticket and create a fake user this user will have total access to the DC and other machines, so from here the fake user created will have to permissions to list the fodlers of the domain controller. It makes no sense to do this attack since the DC and a high level user has been compromised but this is a great opportunity to avoid detection as these forged tickets are legitimate tickets created by the KRBTGT account.


mimikatz.exe "kerberos::golden /domain:dc1.dominioncyber.local /sid:S-1-5-21-4198639423-1025486511-2226459690 /rc4:a8bbd83cc1ded03f7db3b07d78e95036 /user:Youllnevercatchme /id:500 /ptt"

Let's confirm our assumptions.

We can list the DC directories and the user was authenticated to it as well, the Ticket is saved in the session and with mimikatz I used the msic::cmdcommand to prompt open a new cmd window with the session in memory this is also a great way to Privesc or to Maintain Persistence on a machine.

Recommended to have an RDP Session as for the new cm window will not be shown from the Atacker machine

Last updated