Golden Ticket

ABOUT

A Golden Ticket is a forged Kerberos TGT that an attacker can create after obtaining the KRBTGT account hash from Active Directory. With it they can impersonate any user, including domain administrators, and gain unrestricted access to services across the domain, because Active Directory never has to validate the user's existence or group membership. The ticket contains a Privilege Attribute Certificate (PAC) that defines the user's identity and privileges, and Windows trusts that PAC without cross-checking it against the domain controller.

ExtraSIDs [LINK] can be included in the PAC to simulate inherited privileges, such as previous group memberships, enabling privilege escalation even for accounts that no longer have those roles.

Prerequisites

  1. KRBTGT NT hash of the child domain (the example obtains it with DCSync, which assumes the child domain is already fully compromised; forging requires that level of access)

  2. SID for the child domain

  3. Name of a target user in the child domain (the account does not need to exist; a made-up name such as "hacker" works)

  4. FQDN of the child domain
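Because the forged ticket may name a user that does not exist and is built from the KRBTGT NT hash (an RC4 key), defenders have two cheap indicators in Windows Security event 4769 (Kerberos service ticket request). The following is an added example, not part of the original page: it scans constructed 4769 records and flags requests for accounts absent from an assumed directory export, plus RC4 tickets where AES is expected; the flattened field layout, the account lists and the sample records are all assumptions.

```python
import re
from typing import Iterable

# Constructed sample 4769 (service ticket request) records, not real logs.
SAMPLE_EVENTS = """\
TargetUserName=alice@FIA.RIOTECH.LOCAL ServiceName=cifs/fs01 TicketEncryptionType=0x12 IpAddress=10.0.0.15
TargetUserName=hacker@FIA.RIOTECH.LOCAL ServiceName=cifs/fs01 TicketEncryptionType=0x17 IpAddress=10.0.0.99
TargetUserName=bob@FIA.RIOTECH.LOCAL ServiceName=ldap/dc01 TicketEncryptionType=0x17 IpAddress=10.0.0.20
TargetUserName=svc_legacy@FIA.RIOTECH.LOCAL ServiceName=MSSQLSvc/sql01 TicketEncryptionType=0x17 IpAddress=10.0.0.30
"""

# Assumed directory snapshot: sAMAccountNames that actually exist in the child
# domain. A forged TGT can name any user, so a name absent here is a strong signal.
KNOWN_ACCOUNTS = {"alice", "bob", "svc_legacy"}
# Accounts documented as still needing RC4; everything else should use AES.
RC4_ALLOWED = {"svc_legacy"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one flattened 4769 record into a field -> value dict."""
    return dict(FIELD.findall(line))


def check_event(ev: dict) -> list:
    """Return indicator labels for one record (empty list if clean)."""
    user = ev.get("TargetUserName", "").split("@", 1)[0].lower()
    findings = []
    if user not in KNOWN_ACCOUNTS:
        findings.append("nonexistent-account")
    # A TGT forged from the KRBTGT NT hash uses RC4; 0x17 in an AES-only
    # domain is a commonly used but weak signal (legacy accounts produce it too).
    if ev.get("TicketEncryptionType", "").lower() == "0x17" and user not in RC4_ALLOWED:
        findings.append("rc4-ticket-in-aes-domain")
    return findings


def scan(lines: Iterable[str]) -> dict:
    """Map each flagged TargetUserName to the indicators it triggered."""
    flagged = {}
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            hits = check_event(ev)
            if hits:
                flagged[ev["TargetUserName"]] = hits
    return flagged


if __name__ == "__main__":
    for user, why in scan(SAMPLE_EVENTS.splitlines()).items():
        print(f"{user}: {', '.join(why)}")
```

Against the constructed sample, "hacker" is flagged on both indicators, "bob" only on the RC4 heuristic, and the two clean accounts are not reported.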

LINUX

Preparing

1. Obtaining the KRBTGT Account's NT Hash

impacket-secretsdump riotech.local/rio@13.13.13.13 -just-dc-user FIA/krbtgt

2. Brute-force SIDs in the Domain

The tool first enumerates the domain SID over LSARPC, then brute-forces the last component of each SID (the RID).

In the same way you can grep for the groups you are interested in, or look up well-known SIDs on this site [LINK].

Forging

Add Ticket to Memory

All-In-One

Impacket also ships raiseChild, which automates escalating from a child domain to the parent domain. Specify the target domain controller and credentials for an administrative user in the child domain, and the script does the rest.

WINDOWS

Preparing

1. Obtaining the KRBTGT Account's NT Hash

2. Get SID of Child Domain

PowerView

Forging

The /sids option is for the ExtraSIDs attack, explained here [LINK].

Mimikatz

Rubeus

Check Ticket in Memory

RESOURCES

Common SIDs