Golden Ticket
Intro
The Golden Ticket attack is an example of a Pass-the-Ticket attack. The most infamous Kerberos attack, the Golden Ticket, is itself a Kerberos ticket, but with some important differences.
In order to create a valid TGT (with a valid PAC) we would require the target LT key and the KDC LT key. In the case of a TGT these keys are identical (krbtgt). We would thus have to obtain the NTLM hash of the krbtgt account (RC4) or its AES key.
When a golden ticket is used, the first interaction with the DC is a TGS-REQ for a service ticket using the forged TGT (the golden ticket). There is no prior credential submission and no AS-REQ/AS-REP exchange.
The differences between a golden ticket and other tickets (including the silver ticket) are:
It is created without any interaction with the DC. This is possible because Kerberos is a stateless protocol: the KDC does not keep track of the TGTs it has previously issued.
It requires obtaining the KDC long-term key (which is not easy to get).
It is typically a TGT for an administrative account (RID 500 in the domain, or a domain administrator).
It is typically valid for a long time (10 years by default).
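As an added example (not part of the original notes), a small correlation check over constructed Windows Security log events from a domain controller: because a golden ticket is never issued by the KDC, its first visible use is a TGS-REQ (event 4769) with no preceding TGT issuance (4768) or renewal (4770) for the same account and client. The event shapes and sample values are assumptions constructed for this example; the 10-hour window is the default TGT lifetime.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields from a DC
# (not real log data). 4768 = TGT requested (AS-REQ), 4770 = TGT renewed,
# 4769 = service ticket requested (TGS-REQ).
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-01-10T08:00:00", "account": "alice", "client": "10.0.0.21"},
    {"id": 4769, "time": "2024-01-10T08:00:05", "account": "alice", "client": "10.0.0.21", "service": "cifs/fs01"},
    {"id": 4768, "time": "2024-01-10T07:30:00", "account": "bob", "client": "10.0.0.22"},
    {"id": 4770, "time": "2024-01-10T17:00:00", "account": "bob", "client": "10.0.0.22"},
    {"id": 4769, "time": "2024-01-10T18:10:00", "account": "bob", "client": "10.0.0.22", "service": "ldap/dc01"},
    # No 4768/4770 for this account from this host: the KDC never issued the TGT being presented.
    {"id": 4769, "time": "2024-01-10T09:15:00", "account": "Administrator", "client": "10.0.0.99", "service": "cifs/dc01"},
]

DEFAULT_TGT_LIFETIME = timedelta(hours=10)  # domain default MaxTicketAge


def _ts(s):
    return datetime.fromisoformat(s)


def find_orphan_tgs_requests(events, max_age=DEFAULT_TGT_LIFETIME):
    """Return 4769 events with no 4768/4770 for the same (account, client) within max_age.

    A TGT the KDC issued or renewed leaves a 4768/4770 trail; a golden ticket is forged
    offline, so its first use shows up as a bare TGS-REQ.
    """
    issued = {}  # (account, client) -> latest time the KDC issued or renewed a TGT
    orphans = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        key = (ev["account"].lower(), ev["client"])
        t = _ts(ev["time"])
        if ev["id"] in (4768, 4770):
            issued[key] = t
        elif ev["id"] == 4769:
            last = issued.get(key)
            if last is None or t - last > max_age:
                orphans.append(ev)
    return orphans


if __name__ == "__main__":
    for ev in find_orphan_tgs_requests(SAMPLE_EVENTS):
        print(f"{ev['time']} {ev['account']}@{ev['client']} -> {ev['service']}: "
              "TGS-REQ without matching TGT issuance")
```

Logs must cover at least one full TGT lifetime (and renewals up to the renewal limit) before the first 4769, or legitimately cached TGTs will also be flagged.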
Creating a Golden Ticket
With mimikatz we can create a Golden Ticket if we have the following information:
KDC LT key (e.g. the krbtgt NTLM hash)
Domain admin account name
SID of the domain admin account
All of these values can be obtained by any user in the domain, except for the KDC LT key.
Assuming that we have gained access to the administrator NTLM hash, we can move on with the attack.
Now we can get a shell with admin privileges:
Or using PsExec: