Golden Ticket Attacks
Golden Ticket Attacks: What Is It?
A Golden Ticket attack is one of the most powerful attacks against a Kerberos-based authentication system such as Active Directory (AD). The Key Distribution Center (KDC) encrypts every Ticket Granting Ticket (TGT) with the key of the krbtgt account, so an attacker who obtains that key (in practice its NTLM hash) can forge a TGT for any user with any group membership, and every domain controller will accept it as genuine. The forged TGT gives the attacker access to any resource in the domain, and it stays valid until the krbtgt password is reset; because the KDC also accepts tickets encrypted with the previous krbtgt password, the reset has to be done twice to invalidate forged tickets.
Golden Ticket Attack: Process Overview
Compromise the krbtgt Account:
The attacker first needs the NTLM hash of the krbtgt account, the service account whose key the KDC uses to encrypt TGTs in an Active Directory (AD) domain. Reading it requires domain-admin-level access: either code execution as SYSTEM on a domain controller, or an account with directory replication rights (the DCSync technique, lsadump::dcsync in Mimikatz). Running Mimikatz on a domain controller, the lsadump::lsa command with /inject reads the account secrets straight out of the LSA process:
lsadump::lsa /inject /name:krbtgt

The output includes the krbtgt user's SID and NTLM hash. The domain SID needed in the next step is the user SID without its final component (the RID 502 of krbtgt).
Forge a Golden Ticket:
With the krbtgt NTLM hash and the domain SID, the attacker uses the kerberos::golden command in Mimikatz to forge a TGT for any account name, for example admin. The account does not even have to exist, because the KDC trusts whatever the ticket says once it decrypts correctly with the krbtgt key:
kerberos::golden /user:admin /domain:marvel.local /sid:23412341234 /krbtgt:43gro9gro2qer /id:500 /ptt

Here /sid is the domain SID (a real one has the form S-1-5-21-...; the values shown are placeholders), /krbtgt is the NTLM hash from the previous step, /id:500 sets the user RID to that of the built-in Administrator, and /ptt injects the ticket into the current logon session instead of writing it to a file. By default Mimikatz adds the Domain Admins and other privileged groups (RIDs 512, 513, 518, 519 and 520) to the ticket and gives it a ten-year lifetime. Running klist afterwards shows the injected ticket.

Access Domain Resources:
Once the forged TGT is in the session, the attacker can request service tickets for any host in the domain. Mimikatz's misc::cmd command (a Mimikatz module, not an Impacket tool) spawns a command prompt that inherits the injected ticket, and from it the attacker can reach machines with ordinary Windows tooling. For example, the attacker can list the administrative C$ share of a remote machine (e.g., THEPUNSIER):
misc::cmd
dir \\THEPUNSIER\c$

This lists the contents of the C$ administrative share on the THEPUNSIER machine, which only administrators can normally read.
Using PsExec for Remote Command Execution:
From that same command prompt the attacker can use Sysinternals PsExec to execute commands on the remote machine, because PsExec authenticates over SMB with the Kerberos ticket already present in the session:
psexec.exe \\THEPUNSIER cmd.exe
This opens a remote shell on the THEPUNSIER machine, running with administrator rights because the forged ticket carries Domain Admins membership. The same can be done from Linux with Impacket's psexec.py: write the ticket to a file with /ticket: instead of /ptt, convert the .kirbi file to a credential cache with Impacket's ticketConverter.py, point KRB5CCNAME at it, and pass -k -no-pass so psexec.py authenticates with the cached ticket.
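The following is an added example, not code from the original page: a small Python script a defender can run over the output of klist on a suspect host to spot a ticket forged with the procedure above. It flags three tell-tale signs: a TGT lifetime longer than the domain's maximum (Mimikatz defaults to ten years, while the AD default policy, assumed here, is ten hours), RC4-HMAC encryption on a TGT in a domain that issues AES tickets (a ticket forged from the NTLM hash is RC4), and a TGT that was never fetched from a KDC (injected with /ptt, so klist records no Kdc Called). The klist text, hostnames, principals and times in the script are constructed for this example; a real deployment would capture klist output from the host instead.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the layout of Windows `klist` output; the
# principals, hostnames and times are made up for this example.
SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: jdoe @ MARVEL.LOCAL
        Server: krbtgt/MARVEL.LOCAL @ MARVEL.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/15/2024 9:00:00 (local)
        End Time:   1/15/2024 19:00:00 (local)
        Renew Time: 1/22/2024 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.marvel.local

#1>     Client: admin @ marvel.local
        Server: krbtgt/marvel.local @ marvel.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/15/2024 9:30:00 (local)
        End Time:   1/13/2034 9:30:00 (local)
        Renew Time: 1/13/2034 9:30:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

# Assumed policy value: AD's default "Maximum lifetime for user ticket" is 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Only the fields the checks need; one "Key: value" per line in klist output.
FIELD_RE = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Kdc Called):\s*(.*?)\s*$",
    re.M,
)
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def _parse_time(value):
    # klist prints e.g. "1/15/2024 9:00:00 (local)"; drop the suffix before parsing.
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def parse_klist(text):
    """Split klist output into one dict per cached ticket ("#n>" starts a ticket)."""
    tickets = []
    for chunk in re.split(r"(?m)^#\d+>", text)[1:]:
        fields = {k: v for k, v in FIELD_RE.findall(chunk)}
        tickets.append({
            "client": fields.get("Client", ""),
            "server": fields.get("Server", ""),
            "etype": fields.get("KerbTicket Encryption Type", ""),
            "start": _parse_time(fields.get("Start Time", "")),
            "end": _parse_time(fields.get("End Time", "")),
            "kdc_called": fields.get("Kdc Called", ""),
        })
    return tickets


def golden_ticket_indicators(ticket, max_tgt_lifetime=MAX_TGT_LIFETIME, domain_uses_aes=True):
    """Return the reasons a cached TGT looks forged; an empty list means nothing odd."""
    reasons = []
    if not ticket["server"].lower().startswith("krbtgt/"):
        return reasons  # service tickets are not examined here, only TGTs
    lifetime = ticket["end"] - ticket["start"]
    if lifetime > max_tgt_lifetime:
        reasons.append(f"TGT lifetime {lifetime} exceeds policy maximum {max_tgt_lifetime}")
    if domain_uses_aes and "RC4" in ticket["etype"].upper():
        reasons.append("TGT is RC4-HMAC encrypted although the domain issues AES tickets")
    if not ticket["kdc_called"]:
        reasons.append("no KDC was contacted for this TGT (Kdc Called is empty)")
    return reasons


def scan(text):
    """Return [(client principal, [reasons]), ...] for every ticket in klist output."""
    return [(t["client"], golden_ticket_indicators(t)) for t in parse_klist(text)]


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_KLIST):
        print(f"{client}: {'SUSPICIOUS' if reasons else 'ok'}")
        for reason in reasons:
            print("  -", reason)
```

The RC4 check assumes the domain has moved to AES ticket encryption; in a domain that still issues RC4 tickets, pass domain_uses_aes=False and rely on the other two indicators. None of the three is proof on its own (a long-lived ticket can come from an unusual policy), but a TGT that trips all three matches exactly what the kerberos::golden command above produces.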