# Golden tickets

Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by a Key Distribution Center (KDC). The attacker gains control over the domain's KDC account (the KRBTGT account) by stealing its NTLM hash. This allows the attacker to forge Ticket Granting Tickets (TGTs) for any account in the Active Directory domain. With a forged TGT, the attacker can request service tickets for any resource or system in the domain from the Ticket Granting Service (TGS), since the TGS trusts any TGT encrypted with the KRBTGT key.

Now here goes nothing:

First we need to retrieve some information about the domain and the KRBTGT account. We need:

* Domain name
* Domain SID
* NTLM password hash of the domain KRBTGT account
* User ID (RID) of the account to impersonate

The NTLM hash of the **krbtgt** account can be obtained via the following methods, for example:

1. DCSync (Mimikatz)
2. LSA (Mimikatz)
3. Hashdump (Meterpreter)
4. NTDS.DIT
5. DCSync (Kiwi)

DCSync is a Mimikatz feature that impersonates a domain controller and requests account password data from the targeted domain controller through the normal directory replication protocol. This technique is less noisy than the alternatives because it requires neither direct access to the domain controller nor retrieving the NTDS.DIT file over the network.

```
lsadump::dcsync /user:krbtgt
```

Alternatively, Mimikatz can retrieve the hash of the krbtgt account from the Local Security Authority (LSA) when executed on the domain controller itself.

```
privilege::debug
lsadump::lsa /inject /name:krbtgt
```

Once you have gathered the information listed above, still in Mimikatz:

```
kerberos::golden /User:random_user /domain:domain.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /id:500 /ptt
```

You should see a cmd prompt open, and tada, you can do a lot of stuff starting from there. Note that the ticket above is issued for the name `random_user` with RID 500 (the built-in Administrator): the account name in the forged ticket does not have to exist in the directory, and the KDC never issued that TGT.
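As an added defensive example (not from the original page or any of the referenced projects): a toy detector for exactly the scenario above. A forged TGT is never issued by the KDC, so the domain controller logs no 4768 (TGT requested) for it, yet the attacker still presents it to obtain service tickets, which are logged as 4769 (TGS requested); a ticket forged with `/User:random_user` also names an account the directory has never seen. The event IDs 4768/4769 are the real Windows security event IDs; the log format, account list, time window and client IPs are constructed for this demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a directory export of existing sAMAccountNames.
DOMAIN_ACCOUNTS = {"alice", "bob", "svc_sql", "administrator"}
# A 4769 with no 4768 for the same account/client within a TGT lifetime is suspect.
# 10 hours matches the default AD TGT lifetime; adjust to the domain's policy.
TGT_WINDOW = timedelta(hours=10)

# Constructed log lines, one event per line: "<ISO timestamp> <event id> <account> <client ip>"
SAMPLE_LOG = """\
2024-01-10T08:00:00 4768 alice 10.0.0.5
2024-01-10T08:01:00 4769 alice 10.0.0.5
2024-01-10T09:15:00 4769 random_user 10.0.0.99
2024-01-10T09:16:00 4769 administrator 10.0.0.99
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, event_id, account, client_ip)."""
    events = []
    for line in text.splitlines():
        ts, eid, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), account.lower(), ip))
    return events


def find_suspicious_tgs(events, accounts=DOMAIN_ACCOUNTS, window=TGT_WINDOW):
    """Return (account, client_ip, reason) for 4769 events that look like a forged TGT."""
    tgt_times = defaultdict(list)  # (account, ip) -> timestamps of 4768 events
    for ts, eid, account, ip in events:
        if eid == 4768:
            tgt_times[(account, ip)].append(ts)

    findings = []
    for ts, eid, account, ip in events:
        if eid != 4769:
            continue
        # Forged tickets may carry a name that exists nowhere in the directory.
        if account not in accounts:
            findings.append((account, ip, "account does not exist in directory"))
            continue
        # A real TGT leaves a 4768 from the same client shortly before the 4769.
        recent = [t for t in tgt_times[(account, ip)] if t <= ts and ts - t <= window]
        if not recent:
            findings.append((account, ip, "TGS request with no TGT issued by KDC"))
    return findings
```

In a real domain the 4768/4769 pairing must be correlated across all domain controllers, since the TGT and the service ticket may be requested from different DCs; treat the result as a triage signal, not proof.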

**References:**

{% embed url="https://en.hackndo.com/kerberos-silver-golden-tickets/" %}

**Good reads:**

{% embed url="https://adsecurity.org/?p=1640" %}

{% embed url="https://adsecurity.org/?p=483" %}

{% embed url="https://adsecurity.org/?p=556" %}
