🎟️Golden Ticket Attacks

It is called a "golden ticket" because it provides the attacker with unrestricted access to the domain, similar to a VIP pass or a "golden ticket" to a concert or event.

A golden ticket is created by using the Kerberos Authentication Service (AS) REP and Ticket Granting Service (TGS) REP tickets to create a forged Kerberos Ticket-Granting Ticket (TGT). The TGT is then used to request additional service tickets, allowing the attacker to access any resource in the domain without authentication.

To attack golden tickets we'll use mimikatz:

lsadump::lsa /inject /name:krbtgt

The command lsadump::lsa /inject /name:krbtgt is used to extract the Kerberos Ticket-Granting Ticket (TGT) for the Krbtgt account from the LSASS (Local Security Authority Subsystem Service) process on a Windows system.

The /inject option specifies that the command should inject a DLL (Dynamic Link Library) into the LSASS process to extract the T. This is a more advanced technique than simply reading the TGT from memory

The /name:krbtgt option specifies that the command should extract TGT for the Krbtgt account. The Krbtgt account is a highly privileged account used by the Kerberos authentication protocol to issue TGTs for users and services in the domain. By extracting the TGT for the Krbtgt account, the attacker can create a golden ticket and use it to gain unauthorized access to domain.

To make this attack succesfull, we need the krbtgt hash and the domain SID

once those are known

kerberos::golden /User:Administrator /domain:marvel.local /sid:[SID NUMBER] /id:500

The SID for the KRBTGT account is S-1-5--502 and lives in the Users OU in the domain by default. Microsoft does not recommend moving this account to another OU.