kerberos::golden
can be used to forge golden and silver tickets. It can also be used to forge inter-realm tickets using trust keys. It has the following command line arguments:

/domain: the Active Directory domain (the domain of the user to impersonate)
/sid: the SID of the Active Directory domain that holds the user's hash
/sids: the extra SID of the domain to target during SIDHistory spoofing
/user: the username to impersonate; keep in mind that Administrator is not the only name for this well-known account
/ticket: save the ticket to a .kirbi file
/groups: IDs of the groups the user belongs to (the first is the primary group, comma-separated). Default is 513,512,520,518,519 for the well-known Administrators groups
/id: the user RID. The default value is 500 (local administrator)
/target: the server/computer name where the service is hosted (ex: share.server.local, sql.server.local:1433)
/service: the service name for the silver ticket (ex: cifs, rpcss, http, mssql)
/ptt: inject the generated golden ticket into memory
/startoffset: the start offset when the ticket is available. Default is 0
/endin: the ticket's lifetime in minutes. The default value is 10 years; the default Active Directory Kerberos policy is 10 hours
/renewmax: the ticket's maximum renewal lifetime in minutes. The default value is 10 years; the default Active Directory Kerberos policy is 7 days
/krbtgt: specify the krbtgt RC4 key
/des: the DES key to be used
/rc4: the RC4 key to be used
/aes128: the AES128 key to be used. More opsec safe
/aes256: the AES256 key to be used. More opsec safe
/rodc: for generating a golden ticket with the krbtgt hash of a Read Only Domain Controller

To obtain the trust keys, lsadump::trust /patch has to be used. Depending on the forest trust relationship, using the trust key instead of the krbtgt account can be stealthier, since most defense mechanisms monitor the krbtgt account.
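Added defender-side example, not part of this reference and not mimikatz code: it checks for the two indicators the arguments above imply, a ticket whose lifetime or renewal window exceeds the default 10-hour/7-day policy (the tool's 10-year defaults) and an RC4 ticket where the domain is expected to issue AES. The klist-style entry, the 4769 fields passed as a dict, and the CORP.LOCAL domain are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Default AD Kerberos policy cited above: 10-hour ticket life, 7-day maximum renewal.
POLICY_TICKET_LIFE = timedelta(hours=10)
POLICY_RENEW_LIFE = timedelta(days=7)
RC4_HMAC = 0x17  # "Ticket Encryption Type" value event 4769 records for RC4-HMAC tickets

# Constructed klist-style entry (CORP.LOCAL is a placeholder) for a TGT carrying the
# tool's 10-year /endin and /renewmax defaults instead of the domain policy.
SAMPLE_KLIST = """
#0>     Client: Administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 5/1/2024 8:00:00 (local)
        End Time:   4/29/2034 8:00:00 (local)
        Renew Time: 4/29/2034 8:00:00 (local)
"""

def _timestamp(text, label):
    """Pull one 'Label: m/d/Y H:M:S' timestamp out of a klist-style entry."""
    m = re.search(rf"{label}:\s+(\d+/\d+/\d+ \d+:\d+:\d+)", text)
    return datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S") if m else None

def klist_findings(entry):
    """Flag lifetimes beyond policy and RC4 tickets, both indicators of a forged ticket."""
    start, end, renew = (_timestamp(entry, k) for k in ("Start Time", "End Time", "Renew Time"))
    findings = []
    if start and end and end - start > POLICY_TICKET_LIFE:
        findings.append("ticket lifetime exceeds policy")
    if start and renew and renew - start > POLICY_RENEW_LIFE:
        findings.append("renewal lifetime exceeds policy")
    if "RC4-HMAC" in entry:
        findings.append("RC4 ticket where AES is expected")
    return findings

def event_4769_findings(event, known_accounts, aes_only=True):
    """Flag a 4769 service-ticket event (fields passed as a dict, constructed here) when
    the ticket is RC4 in an AES-only domain or names an account that does not exist."""
    findings = []
    if aes_only and int(event["TicketEncryptionType"], 16) == RC4_HMAC:
        findings.append("RC4 encryption type")
    if event["AccountName"].split("@")[0].lower() not in known_accounts:
        findings.append("account name not found in directory")
    return findings

if __name__ == "__main__":
    print(klist_findings(SAMPLE_KLIST))
    print(event_4769_findings({"TicketEncryptionType": "0x17",
                               "AccountName": "admin-svc@CORP.LOCAL"}, {"administrator", "alice"}))
```

The 4769 check is only a first filter: a ticket forged with the AES keys and a real account name passes it, which is why the lifetime comparison against policy is the stronger of the two signals.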