Golden Ticket
Check that you have the right privileges first (local admin / SYSTEM on the domain controller).
If dumping the krbtgt hash fails for lack of privileges, nothing below will work either.
What you need:
1. Domain name
2. Domain SID (the SID of any domain account with the trailing RID removed)
3. KRBTGT NTLM hash (requires elevated privileges) -> with this we can forge our own TGTs, because every TGT in the domain is encrypted and signed with the krbtgt key
The forged TGT can claim that any user, even a non-privileged one, is a member of Domain Admins. The DC trusts the claim as long as the ticket is encrypted correctly with the krbtgt key; it does not re-check the group list against the directory.
The krbtgt password is never rotated automatically, so a golden ticket keeps working until the krbtgt password is changed twice (the DC still accepts tickets under the previous key after a single change).
Run mimikatz on the DC, dump the krbtgt account secrets,
and
copy the Hash NTLM value.
--
Use the golden ticket to get access as a member of a privileged domain group with the information gathered above.
In the mimikatz golden ticket command:
/id -> the RID of the user the ticket impersonates; 500 is the built-in Administrator. No account is created, the ticket simply claims that identity.
/user -> the username to put in the ticket. It can be anything on older DCs; on DCs with the November 2021 Kerberos hardening the name must match an existing account, so use a real one (Administrator for RID 500).
After creating the ticket, pass it (inject it into the current logon session).
If you launch a command prompt now,
it runs with admin privileges: you can access the domain controller's file shares, and the ticket does not expire for a long time (mimikatz' default lifetime is 10 years).
or
launch a command prompt from mimikatz that uses the forged ticket.
Check the injected ticket and your effective access. Note that the local token's group list (e.g. whoami) still shows the groups of the account you logged on with; the forged Domain Admins membership only shows up in the ticket cache and in what the DC lets you do.