Golden Ticket
Golden Ticket is an attack in which an attacker who has obtained the password hash of the KRBTGT account forges Kerberos ticket-granting tickets (TGTs), which lets them generate authentication material for any account in Active Directory. The forged TGT is known as a golden ticket.
Exploitation
Let's try to get a PowerShell session on the domain controller.
As you can see, we were not able to access it because we did not have the required privileges. Now we will forge a golden ticket and see whether we can access it.
To forge a golden ticket, we need the KRBTGT password hash, obtained with any credential access technique. We will run a DCSync attack to retrieve the KRBTGT password hash.
With the password hash retrieved, we load Mimikatz and forge the golden ticket.
We then pass the ticket.
Now let's try to get a PowerShell session on the domain controller again.
Great.
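From the defender's side, the two steps above leave traces in the domain controller's security log: the DCSync request asks for the directory replication control-access rights (event ID 4662 with the DS-Replication-Get-Changes GUIDs), and a forged TGT is never issued by the KDC, so the forging account's first Kerberos event is a service ticket request (4769) with no preceding TGT request (4768). The following is an added detection example written for this page, not code from the original walkthrough; the event records are constructed samples and the field names are simplified assumptions rather than the raw Windows schema.

```python
from collections import defaultdict

# Control-access right GUIDs that a replication (DCSync) request asks for.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Constructed sample security events (not real logs). Field names are
# simplified; they mirror the relevant parts of event IDs 4662, 4768 and 4769.
EVENTS = [
    {"t": 1, "id": 4662, "user": "DC02$", "ip": "10.0.0.2",
     "guids": {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"}},
    {"t": 2, "id": 4662, "user": "jdoe", "ip": "10.0.0.99",
     "guids": {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
               "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}},
    {"t": 3, "id": 4768, "user": "alice", "ip": "10.0.0.5"},
    {"t": 4, "id": 4769, "user": "alice", "ip": "10.0.0.5", "service": "cifs/dc01"},
    {"t": 5, "id": 4769, "user": "Administrator", "ip": "10.0.0.99",
     "service": "cifs/dc01"},
]

def detect_dcsync(events):
    """4662 requesting a replication GUID from a non-machine account."""
    hits = []
    for e in events:
        if e["id"] != 4662 or not (e.get("guids", set()) & REPLICATION_GUIDS):
            continue
        if e["user"].endswith("$"):  # domain controllers replicate legitimately
            continue
        hits.append((e["user"], e["ip"]))
    return hits

def detect_tgs_without_as(events):
    """4769 for a user/IP pair that never received a TGT (no earlier 4768)."""
    issued = set()
    hits = []
    for e in sorted(events, key=lambda e: e["t"]):
        key = (e["user"].lower(), e["ip"])
        if e["id"] == 4768:
            issued.add(key)
        elif e["id"] == 4769 and key not in issued:
            hits.append((e["user"], e["ip"], e["service"]))
    return hits

if __name__ == "__main__":
    print("DCSync candidates:", detect_dcsync(EVENTS))
    print("TGS without AS:", detect_tgs_without_as(EVENTS))
```

The second check needs a lookback at least as long as the maximum TGT lifetime, otherwise renewals and log rotation produce false positives; both checks are starting points to be tuned against a baseline, not proof on their own.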