Forge Golden Ticket

MITRE ATT&CK, Credential Access, Technique T1558.001

A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to forge valid Kerberos Tickets. A golden ticket will allow you to persist in an environment almost indefinitely.

Prerequisites for creating a Golden Ticket:

  1. The NT hash of the krbtgt account. This can be obtained from running on the Domain Controller.

  2. Domain SID. This can be obtained by using on the Domain Controller.

  3. Domain name. This can be gathered by querying it on the Domain Controller or will have been gathered throughout the penetration test.

  4. Username to impersonate. This should be a valid user on the domain.

Creating a Golden Ticket on Linux with Impacket

1. Use to customize, sign, and save the ticket: -nthash [NTHASH] -domain-sid [SID] -domain [DOMAIN] [USER]

2. Export the ticket:


3. Authenticate with the created ticket to the domain controller: [DOMAIN]/[USER]@[HOST] -k -no-pass -dc-ip [DOMAINCONTROLLER]


Last updated