First off, I want to state that the purpose of writing this post is to help myself learn how to use Golden Tickets on assessments. If you want to see some great write-ups about Golden Ticket generation, be sure to look at these:

- Raphael Mudge's Writeup on Meterpreter's Kiwi Extension
- Raphael Mudge's Writeup on Passing the Golden Ticket with Beacon

Those posts are significantly more authoritative on the subject than mine; I just wanted to write this out so I can reference it on assessments.

Golden tickets offer an extremely powerful way for an attacker to escalate privileges on a network, or to obtain access to resources which are only available to a select group. However, it's absolutely worth mentioning that with this great power, pen testers need to take extra precaution to protect any golden tickets that they've created. A forged TGT is signed with the krbtgt key, so it stays valid until the krbtgt password has been changed twice, which usually means it outlives the engagement. It's highly recommended that any tickets created be securely encrypted during your assessment, and securely deleted when they are no longer needed.

Golden Tickets can be generated two different ways. The first way is through the kiwi extension in Metasploit, and the other is through Mimikatz's standalone application. This post will show how to use both options to generate your ticket.

Let's start off with Metasploit's Kiwi Extension.

At this point, I am going to assume that you have a meterpreter session, as SYSTEM, on the domain controller for the domain you are targeting. Within your session, you want to load the kiwi extension by typing:

Now that the kiwi extension is loaded, when you type help, you should see the additional commands that are available to you. The command that we're interested in is golden_ticket_create.

In order to create the golden ticket, we're going to need at least four pieces of information (tickets can be further customized with additional information, but the generation process needs a minimum of four):

- The user account you want to create the ticket for.
- The domain name.
- The domain SID.
- The NT hash of the krbtgt account.

To get this information, you can just interact with the meterpreter session you already have active. One way I like to do this is just running:

The domain SID starts at the S-1… and goes to …70370. Copy and paste that information into a text file. In this case, I can see (and I know) the domain name is. So, this info should also be saved off to a text file.

The last big hurdle that you will need is the NT hash from the krbtgt account. Since you should be on the DC, perform a hashdump and obtain the krbtgt hash.

At this time, go ahead and determine the user account you are wanting to impersonate, or, you can actually use an account that is nonexistent. That works because the DC never looks the name up when it accepts the TGT; it only checks that the ticket was encrypted with the krbtgt key, and the PAC inside the ticket is what states who you are and which groups you belong to.

Now that we have all of the required information, we can generate a golden ticket! Now, it's just getting everything in place for the command. In our case, the command looks like this:

We can see from the previous picture that the ticket was successfully created and written out. The user that we are impersonating is "invaliduser", and the ticket is saved to /root/Downloads/invaliduser.tck.