Introduction

Hey everyone, I’m going to show you how to establish persistence in an Active Directory environment after you’ve already gained administrator privileges. Specifically, I’ll be walking you through how to create a “golden ticket.” 🎫

What’s Persistence and Why a Golden Ticket?

First off, what do I mean by persistence? In the world of penetration testing, it’s all about maintaining access to a system you’ve compromised. The goal is to create a backdoor for myself: a user identity on the domain that I can use to get back in whenever I want.

Now, I want to be clear: this is an advanced technique that’s usually outside the scope of a standard penetration test. I would only do this if a client specifically asked for it under very special circumstances.

So, what’s a golden ticket? It’s basically a forged Kerberos ticket that I can create myself. Kerberos is the authentication system that Windows uses, and with a golden ticket, I can authenticate to any service in the entire domain as any user I want, including the domain administrator. It’s the ultimate key to the kingdom, and I’ll be using the powerful post-exploitation tool, Mimikatz, to create it.

Crafting the Golden Ticket: A Step-by-Step Guide

Here’s how I create my golden ticket:

  1. Get the krbtgt Hash: First, I need to get the NTLM hash of the krbtgt account. This account is super important because it’s used to encrypt all the Kerberos tickets in the domain. I’ll launch Mimikatz on the compromised server (where I already have admin rights) and use it to extract this hash.
  2. Head Back to the Client Machine: Now, here’s a key point: I don’t create the golden ticket on the domain controller itself. I go back to the client workstation where I started my attack. I’ll open up a new command prompt on this machine to get started.
  3. Prep Mimikatz on the Client: I’ll launch Mimikatz on the client machine and run the kerberos::purge command to clear out any existing Kerberos tickets.
  4. Create the Golden Ticket: Now for the main event! I’ll use the kerberos::golden command in Mimikatz. This command has a few important parts:
    • Username: I need to choose a username for my persistent account. I always try to pick a name that looks similar to an existing domain admin to avoid suspicion.
    • Domain: I’ll enter the domain name of the Active Directory.
    • Domain SID: I’ll need the domain’s Security Identifier (SID), which I can easily find by running whoami /user in a command prompt.
    • krbtgt Hash: I’ll paste in the NTLM hash of the krbtgt account that I grabbed earlier.
    • ptt: Finally, I’ll add ptt to the end of the command. This tells Mimikatz to “pass the ticket” into my current session.
  5. Verify and Use the Ticket: Mimikatz will let me know that the golden ticket has been successfully created. From the same Mimikatz session, I’ll launch a command prompt and use the PsExec tool to connect to the domain controller. Once I’m connected, I’ll have a command prompt on the domain controller, and I can verify that I’m logged in as the user I created by typing whoami.

And that’s it! With this golden ticket, I can now log in to the domain controller whenever I want, maintaining my access until an incident response team or a sharp-eyed system admin discovers my sneaky user account.
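The flip side of that last sentence is how a sharp-eyed admin actually spots this. The following is an added example, not part of the original post: a small detection pass over constructed Windows Security log records that flags the traces a forged TGT leaves on the domain controllers. The account list, event records and field names are assumptions modelled on the standard 4768/4769/4624 event fields.

```python
# Constructed sample events modelled on Windows Security log fields.
# 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ),
# 4624 = logon. These are not real captures.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "TargetDomainName": "CORP.LOCAL", "IpAddress": "10.0.0.5", "Time": 1},
    {"EventID": 4769, "TargetUserName": "alice", "TargetDomainName": "CORP.LOCAL", "IpAddress": "10.0.0.5", "Time": 2},
    # A forged TGT never touches the KDC, so service tickets and logons appear
    # for a name that was never issued a TGT and does not exist in the directory.
    {"EventID": 4769, "TargetUserName": "admnistrator", "TargetDomainName": "corp.local", "IpAddress": "10.0.0.77", "Time": 3},
    {"EventID": 4624, "TargetUserName": "admnistrator", "TargetDomainName": "corp.local", "IpAddress": "10.0.0.77", "Time": 4},
]

# Constructed stand-in for an export of real directory accounts (lower-cased).
KNOWN_ACCOUNTS = {"alice", "administrator", "bob"}


def find_golden_ticket_indicators(events, known_accounts):
    """Return (time, indicator, user, source_ip) tuples for suspicious events.

    Indicators:
      unknown-account  - a ticket or logon for a name the directory does not contain
      tgs-without-tgt  - a service ticket request with no earlier TGT issuance
      domain-case      - domain field not in the canonical upper-case form
                         (low-confidence heuristic seen with some forged tickets)
    Caveat: 4768 may land on a different DC than 4769, so feed this the
    merged logs of every DC, and expect a TGT issued before the log window
    to show up as a false positive.
    """
    alerts = []
    seen_tgt = set()
    for ev in sorted(events, key=lambda e: e["Time"]):
        user = ev["TargetUserName"].lower()
        src = ev["IpAddress"]
        if ev["EventID"] == 4768:
            seen_tgt.add(user)        # legitimate TGT issuance recorded by the KDC
            continue
        if ev["EventID"] not in (4769, 4624):
            continue
        if user not in known_accounts:
            alerts.append((ev["Time"], "unknown-account", user, src))
        if ev["EventID"] == 4769 and user not in seen_tgt:
            alerts.append((ev["Time"], "tgs-without-tgt", user, src))
        if ev["TargetDomainName"] != ev["TargetDomainName"].upper():
            alerts.append((ev["Time"], "domain-case", user, src))
    return alerts


if __name__ == "__main__":
    for alert in find_golden_ticket_indicators(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(alert)
```

The "unknown-account" check is the one that catches the look-alike username picked in step 4; the "tgs-without-tgt" check works even when the forged name matches a real account.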

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.