A golden ticket attack is one of your penetration testing arsenal's most dangerous hacking techniques.
It can do massive amounts of damage on Windows Active Directory environments, fly under the radar, and provide you with persistence for an entire decade.
This complete guide will teach you everything you need to know about golden ticket attacks. You’ll learn the mechanics behind them and how to perform one using various real-world hacking tools, including Mimikatz, Rubeus, and Kekeo.
You’ll discover what makes them difficult to defend against along the way. This is a technique you definitely don’t want to miss.
Turn your hacking brain on. It’s time to get your hands dirty with golden ticket attacks.
What Is a Kerberos Golden Ticket Attack?
A golden ticket attack is a powerful attack capable of granting persistence in a Windows Active Directory environment and allowing you to access any resources you want.
It’s a hacking technique you definitely want to learn and add to your penetration testing toolbox.
In this attack, you perform the following actions:
- Compromise the hash of the Kerberos Ticket Granting Ticket account (KRBTGT).
- Use this hash to forge a Kerberos Ticket Granting Ticket (TGT) for any user or group to access the entire Active Directory environment.
- Access all the resources within the domain without contacting the Domain Controller to re-authenticate, hence the name “golden ticket.”
These three steps can be performed using tools like Mimikatz, Rubeus, and Kekeo.py. Stay tuned for practical demonstrations of all three.
Golden ticket attacks are powerful because they achieve two key objectives:
- Detection evasion: It’s very difficult to detect a golden ticket attack in enterprise Active Directory environments because they involve legitimate Kerberos tickets and traffic. With the KRBTGT hash, the attacker can forge TGTs without raising suspicion.
- Persistence access: By default, golden tickets are valid for ten years or until the domain’s KRBTGT password is reset. This is rare in large Active Directory environments because of the problems it raises. As such, golden tickets provide long-term persistence and are difficult for defenders to remediate.
But how do golden ticket attacks actually work? Let’s take a look.
The Mechanics of a Golden Ticket Attack Explained
To understand the mechanics of a golden ticket attack, you need a basic understanding of how Kerberos authentication works in modern Active Directory environments.
Kerberos is a ticket-based authentication system that relies on passing tickets between a Key Distribution Center (KDC), users, and network resources.
The KDC is usually the Active Directory environment’s Domain Controller (DC), and network resources are servers that the user’s workstation needs to access.
In a typical Kerberos authentication interaction, the following happens:
- A user will send a request to the KDC to authenticate to the Active Directory domain for a session. This includes a Ticket Granting Ticket (TGT) that allows them access to network resources within the environment and their session key.
- The KDC verifies the user’s identity and responds with an encrypted TGT and a session key. The TGT is encrypted using the KDC’s secret key (KRBTGT).
- The user then requests a service ticket, known as a Ticket Granting Service ticket (TGS) whenever they want to access a network resource.
- The KDC verifies the user’s access rights and replies with a TGS encrypted with the user’s session key.
- The users use this TGS to authenticate to a service and access the network resource.
- The service verifies the TGT and lets the user interact with the network resource.
If a hacker can compromise the KDC and gain access to its secret key (KRBTGT), they can create any authentication ticket (TGT or TGS) for any user or service in the Active Directory environment. At this point, the hacker has complete control of ticket distribution.
With the KRBTGT account's password hash, the attacker can forge usernames, domain names, group members, and privileges.
To gain access to the KRBTGT password hash (the encryption key used for all TGTs), you typically have one of two options:
- Compromise the Domain Controller and dump credentials: This is where you’ll gain access to the Domain Controller and use a credential dumping tool like Mimikatz to extract the KRBTGT hash from memory or the NTDS.dit file (the main database file that stores directory data).
- Perform a DCSync attack in the context of a domain admin: A DCSync attack leverages the Directory Replication Service (DRS) Remote protocol to request password data from Domain Controllers. This is a stealthier option because it does not require direct access to the Domain Controller or elevated privileges on the target system.
To find high-value targets (domain admins) that’ll give you access to the Domain Controller, use hacking tools like BloodHound, SharpHound, or PowerView.
Now that you know what a golden ticket attack is, let’s see how to perform one!
How to Perform a Golden Ticket Attack
Knowing what a golden ticket attack is is great. However, to master and add it to your hacking arsenal, you must get hands-on experience.
The following demonstrations show you how to perform this attack using Mimikatz, Rubeus, and Kekeo. To follow along, you must meet the following requirements.
Golden attack requirements:
- An Active Directory hacking lab to perform the attack: Follow the guide How to Create a Virtual Hacking Lab: Ultimate Setup to create one.
- The KRBTGT account’s password hash: You can accomplish this using one of the attack techniques previously discussed, such as dumping credentials from the Domain Controller or performing a DCSync attack (we’ll demo this below).
- Disable Microsoft Defender on the target machine to ensure you can execute your hacking tools.
Once you satisfy these requirements, you’re ready to begin!
Performing a DCSync Attack
Before performing a golden ticket attack, you must have the KRBTGT account’s password hash. This is used to encrypt every TGT by the KDC, and it gives you ultimate access to your target Active Directory environment.
To extract this hash, you can exploit Active Directory’s DRS protocol via a DCSync attack using a tool like Mimikatz.
First, you must have access to an Active Directory account in the domain admins
group. This group of privileged users can use the DRS protocol to request password data from Domain Controllers.
The screenshot shows that we are logged in as the station-x admin
user and have full access to the Domain Controller. This is demonstrated by listing the server’s C
drive with the command dir \\dc01\c$
.
Using this access, you can load Mimikatz and run the command lsadump::dcsync /domain:<domain> /user:krbtgt
. Just replace <domain>
with the Active Directory domain name you’re targeting.
This gives us the NTLM hash of the KRBTGT account’s password—the keys to the kingdom. You’re now ready to perform a golden ticket attack.
Performing a Golden Ticket Attack With Mimikatz
One tool you can use to perform a golden ticket attack is Mimikatz. This credential harvesting tool allows you to interact with the Kerberos protocol and create, steal, or forge tickets.
In this demonstration, we’re logged in as the stationx-user
account. As shown, this account doesn’t have access to the Domain Controller.
Worry not. There are just two things you need to create a golden ticket and get access to the Domain Controller.
First was the KRBTGT account’s password, which was the hard part. Next is your target domain's Active Directory Security Identifier (SID).
To get this, run the command wmic useraccount where name=”<your_username>” get sid
and remove the last four digits. This gives you the domain SID.
Now you can perform the following actions to create a golden ticket:
- Start up Mimkatz.
- Run the command
kerberos::golden /user:<any_username> /domain:<domain_name> /sid<domain_sid> /rc4:<krbtgt_ntlm_hash> /ptt
. You should have all this data now. Just fill in the<variables>
. The/ptt
option will automatically pass the golden ticket into your current session so you can start accessing the Domain Controller and any other resource. - Note that the ticket is automatically given the
User ID 500
. This is the administrative user account in a domain, meaning you can access anything. - The golden ticket is successfully created.
- Run the Mimikatz command
misc::cmd
to create a shell in the context of our current session (e.g., a shell where we’re the domain admin).
In this example, I gave the ticket user a fake name: me
. You can use any name you want for the ticket, but for operational security, it’s best to blend in with the name of a legitimate user.
In your new shell, you can test whether you can access the Domain Controller by listing its C
drive.
Success! You just performed a golden ticket attack.
Remember to use the domain name of the resources you want to access, not the IP address. The Kerberos ticket will only be used when DNS is involved.
Performing a Golden Ticket Attack With Rubeus
Mimikatz is not the only tool that can perform golden ticket attacks. Another great option is Rubeus. This is a C# toolset for raw Kerberos interaction and abuse capable of performing many Active Directory attacks.
If you’re following along with the examples, before using Rubues, clear your Kerberos tickets with the command klist purge
command or by signing out and back in again. This ensures tickets are not carried over from the last tool you ran.
To perform a golden ticket attack with Rubeus, perform the following actions:
- Check if you can access the Domain Controller. As a regular user account, you should not be able to.
- Run the command
rubeus.exe golden /user:<any_username> /domain:<domain_name> /sid<domain_sid> /rc4:<krbtgt_ntlm_hash> /ptt
. This looks very similar to the Mimikatz command you ran and does the same thing. It creates a golden ticket as the administrative user account in the domain and passes it into your current session. Only this time, you don’t need to start a new shell. - Confirm that the golden ticket is created.
Scrolling down the output from your command, you’ll see that your golden ticket was imported successfully. If you run the command dir \\dc01\c$
, you should be able to access the Domain Controller.
Great success again! But what if you don’t want to pass the ticket to your current session every time? Let’s explore how to save your golden ticket and use it anytime with Kekeo.
Rubeus comes as C# by default. This means you need to compile it before you can use it. If you don’t want to do this, you can download a pre-compiled version from here.
Performing a Golden Ticket Attack With Kekeo
Kekeo is a tool by the same creator as Mimikatz. It’s written in C and designed to manipulate Microsoft Kerberos.
You can use it to pass golden tickets you’ve saved offline into your current session and gain unlimited access to your target Active Directory environment.
To save a golden ticket, use Rubeus with the /outfile:<filename>
option as shown below.
Once the ticket has been written (1), it won’t be automatically passed to your current session, meaning you won’t be able to access the Domain Controller (2). Instead, the golden ticket will be saved to the directory you ran Rubeus from (3) and ready to be used offline.
This is where Kekeo comes in.
First, start Kekeo. Then, run the command kerberos::ptt <ticket>.kirbi
to pass the ticket into your current session. You should then be able to access the Domain Controller and any other resource in the Active Directory environment.
Saving a golden ticket is a great way to maintain persistence. You can download this file onto your attack machine and redeploy it whenever you need privileged access in the target Active Directory domain.
Now that you know what a golden ticket attack is and how to perform one using various open-source hacking tools, let’s look at what actually makes golden ticket attacks so dangerous?
Dangers of a Golden Ticket Attack
Golden ticket attacks are one of the most powerful Active Directory attacks you can perform.
They give you unlimited access to everything in the Active Directory domain, are difficult to detect, and take a huge remediation effort to recover from.
Here are the top five reasons they are so dangerous:
- Complete control over the network: A golden ticket gives an attacker complete control of the Active Directory domain. They can impersonate any user, access any service, and modify settings like Group Policy Objects (GPOs).
- Persistence: Golden tickets offer an attacker long-term persistence with a default ten-year validity or until the domain's KRBTGT password is reset, which is rare.
- Stealth: Golden tickets are hard to prevent or detect. The attacker can forge the ticket and make it indistinguishable from genuine tickets, blending in with regular Active Directory traffic.
- Hard to undo: Remediating a golden ticket can be a nightmare for the blue team. If a golden ticket attack is detected, they must rebuild the Active Directory domain to ensure they have kicked the bad guys out. This requires a comprehensive incident response plan.
- Cross-forest trust considerations: A golden ticket undermines the trust relationships between domains within a larger Active Directory forest. Since tickets are valid across all domains in a forest, an attacker can pivot between domains and expand their attack.
Golden tickets are no joke. Protect your Domain Controller at all costs.
How to Detect a Golden Ticket Attack
Detecting this type of attack is not entirely straightforward. You either need to set very specific alerts or keep a watchful eye on your event logs and network access. Here are some things worth keeping a watch for:
- Anomalous Ticket Lifetimes: Kerberos tickets (TGTs) typically have a default lifetime. Look for tickets that have unusually long lifetimes which might indicate they have been tampered with.
- Irregular Logon Hours: Review security logs for logon events (Event ID 4624 in Windows) that occur at unusual hours, especially logons to critical servers and domain controllers.
- Unusual Use of Privileged Accounts: Keep track of privileged account usage. Sudden increases in activity, especially from accounts that typically do not engage in such behavior, could signal misuse.
- Multiple Logins Across Accounts: Watch for instances where the same IP addresses are used for multiple account logins, which isn't typical user behavior.
- Event ID 4768 and 4771: Look for failures recorded in these events which could indicate that someone is trying to forge a ticket. Successful logins with anomalies (such as odd times or mismatched user access patterns) should also be scrutinized.
- Account Creations and Modifications: Event IDs 4720 and 4722 might show the creation of new accounts or re-enabling of old accounts, which can be a tactic to maintain persistence.
By actively reviewing and analyzing these indicators in event logs and using advanced security monitoring tools, IT security teams can detect and respond to golden ticket attacks more effectively.
Conclusion
A golden ticket attack is a powerful hacking technique in your arsenal.
It allows you to inflict massive damage on Windows Active Directory environments, blend into legitimate network traffic, and persist for a long time.
This guide showcased the mechanics behind golden ticket attacks, how to perform one using various hacking tools, and highlighted why they’re so dangerous.
If you want to learn more hacking techniques like this, try one of the 1000+ courses and labs offered in our StationX Accelerator Program. This program will take you from zero to hero with everything from courses, labs, mentors, and more.
Here are some of the courses available: