![golden ticket creator golden ticket creator](https://images.squarespace-cdn.com/content/v1/5f933ed31c2976034c9d948e/1629914742862-DHZG0N9E4TWICHIKU8GI/VOID-GoldenTicket.jpg)

This technique leverages the lack of validation in the Kerberos authentication protocol in order to impersonate a particular user, valid or invalid. The KDC trusts any TGT (ticket granting ticket) that is correctly encrypted with the key of the krbtgt account, so a user that has such a TGT in their current session is considered trusted by Kerberos and can request service tickets for any resource in the network. The impersonated account does not even have to exist: the domain controller does not check the account in the PAC while the TGT is less than 20 minutes old. Mimikatz supports the creation of a golden ticket, as does its Meterpreter extension kiwi, and the Metasploit Framework has a post-exploitation module which can automate the activity.

The creation of a golden ticket requires the following information:

- the domain name (FQDN)
- the domain SID (the SID of any domain account without the trailing RID)
- the NTLM hash of the krbtgt account
- the name of the user to impersonate

The domain name and the domain SID can be obtained very easily by executing the `whoami /user` command or with the use of the PsGetsid utility from PsTools. The NTLM hash of the krbtgt account can be obtained via the following methods:

- DCSync with Mimikatz or the kiwi extension
- dumping the LSA on the domain controller with Mimikatz
- the Meterpreter `hashdump` command on the domain controller
- extracting the NTDS.DIT file from the domain controller

DCSync is a Mimikatz feature which impersonates a domain controller and requests the account password information from the targeted domain controller through the directory replication service. It requires an account with replication rights (Domain Admins and domain controller accounts have them by default). This technique is less noisy as it doesn't require direct access to the domain controller or retrieving the NTDS.DIT file over the network, although the replication request itself is recorded on the domain controller (event ID 4662 with the DS-Replication-Get-Changes properties) when object access auditing is enabled.

*Mimikatz – DCSync – Retrieve the NTLM Hash*

Alternatively, Mimikatz can retrieve the hash of the krbtgt account from the Local Security Authority (LSA) by executing Mimikatz directly on the domain controller. The kiwi extension also supports the DCSync method and can retrieve the SID, LM and NTLM hashes.

*Metasploit Kiwi DCSync*

If there is a Meterpreter session with the domain controller, the quickest method is the `hashdump` command.

*Meterpreter – krbtgt NTLM Hash*

A forged Golden Ticket can then be created with Mimikatz by using the obtained information.