Golden Ticket

A Golden Ticket attack is when an attacker has complete and unrestricted access to an entire domain – all computers, files, folders, and most importantly the access control system itself.

Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by a Key Distribution Service. The attacker gains control over the domain’s Key Distribution Service account (KRBTGT account) by stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets (TGTs) for any account in the Active Directory domain. And with valid TGTs, the attacker can request from the Ticket Granting Service (TGS) access to any resource/system on its domain.

Because the attacker is controlling the component of the access control system that is responsible for issuing Ticket Granting Tickets (TGTs), then he has the golden ticket to access any resource on the domain.

Frequently Asked Questions
What is a KRBTGT account?

KRBTGT is the Key Distribution Service account.

What’s the difference between golden ticket and pass the hash?

Pass the hash is a form of credential dumping used to gain access to the Key Distribution Service account. Access to the service account is considered the golden ticket that enables the attacker to obtain other tickets to access specific resources.

What is the connection between Mimikatz and golden ticket?

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. It implements the specific modules necessary to extract the KRBTGT account hash and create/use Kerberos tickets.