Mimikatz, Kiwi, and Golden Ticket Generation

First off, I want to state that the purpose of writing this post is to help myself learn how to use Golden Tickets on assessments.  If you want to see some great write-ups about Golden ticket generation, be sure to look at these:

Those posts are significantly more authoritative on the subject than mine, I just wanted to write this out so I can reference this on assessments.

Golden tickets can offer an extremely powerful to escalate privileges for an attacker on a network, or obtain access to resources which are only available to a select group.  However, it’s absolutely worth mentioning that with this great power, pen testers need to take extra precaution to protect any golden tickets that they’ve created.  It’s highly recommended that any tickets created should be securely encrypted during your assessment, and securely deleted when it is no longer needed.

Golden Tickets can be generated two different ways.  The first way is through the kiwi extension in Metasploit, and the other is through Mimikatz’s stand alone application.  This post will show how to use both options to generate your ticket.  Lets start off with Metasploit’s Kiwi Extension.

At this point, I am going to assume that you have a meterpreter session, as SYSTEM, on the domain controller for the domain you are targeting.  Within your session, you want to load the kiwi extension by typing:

load kiwi

Load Kiwi

Now that the kiwi extension is loaded, when you type help, you should see the additional commands that are available for you.  The command that we’re interested in is golden_ticket_create.  In order to create the golden ticket, we’re going to need at least four pieces of information (tickets can be further customized with additional information, but the generation process needs a minimum of four):

  • The Domain Name
  • The Domain SID
  • The krbtgt account’s nt hash
  • The user account you want to create the ticket for

MSF Golden Ticket Create

To get this information, you can just interact with the meterpreter session you already have active.  Drop into a shell, and run:

whoami /user

Domain Sid

The domain SID starts at the S-1… and goes to …70370.  Copy and paste that information into a text file.  Next up, grab the domain name.  One way I like to do this is just running:

ipconfig /all

Find Domain Name

In this case, I can see (and I know) the domain name is PwnNOwn.com.  So, this info should also be saved off to a text file.  The last big hurdle that you will need is the nt hash from the krbtgt account.  Since you should be on the DC, perform a hashdump and obtain the krbtgt hash.

Now that we have all of the required information, we can generate a golden ticket!  At this time, go ahead and determine the user account you are wanting to impersonate, or, you can actually use an account that is nonexistent.  Now, it’s just getting everything in place for the command.  In our case, the command looks like this:

golden_ticket_create -d PwnNOwn.com -k <nthash partially redacted> -s S-1-5-21-522332750-710551914-1837870370 -u invaliduser -t /root/Downloads/invaliduser.tck

MSF Ticket Created

We can see from the previous picture that the ticket was successfully created and written out.  The user that we are impersonating is “invaliduser”, and the ticket is saved to /root/Downloads/invaliduser.tck.

Now that the ticket has been created, it’s time to apply it to our current session.  To do this you want to type the following command:

kerberos_ticket_use /root/Downloads/invaliduser.tck

Ticket applied

In the above screenshot, I cleared all existing tickets, then applied the created ticket, and then we can see the golden ticket in use.  Note: you don’t have to purge existing tickets, but I did for demonstration purposes.

Now that the ticket has been applied, a low level user account can now act as a Domain Administrator:

MSF Ticket Applied

The user account could not previously access the DC’s C$ share, but with the ticket applied, it can!  We’re now operating with the same level of permissions as a DA!


So, our other option for generating and using golden tickets is to use the mimikatz binary.  You can download that from here.  Once downloaded, navigate to the mimikatz binary and start it.  We can re-use the information that we already have to generate our golden ticket.  To generate the ticket, you’re going to run a command similar to the following:

kerberos::golden /user:invaliduser2 /domain:PwnNOwn.com /sid:S-1-5-21-522332750-710551914-1837870370 /krbtgt:<ticket partially redacted> /ticket:invalidadmin.tck /groups:501,502,513,512,520,518,519

(Thanks to Benjamin Delpy (@gentilkiwi) for letting me know that I failed at redacting my own krbtgt hash, haha.  This is why you should always post things from a test/lab domain :).  Pic below is now updated)



In this case, we’re creating a ticket for a non existent user account, the User ID is at its default value (500), and we’ve added groups that the user should be part of.  The ticket is saved to the invalidadmin.tck file within the same directory that the mimikatz binary is running from.

Now that the ticket has been created, we just want to apply it with Mimikatz.  This can be done by running the following command:

kerberos::ptt invalidadmin.tck

Win Ticket Submission

And to verify that we have administrative access to the domain controller again…

Access DC Share

We can actually also see from the DC that the Logon was successful, even though it was with an account that doesn’t exist within the domain!

Windows Log

And that’s about it!  Writing this out helped me gain a better understanding about generating and using golden tickets, hope that it can help someone else too!

psexec_command – When You Can’t Trigger Your Payload

Ever been able to drop a payload on a machine, but not execute it? I’ve had a few odd times on assessments and/or CTFs where I’ve been able to drop a payload onto a machine that I am targeting, but haven’t been able to trigger it. An example I can talk to is when I’ve created a custom executable, such as one generated from Veil, and use metasploit’s psexec to drop the payload on the machine (which I’ve already obtained hashes or clear-text credentials), but upon uploading the executable to the target machine, for some reason, I don’t get the callback. When this happens, as long as I can verify from the metasploit output (assuming that I used metasploit’s psexec) that uploading the binary was successful, I can use psexec_command to attempt to re-trigger the payload.

So, how do we do this? Here’s how I’ve made this work before:

First, we need to attempt to psexec into a machine with our custom executable. One thing to note, I prefer to use the C$ share when dropping a payload on a machine. There’s no real reason other than the command you provide to metasploit (later) is shorter. Once you’ve provided Metasploit’s psexec module with all the options it needs and execute it, you should see something similar to the following:

exploit - 1

But what we sometimes don’t get is the all-important awesome sign of “Sending Stage…”. So.. how can we fix that?

Based off of the Metasploit log above, we can see that our custom executable was uploaded to the target machine as wdKedAbD.exe and it was dropped into the C$ share. We have all the information necessary to manually call our executable and attempt to trigger it via metasploit’s psexec_command. To do that, our configuration should look something like the following:


Note: You will need the double backslashes when setting your “Command” value.

The thing to note here is that we are calling the same executable that was uploaded in our original psexec attempt. This is what is allowing us to attempt to re-trigger the payload that was already uploaded to the machine. With all of our payload variables set, we can now run this single command against the same machine. The output upon executing our psexec_command module should look like the following:


We can see from this output that our payload was triggered, and the second stage was sent, and we opened a new meterpreter session. Success!

If anyone has any questions, feel free to ask here or on twitter @ChrisTruncer!


How Did I Figure Out I Wanted to Work in IT Security?

Randomly, I’ve been asked by people how I got started in the security world, specifically within IT.  To be honest, it’s a little amusing to me seeing as I know there is so much more out there I still have to learn.  But looking back, I can see that I have come quite a ways, and I have loved every step along the way.  I figured it might be worthwhile for me to post my thoughts, and the path that I took about how I really started working in this great industry, and give my thoughts on what a successful security person might be (by no means can I provide the all-encompassing list, but it’s just my thoughts).  This will be broken up into numerous blog posts on here.

My first exposure into security probably came at college, I know significantly later than probably many others out there.  I took my first security class at a school which barely offered any, and I could not wait for it to begin.  Throughout the course, I realized it wasn’t going to be all that intensive, I found the material easy and very logical to understand, which resulted in great grades for the class.  However, the real learning came to me when I began talking to the teacher, and meeting up with him after class.  Through this one on one time, I was exposed to the first hacking tool I’ve ever seen, Metasploit.  I still remember him saying, “Hey, see that server over there?  Watch this.”.  He then fired up Metasploit on his computer, typed in all of his commands, and boom, a shell popped up.  When I saw him make a folder via the shell, and then it pop up on the desktop of the server, it was like this black magic to me.  At the time, I felt like people always heard about hacking attacks, network infiltrations, but it’s just some news story far away, and it doesn’t really happen.  When I saw it happen right in front of my eyes, it’s like my whole world opened up.

I went home that very same day, installed Auditor (pre-backtrack days) and fired up metasploit.  This was my very first interaction with not only metasploit, but linux also.  I had never used linux, knew of it, but just never tried it before.  I can’t tell you the number of times I lost my documents (until I finally started saving them on a usb drive) when trying to learn how to setup dual partitions on a single hard drive to run linux and windows.  I finally settled on Kubuntu at the time, and started trying to learn the OS.

At the same time, I was lucky enough to have a roommate who told me, “Yeah, you can try hacking into my computer”.  So I did.  It took quite some time, as I never really knew what I was doing.  But, like the security class, I still remember the first time I was able to break into his system.  It was some basic remote code execution that he hadn’t patched on his XP computer, and I setup to do a VNC injection as the payload.  I just couldn’t believe my eyes when I saw it successfully worked, and then when his actual desktop showed up on my computer, and that I could actually move his mouse on his computer with my computer.

It was right then and there, that I knew exactly what I wanted to do as my job.

CarolinaCon Capture the Flag Event

Over the end of April beginning of May, I was able to attend my first info sec conference, CarolinaCon.  In short, I will go out of my way to make sure that I attend the conference next year.  The talks were great, people there were fun to meet, and overall it was just an experience that I really enjoyed.  It was cool being around a lot of people who were all just very interested in security.

I participated in the Capture the Flag event that CarolinaCon put on.  I highly recommend, if possible, everyone to participate in these events because even if you don’t win, you walk away having learned a lot.

The CTF event started at 7:00pm, and I was able to capture one of the targets at 7:20pm.  It was a pretty simple attack because it was running a vulnerable service that Nessus had easily detected.  I exploited it using Metasploit and found the first flag.

The second flag I got took all day to get.  It was a web form vulnerable to SQL injection.  I spent all day trying to format the query to dump the information that I needed, however I just couldn’t get it.  It was probably a good 8 hours on and off I was working to figure out the correct syntax.  At the end of the 8 hours, I discovered a great tool called SQLMap.  With this, I was able to dump the whole database in about 20 seconds.  I was annoyed because I tried using SQLMap earlier, however it was doing URL based injections, vs. form based.  Unfortunately, I missed the –forms flag that SQLMap has, and had turned back to manually figuring it out.  Anyways, once I had the –forms flag set, it worked like a charm.

The third flag was a fun one to get.  What I didn’t mention earlier, was that when I was on the first box, I dumped the hashes.  Well, the third box was on a separate only accessible through the first box.  So I had to re-exploit the first system so I could pivot from it into the third box.  Once I setup the routing, I was able to perform a pass the hash attack using the hashes I dumped from the first box, onto the third box.  This gave me access and I was able to get the third flag.

I exploited 3 of the 5 boxes, and I ended up winning the tournament because no one else was able to exploit the two remaining boxes.  It was a really fun tournament, I learned some new tools/techniques, and it was a good time.

In short, I am really looking forward to it again next year.