search
githubEdit

DCSync and Ticket Forgery

Techniques for after obtaining Domain Admin privileges.

hashtag
DCSync

Requires Domain Admin, Enterprise Admin, or DC computer account.

# Impersonate DA
make_token INLANEFREIGHT\bjohnson Passw0rd!

# DCSync krbtgt hash
dcsync inlanefreight.local INLANEFREIGHT\krbtgt

# DCSync computer account (include $)
dcsync inlanefreight.local INLANEFREIGHT\ilf-db-1$

hashtag
Ticket Forgery

hashtag
Silver Tickets

Forged service ticket using service's secret. Targets specific service on specific machine.

Use case: Maintain local admin access after initial compromise by forging CIFS tickets.

Parameters:

  • /service - Target service (e.g., cifs/hostname, MSSQLSvc/hostname:1433)

  • /aes256 - AES256 hash of target computer/service account

  • /user - Username to impersonate

  • /domain - FQDN of domain

  • /sid - Domain SID (without RID)

  • /id - User RID (default: 500)

  • /groups - Group RIDs (default: 520,512,513,519,518)

Inject and use:

Silver ticket for MSSQL (after Kerberoasting):

Note: Silver tickets can be mitigated by PAC validation. Ticket is signed with computer's secret instead of krbtgt, so KDC validation will fail.

hashtag
Golden Tickets

Forged TGT signed with krbtgt secret. Can impersonate any user to any service.

Parameters:

  • /aes256 - krbtgt AES256 hash

  • /user - Username to impersonate

  • /domain - Current domain

  • /sid - Current domain SID

Use golden ticket:

hashtag
Diamond Tickets

More OPSEC-safe than golden tickets. Requests legitimate TGT, decrypts it with krbtgt secret, modifies internals, re-encrypts and re-signs.

Parameters:

  • /tgtdeleg - Uses TGT delegation trick (no creds needed)

  • /krbkey - krbtgt AES256 hash

  • /ticketuser - User to impersonate

  • /ticketuserid - Impersonated user's RID

  • /domain - Current domain

  • /groups - Group RIDs (default: 520,512,513,519,518)

Use diamond ticket:

hashtag
DPAPI Backup Key

Domain backup key can decrypt DPAPI blobs for any user in the domain. Never automatically changed.

hashtag
Extract Backup Key (Requires DA)

Output:

hashtag
Decrypt Other Users' Credentials

With local admin on a machine, decrypt any user's saved credentials:

Note: /rpc method only works for current user's credentials. Use /pvk with backup key for other users.

hashtag
Quick Reference - Ticket Types

Ticket Type
Secret Required
Scope
OPSEC

Silver

Service/Computer hash

Single service

Medium

Golden

krbtgt hash

Entire domain

Lower (forged offline)

Diamond

krbtgt hash

Entire domain

Higher (modifies real TGT)

PreviousCredentialsNextEnumeration

Last updated