Unfortunately, in the world of internal infrastructure, Golden Tickets aren’t fiction: they’re very real, very powerful and often far easier to forge than organisations would like to believe.
As Pen Test Manager at CybaVerse, one of the things we pride ourselves on is not just identifying vulnerabilities but following the chain. We don’t stop at 'there’s a weak hash' or 'NTLMv1 is enabled'. We ask:
“If I were a real attacker, how far could I take this?”
Recently, during an internal infrastructure assessment, that answer was: All the way to Domain Compromise with persistence.
During the engagement, there were numerous possible paths to compromise due to the volume of findings.
One particularly clean route involved:
The initial foothold came via Man-in-the-Middle attacks.
One of the captured hashes belonged to:
It was NTLMv1 and the underlying password was only eight characters long. The hash was cracked in minutes.
Figure 2 shows the obfuscated hash and the cracked password.
The account was a member of Domain Admins
Figure 3 shows the account’s membership of the Domain Admins group.
Remote Desktop Protocol (RDP) access to the Domain Controller was available internally but protected with Multi Factor Authentication (MFA).
Figure 4 shows MFA protecting RDP.
However, MFA on RDP does not protect every protocol. Using Impacket tooling, psexec.py was blocked (likely by security controls on the host), but wmiexec.py succeeded.
This resulted in command-line access to a Domain Controller.
Figure 5 shows CybaVerse with command-line access on a Domain Controller.
During enumeration, it was identified that the krbtgt password had not been changed for 5640 days.
The krbtgt account is the heart of Kerberos authentication in Active Directory. If an attacker obtains its hash, they can forge Kerberos tickets, impersonate any user and maintain persistence until the krbtgt password is properly rotated (twice).
Figure 6 shows the last password change of the krbtgt account.
With the Domain SID, krbtgt NTLM hash and domain name, an attacker can generate forged Ticket Granting Tickets (TGTs).
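The two krbtgt facts above, the 5640-day password age and the need to rotate twice, are easy to check and easy to get wrong. The following is an added example (not CybaVerse’s tooling): it decodes AD’s `pwdLastSet` FILETIME into an age, and models why a stolen krbtgt hash keeps working until the second rotation, since a DC accepts tickets sealed with the current or the previous key. The dates, the DC names and the 10-hour ticket lifetime (the default Kerberos policy) are constructed or assumed values.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Default "Maximum lifetime for user ticket" in Kerberos policy (assumed unchanged).
MAX_TGT_LIFETIME = timedelta(hours=10)

def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic: a float would lose precision at ~1e16 microseconds.
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def krbtgt_password_age_days(pwd_last_set: int, now: datetime) -> int:
    """Age of the krbtgt secret; the engagement above found this at 5640 days."""
    return (now - filetime_to_datetime(pwd_last_set)).days

def stolen_key_still_accepted(stolen_at: datetime, rotations: list, at: datetime) -> bool:
    """DCs accept tickets sealed with the current OR the previous krbtgt key, so a
    stolen hash only stops working after two rotations have happened since the theft."""
    rotations_since_theft = sum(1 for r in rotations if stolen_at < r <= at)
    return rotations_since_theft < 2

def rotation_plan_is_safe(rotations: list) -> bool:
    """The second reset should come no sooner than one maximum ticket lifetime after
    the first, so tickets issued under the old key have expired and the first new key
    has replicated to every DC before it becomes the 'previous' key."""
    r = sorted(rotations)
    return all(b - a >= MAX_TGT_LIFETIME for a, b in zip(r, r[1:]))

# Constructed sample values (not from the engagement).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc))
THEFT = datetime(2025, 5, 1, tzinfo=timezone.utc)
ROTATIONS = [datetime(2025, 5, 10, 8, tzinfo=timezone.utc),
             datetime(2025, 5, 10, 20, tzinfo=timezone.utc)]   # 12 hours apart
RUSHED_ROTATIONS = [datetime(2025, 5, 10, 8, tzinfo=timezone.utc),
                    datetime(2025, 5, 10, 10, tzinfo=timezone.utc)]  # only 2 hours apart

if __name__ == "__main__":
    print("krbtgt age (days):", krbtgt_password_age_days(SAMPLE_PWD_LAST_SET, NOW))
    print("stolen key usable after one rotation:", stolen_key_still_accepted(THEFT, ROTATIONS[:1], NOW))
    print("stolen key usable after two rotations:", stolen_key_still_accepted(THEFT, ROTATIONS, NOW))
    print("rushed plan safe:", rotation_plan_is_safe(RUSHED_ROTATIONS))
```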
After performing DCSync and dumping the SAM, the krbtgt hash was obtained.
Figure 7 shows the SAM dump, including the krbtgt hash
A forged Kerberos ticket was then created and used to authenticate successfully to a Domain Controller.
At this point, even if the original compromised account password was changed, persistence remained.
Figure 8 shows that a Kerberos ticket is created for the user CybaVerse
Figure 9 shows a connection to a DC using the newly created ticket
Kerberoasting targets Service Principal Names (SPNs). Any authenticated domain user can request a service ticket, which is encrypted with the service account’s password hash. If weak, it can be cracked offline.
Combined with weak service account passwords and overprivileged accounts, this often becomes the stepping stone to full compromise.
1. Rotate the krbtgt account at least twice yearly (rotate twice in succession).
2. Disable NTLMv1 and enforce NTLMv2 only.
3. Use long, complex passwords or gMSA for service accounts.
4. Implement a tiered administration model.
5. Monitor for DCSync attempts and abnormal Kerberos activity.
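Recommendation 5 is the one that would have raised the cost of this chain the most. As an added example (not CybaVerse’s detection content), the logic below runs over a handful of constructed Windows Security events: it flags 4662 events that request the directory replication control-access rights from anything other than a DC computer account (DCSync), and flags a 4769 service-ticket request with no earlier 4768 TGT request for the same account and source, which is what a forged TGT looks like, since a DC never issued it. The DC account names, user names and IP addresses are assumed sample values.

```python
# Well-known control-access right GUIDs requested during directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}  # assumed: the domain's DC computer accounts

# Constructed sample events mimicking EventData fields; not logs from the engagement.
SAMPLE_EVENTS = [
    # DC-to-DC replication: legitimate, must not alert.
    {"EventID": 4662, "SubjectUserName": "DC02$", "IpAddress": "10.0.0.6",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account pulling replication rights from a workstation subnet: DCSync.
    {"EventID": 4662, "SubjectUserName": "j.smith", "IpAddress": "10.0.5.23",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Normal Kerberos flow: TGT request (4768) followed by a service ticket (4769).
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.5.40"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.5.40",
     "ServiceName": "FS01$"},
    # Service ticket with no TGT request on record: consistent with a forged TGT.
    {"EventID": 4769, "TargetUserName": "j.smith@CORP.LOCAL", "IpAddress": "::ffff:10.0.5.23",
     "ServiceName": "DC01$"},
]

def _account(name: str) -> str:
    # 4769 logs user@REALM while 4768 logs the bare name; normalise for correlation.
    return name.split("@")[0].lower()

def detect_dcsync(events):
    """4662 with replication rights from a non-DC principal is the classic DCSync signal."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662 or e["SubjectUserName"].upper() in DOMAIN_CONTROLLER_ACCOUNTS:
            continue
        props = e.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights:
            alerts.append((e["SubjectUserName"], e["IpAddress"], rights))
    return alerts

def detect_tgs_without_tgt(events):
    """4769 for a (user, source) pair never seen in a 4768. Needs every DC's logs in one
    place, otherwise the matching 4768 may simply have been written by another DC."""
    seen_tgt, alerts = set(), []
    for e in events:
        key = (_account(e.get("TargetUserName", "")), e.get("IpAddress"))
        if e.get("EventID") == 4768:
            seen_tgt.add(key)
        elif e.get("EventID") == 4769 and key not in seen_tgt:
            alerts.append((key[0], key[1], e.get("ServiceName")))
    return alerts
```

The second heuristic is noisy on its own (DC log gaps, long-lived TGTs issued before log retention began), so it is best used as an enrichment alongside DCSync and krbtgt telemetry rather than a stand-alone alert.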
Tools such as Ping Castle (https://www.pingcastle.com) can provide useful visibility into Active Directory risk.
However, automated tools do not chain misconfigurations, crack hashes, bypass controls or demonstrate real impact. Proper penetration testing simulates how an adversary would actually operate.
It’s worth noting that the environment was not actively monitored by a Managed Detection & Response (MDR) capability. With mature monitoring in place, particularly alerting on DCSync behaviour, unusual Kerberos ticket lifetimes and anomalous administrative activity, the complexity of this attack chain would likely have increased significantly.
Security controls worked in places (MFA, antivirus, etc.), but without deep identity monitoring, Kerberos abuse often flies under the radar. Golden Tickets are powerful and notoriously difficult to detect without strong identity telemetry.
Golden Tickets are just one form of Kerberos ticket forgery.
Other variants include:
Each of these techniques manipulates Kerberos trust in slightly different ways. Some are noisier. Others are far more stealthy.
The common theme?
When identity controls are weak, Kerberos stops being an authentication method and starts being a persistence mechanism.
This wasn’t a single dramatic zero-day.
It was the accumulation of technical debt, weak credentials, legacy authentication, privilege sprawl and a krbtgt account untouched for over a decade that ultimately created a viable route to full domain compromise.
That’s exactly why security can’t exist in silos.
At CybaVerse, we don’t like to just run penetration tests and hand over reports. We strive to combine MDR, Pen Testing, Compliance and Incident Response into a single, scalable security platform that grows with you. Testing identifies the risk. Monitoring detects the abuse. Compliance drives governance. IR contains damage.
Because finding the Golden Ticket is one thing.
Making sure no one else can generate one in the first place, that’s the real objective.