Golden ticket attacks remain one of the most feared techniques in Kerberos environments. By forging a TGT offline using the domain’s KRBTGT account hash, attackers can impersonate any user — even domain admins — with zero network interaction. In this post, we show how Pentest Copilot autonomously carries out this attack once it obtains the hash from a prior compromise.
After identifying a vulnerable domain (e.g., sevenkingdoms.local) and extracting the KRBTGT hash, Copilot constructs a vulnerability entity specifically for the Golden Ticket attack. This includes:
domain_name
krbtgt_hash
verified
flag
Trigger mechanics for success validation
The goal? Generate a fully valid Kerberos Ticket Granting Ticket (TGT) that can be presented to any service.
The agent:
Generates a TGT using the stolen hash and domain SID.
Sets attributes like user: Administrator, groups: Domain Admins, and valid PAC fields.
Encrypts the ticket with RC4 or AES based on domain compatibility.
Injects the forged ticket locally and attempts to access resources.
Once the ticket is validated by the Key Distribution Center (KDC), the domain considers the agent an authenticated admin.
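The defensive counterpart to the steps above, as an added example that is not part of the original post or of Pentest Copilot: a small Python check over constructed Windows Security events that flags a service-ticket request (event 4769) with no preceding TGT request (event 4768) from the same account and client, which is how a TGT forged offline shows up on the domain controller, and an RC4-encrypted ticket (type 0x17) in a domain that expects AES. The event field names and sample values are assumptions.

```python
"""Detection helper for forged (golden) TGT use.

Signals checked over Windows Security events:
  * a 4769 (service ticket requested) for an account/client pair with no
    4768 (TGT requested) in the preceding TGT lifetime window, which is
    what an offline-forged TGT looks like: the KDC never issued it;
  * a ticket encryption type of RC4 (0x17) where the domain uses AES.
"""

# Constructed sample events (not a real capture). "t" is epoch seconds,
# "etype" is the TicketEncryptionType field as logged by the DC.
SAMPLE_EVENTS = [
    {"id": 4768, "t": 100, "user": "jon", "ip": "10.0.0.5", "etype": "0x12"},
    {"id": 4769, "t": 105, "user": "jon", "ip": "10.0.0.5", "etype": "0x12"},
    # Forged TGT: TGS request with no 4768 from this client, RC4 ticket.
    {"id": 4769, "t": 300, "user": "Administrator", "ip": "10.0.0.77",
     "etype": "0x17"},
]

RC4_ETYPE = "0x17"          # RC4-HMAC
TGT_LIFETIME = 10 * 3600    # default maximum TGT lifetime (10 hours)


def find_golden_ticket_indicators(events, window=TGT_LIFETIME,
                                  domain_uses_aes=True):
    """Return (reason, event) tuples for suspicious 4769 events."""
    last_tgt = {}   # (user, client ip) -> time of last 4768
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] == 4768:
            last_tgt[key] = ev["t"]
        elif ev["id"] == 4769:
            seen = last_tgt.get(key)
            # No TGT was ever issued by a DC we log for this pair, or the
            # one we saw is older than any TGT could legitimately be.
            if seen is None or ev["t"] - seen > window:
                findings.append(("tgs_without_tgt", ev))
            if domain_uses_aes and ev["etype"] == RC4_ETYPE:
                findings.append(("rc4_ticket_in_aes_domain", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in find_golden_ticket_indicators(SAMPLE_EVENTS):
        print(f"{reason}: user={ev['user']} ip={ev['ip']} etype={ev['etype']}")
```

The first signal only holds when 4768 events from every domain controller are collected centrally; a TGT issued by an unlogged DC produces the same pattern, so treat it as a lead to correlate with the RC4 signal and the account's normal activity rather than a verdict on its own.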
After injection, the agent queries for domain information. If successful, it stores the forged TGT as a Secret and marks the vulnerability as verified. It also links the ticket to the affected Domain entity, ensuring traceability.
With this TGT, the agent can now access any host, modify policies, dump credentials, or exfiltrate data, all under an administrator identity.