Description
Forges a Diamond Ticket by modifying a legitimate TGT obtained from the KDC.
Overview
Forges a Diamond Ticket by requesting a legitimate TGT from the KDC and then modifying its PAC (Privilege Attribute Certificate) to include arbitrary group memberships. This is stealthier than a Golden Ticket because the ticket was originally issued by a real KDC.
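A defender-side counterpart to the PAC modification described above, as an added example that is not part of the original page or the tool: it compares the user RID, group RIDs and extra SIDs carried in a decoded PAC against what the directory holds for the same account. The PAC decoding step is assumed to have happened already, and the `LogonInfo` type, the function name and all sample values are hypothetical and constructed for illustration.

```python
# Added example (defensive): PAC-versus-directory consistency check.
# Every account name, RID and SID below is a constructed sample value.
from dataclasses import dataclass, field


@dataclass
class LogonInfo:
    """Identity fields carried in a PAC, or held in the directory."""
    user_name: str
    user_rid: int
    group_rids: set
    extra_sids: set = field(default_factory=set)


def pac_discrepancies(pac, directory):
    """List every claim in the PAC that the directory does not back."""
    acct = directory.get(pac.user_name.lower())
    if acct is None:
        return [f"unknown account {pac.user_name}"]
    findings = []
    if pac.user_rid != acct.user_rid:
        findings.append(f"user RID {pac.user_rid} != directory RID {acct.user_rid}")
    for rid in sorted(pac.group_rids - acct.group_rids):
        findings.append(f"group RID {rid} not held by account")
    for sid in sorted(pac.extra_sids - acct.extra_sids):
        findings.append(f"extra SID {sid} not expected")
    return findings


# Constructed directory snapshot: an ordinary user in Domain Users (513).
DIRECTORY = {"jdoe": LogonInfo("jdoe", 1104, {513})}

# Constructed PACs: one as issued, one carrying Domain Admins (512),
# Enterprise Admins (519) and an extra SID the account never had.
EXTRA_SID = "S-1-5-21-1111111111-2222222222-3333333333-519"
AS_ISSUED = LogonInfo("jdoe", 1104, {513})
MODIFIED = LogonInfo("jdoe", 1104, {513, 512, 519}, {EXTRA_SID})
RENAMED = LogonInfo("jdoe", 500, {513})  # user RID swapped

if __name__ == "__main__":
    for label, pac in (("as issued", AS_ISSUED), ("modified", MODIFIED),
                       ("renamed", RENAMED)):
        print(label, "->", pac_discrepancies(pac, DIRECTORY) or "consistent")
```

A PAC reflects group membership at the time the ticket was issued, so a membership change made during the ticket's lifetime can also produce a finding and should be ruled out before escalating.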
Arguments
| Parameter | Type | Description |
|---|---|---|
| User | string | The username to authenticate as. |
| Domain | string | The target domain. |
| Password | string | The plaintext password. |
| RC4 | string | The RC4/NTLM hash. |
| AES256 | string | The AES256 key. |
| DC | string | The domain controller to target. |
| KrbKey | string | The krbtgt key used to decrypt and re-encrypt the PAC. |
| TicketUser | string | The username to set in the modified PAC. |
| Groups | string | Comma-separated group RIDs for the modified PAC. |
| Ptt | switch | Pass the ticket into the current session. |
| TgtDeleg | switch | Use the TGT delegation trick instead of credentials. |
Additional Parameters
- Certificate: Certificate for PKINIT.
- EncType: Encryption type.
- TicketUserID: User RID for the modified PAC.
- AdditionalSIDs: Extra SIDs for the PAC.
Dependencies
- AD
Operating Systems
- Windows
