Golden Tickets

The KRBTGT Account, every Active Directory Domain Controller is responsible for handling Kerberos Ticket requests, which are used to authenticate users and grant them access to computers and applications. The KRBTGT account is used to encrypt and sign all Kerberos tickets within a domain, and a domain controllers use the account password to decrypt Kerberos tickets for validation. This account password never changes, and the account name is the same in every domain, so it's a well-known target for attackers.

What's the risk?

Once an attacker compromises the KRBTGT account they can create forged Kerberos tickets (TGTs) which can be used to request TGS tickets for any service on any computer in the domain. But remember the hardest part of this attack is you need Administrator Access to the DC (Domain Controller), these attacks are hard to detect because they are valid TGTs.

For Demo purposes we have the KRBTGT Hash and a Shell with the user Mgarcia, if we enumerate the DC Directory we don't have access.

Now let us use the binary form of mimikatz as there is no way that I am familiar with that this technique will work straight from Covenant I move to a local CMD (you can also use RDP if available and probably PSRemoting), we will first need the SID of the User and the KRBTGT hash

We will copy everything but the last 4 digits as they identify the user and we want to replace that with a 500 SID user. In our previous attack DCSync we grabbed the KRBTGT hash so we can skip this, as the user had DCSync permissions it was easy to grab without compromising the DC.

And now we will use the command for mimikatz to grab and pass the ticket onto our current session.

Once we execute the command successfully, we can enumerate the C Drive from the DC.

As you can see now with the KRBTGT Account's NTLM Hash we can forge ticket to any user or create our own and give them the highest privileges on the Domain, this is a great method for persistence

Last updated