πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Search…
πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Introduction
Red Team
Red Team Techniques
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Active Directory
Active Directory
Active Directory Attacks
Kerberoasting
Unconstrained Delegation
Constrained Delegation
DCSync
Golden Tickets
Silver Tickets
Skeleton Keys
Active Directory Certificate Services
AS-REP Roasting
Red Team Infrastructure
RED TEAM INFRASTRUCTURE
Domain Name and Categorization
Reconnaissance
Weaponization
Delivery
Situational Awareness
Credential Dumping
Persistence
Defense Evasion
Privilege Escalation
Lateral Movement
Powered By GitBook
Golden Tickets
The KRBTGT Account, every Active Directory Domain Controller is responsible for handling Kerberos Ticket requests, which are used to authenticate users and grant them access to computers and applications. The KRBTGT account is used to encrypt and sign all Kerberos tickets within a domain, and a domain controllers use the account password to decrypt Kerberos tickets for validation. This account password never changes, and the account name is the same in every domain, so it's a well-known target for attackers.
What's the risk?
Once an attacker compromises the KRBTGT account they can create forged Kerberos tickets (TGTs) which can be used to request TGS tickets for any service on any computer in the domain. But remember the hardest part of this attack is you need Administrator Access to the DC (Domain Controller), these attacks are hard to detect because they are valid TGTs.
For Demo purposes we have the KRBTGT Hash and a Shell with the user Mgarcia, if we enumerate the DC Directory we don't have access.
Now let us use the binary form of mimikatz as there is no way that I am familiar with that this technique will work straight from Covenant I move to a local CMD (you can also use RDP if available and probably PSRemoting), we will first need the SID of the User and the KRBTGT hash
We will copy everything but the last 4 digits as they identify the user and we want to replace that with a 500 SID user. In our previous attack DCSync we grabbed the KRBTGT hash so we can skip this, as the user had DCSync permissions it was easy to grab without compromising the DC.
And now we will use the command for mimikatz to grab and pass the ticket onto our current session.
Once we execute the command successfully, we can enumerate the C Drive from the DC.
As you can see now with the KRBTGT Account's NTLM Hash we can forge ticket to any user or create our own and give them the highest privileges on the Domain, this is a great method for persistence
Previous
DCSync
Next
Silver Tickets
Last modified 1yr ago
Copy link