Golden Ticket
Last updated
Last updated
Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory.
Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.
The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets. The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.
Example
As explained the most powerful account on the DC the KRBTGT Account this account is used to create TGT to any service in the Domain Controller, all that is needed (Easy to say) is to compromise the Domain Controller or use any other attack (DCSync) to grab the password hash of this account we can then use mimikatz to create and inject the Ticket to any service that is desired and this attack, is incredible for avoiding logs since these are legitimate TGTs.
Let's see this attack in action, after all the enumeration and all the hacking with all your setup you managed to get a shell on the DC (Domain Controller) and you grab a user, and this user has Administrator Access.
Here we continue with mimikatz and request the hashes for the KRBTGT user. We can see that there are old hashes and the most current one available for the user.
privilege::debug
lsadump::lsa /inject /name:krbtgt
On the Kali terminal you will need to make this a one-liner so that the mimkatz binary exits properly.
mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" exit
Continuing with the attack now we will request a Golden ticket and create a fake user this user will have total access to the DC and other machines, so from here the fake user created will have to permissions to list the folders of the domain controller. It makes no sense to do this attack since the DC and a high level user has been compromised but this is a great opportunity to avoid detection as these forged tickets are legitimate tickets created by the KRBTGT account.
mimikatz.exe "kerberos::golden /domain:dc1.dominioncyber.local /sid:S-1-5-21-4198639423-1025486511-2226459690 /rc4:a8bbd83cc1ded03f7db3b07d78e95036 /user:Youllnevercatchme /id:500 /ptt"
Let's confirm our assumptions.
We can list the DC directories and the user was authenticated to it as well, the Ticket is saved in the session and with mimikatz I used the msic::cmdcommand to prompt open a new cmd window with the session in memory this is also a great way to Privesc or to Maintain Persistence on a machine.