This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is a [Kerberos Forged Ticket] [Attack] and is often part of an [Advanced Persistent Threat] ([APT]).
[{$pagename}] has a High [Attack Effort].
!! [{$pagename}] Outcome
After an [Attacker] compromises a system and then escalates to [Local Administrative Accounts] [privileges], a tool such as [Mimikatz] can dump [Microsoft Windows] [credentials], like [LM hash]es and [Kerberos] tickets, from memory and perform [pass-the-hash] and [pass-the-ticket] [attacks].
If the [attacker] gains full [Local Administrative Accounts] [privileges] on a Windows [Domain Controller], this feature allows creating a special [Kerberos] [TGT] ticket (a [{$pagename}]) which has the following properties: [3]
* provides a method to arbitrarily generate [Kerberos] [TGT] tickets for any user of the target domain. Therefore, it can be used to [impersonate|Impersonation] anybody; Domain Administrator accounts are the most interesting, but potentially any legitimate user can be impersonated;
* can be created off-line. Therefore, one does not need to be connected to the domain once all the data required to create the ticket has been collected (see next section);
* is valid for an arbitrary lifetime; the [Mimikatz] default is 10 years, or until a Domain Administrator resets the Kerberos key used to generate the [TGT]. This is the current setting implemented by [Mimikatz], but it should be possible to create tickets of any lifetime (arbitrary start, renewal and end times are possible);
* is not affected by the [Kerberos] lifetime policy (default renewal lifetime 10h and total lifetime 7 days). The [KDC] validates [TGT] tickets based on the lifetime settings embedded in the protected core of the ticket and not on the policy set on the Domain Controller. Even if a control enforcing that policy were in place, it could not block golden tickets: the [attacker] can generate a ticket with a lifetime in line with the local policy and so bypass the control;
* can be replayed with the [pass-the-ticket] [attack] technique, which allows the [attacker] to access other [resources] available to the impersonated user;
* as with any [pass-the-ticket], no elevated [privilege] is needed to replay and use the golden ticket;
* a [Password Reset] of the impersonated account does not make the [{$pagename}] invalid;
* resetting the [Kerberos] secret key __does__ make all [{$pagename}] tickets invalid;
* Windows event logs do not distinguish the use of a legitimate [TGT] ticket from a [{$pagename}], so there is no universal rule to detect the use of a [{$pagename}].
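The lifetime property above suggests one defender-side check. The following is an added example, not code from the original page or from Mimikatz: it compares the start, end and renew-till times of observed TGTs (for instance exported from a ticket cache listing) against the 10-hour and 7-day policy figures the page mentions, treating them as the maximum ticket lifetime and maximum renewal lifetime respectively. The `TicketTimes` record, the function names and all sample ticket data are constructed for this example. The third sample shows the page's own caveat: a forged ticket issued within policy passes this check, so it is a heuristic rather than a universal rule.

```python
"""Compare the lifetime embedded in Kerberos TGTs against domain policy.

Added example (not code from the original page or from Mimikatz). The page
notes that the KDC honours the lifetime inside the ticket rather than the
domain policy, so tickets far outside policy are worth a look. Policy values
below use the 10-hour and 7-day figures the page mentions (assumed to be the
maximum ticket lifetime and maximum renewal lifetime). All ticket records are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumed defaults taken from the page's figures).
POLICY_MAX_TICKET_LIFETIME = timedelta(hours=10)
POLICY_MAX_RENEWAL_LIFETIME = timedelta(days=7)


@dataclass(frozen=True)
class TicketTimes:
    """Times of one TGT as they would appear in a ticket cache listing."""
    label: str            # constructed identifier for the sample
    start: datetime
    end: datetime
    renew_till: datetime


def check_ticket(t: TicketTimes,
                 max_life: timedelta = POLICY_MAX_TICKET_LIFETIME,
                 max_renew: timedelta = POLICY_MAX_RENEWAL_LIFETIME) -> list[str]:
    """Return the policy violations for one ticket; an empty list means consistent."""
    findings = []
    # A ticket whose times are out of order is malformed regardless of policy.
    if not (t.start <= t.end <= t.renew_till):
        findings.append("inconsistent start/end/renew_till ordering")
    life = t.end - t.start
    renew = t.renew_till - t.start
    if life > max_life:
        findings.append(f"ticket lifetime {life} exceeds policy {max_life}")
    if renew > max_renew:
        findings.append(f"renewal lifetime {renew} exceeds policy {max_renew}")
    return findings


def scan(tickets: list[TicketTimes]) -> dict[str, list[str]]:
    """Run check_ticket over a batch and key the findings by ticket label."""
    return {t.label: check_ticket(t) for t in tickets}


def sample_tickets() -> list[TicketTimes]:
    """Constructed samples: a normal TGT, a 10-year forged one, a forged one within policy."""
    issued = datetime(2024, 11, 29, 16, 16, tzinfo=timezone.utc)
    return [
        TicketTimes("normal", issued, issued + timedelta(hours=10), issued + timedelta(days=7)),
        TicketTimes("forged-10y", issued, issued + timedelta(days=3650), issued + timedelta(days=3650)),
        TicketTimes("forged-in-policy", issued, issued + timedelta(hours=10), issued + timedelta(days=7)),
    ]


if __name__ == "__main__":
    for label, findings in scan(sample_tickets()).items():
        print(label, "->", findings or "consistent with policy")
```

Running the module prints two findings for the 10-year sample and nothing for the other two; the policy-conformant forged ticket is indistinguishable from the normal one on lifetime alone, which is exactly the limitation the page describes.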
!! [{$pagename}] [How To] [2]
The easiest way to obtain the information you'll need is to run [Mimikatz] 2.0 on a [Domain Controller] for the [AD DOMAIN] you wish to compromise.
[Mimikatz] includes a new feature called [{$pagename}].
[{$pagename}] [Attack] requires the [Attacker] to have the following pieces of information available:
* The target domain name (e.g. vln2012.local).
* The [SID] of the target domain (this should be present in the output from the lsadump::lsa command; it is S-1-5-21-3871786346-2057636518-1625323419 in the example output of the walkthrough cited above, or you can just strip the rightmost number off a user [SID] from the domain).
* The name of the user account to impersonate (e.g. Administrator).
* The [RID] of the user account to impersonate. The [RID] is the rightmost number in a full [SID]. For example, the [RID] for the built-in Administrator account is 500.
* The [RIDs] of the groups that the account should be a member of. The RID is the rightmost number in a full SID. For example, the RIDs for Domain Users and Domain Admins would be 512 and 513.
* One or more of the [KRBTGT] [encryption] keys.
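The SID and RID rules in the list above are just as useful from the defender's side, where the question is what a ticket or logon claims to be. The following is an added example, not code from the original page or from Mimikatz: it splits an account SID into its domain SID and RID, confirms the domain SID is the expected one, and names any privileged well-known group RIDs a claim carries. The helper names (`split_sid`, `describe_claim`) are assumptions; the domain SID is the page's example value, the well-known RID table holds the values the page names plus 519 (Enterprise Admins), and the group lists are constructed.

```python
"""Split a Windows SID into domain SID and RID, and audit claimed group RIDs.

Added example, not code from the original page or from Mimikatz. It applies the
rule stated on the page: the RID is the rightmost number of a SID and the domain
SID is what remains after removing it. The well-known RID table holds the values
the page names (500, 512, 513) plus 519 (Enterprise Admins), a standard Windows
value. The sample domain SID is the one quoted on the page; the group lists are
constructed.
"""
import re

# S-1-<authority>-<subauthority>... ; at least one sub-authority is required.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
PRIVILEGED_GROUP_RIDS = {512, 519}


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain_sid, rid) for an account or group SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a well-formed SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def describe_claim(user_sid: str, group_rids, expected_domain_sid: str) -> dict:
    """Summarise what a ticket or logon claims: domain match, user RID, privileged groups.

    group_rids is the iterable of group RIDs the claim carries (its source depends
    on your telemetry; constructed lists are used in the sample below).
    """
    domain_sid, rid = split_sid(user_sid)
    return {
        "domain_matches": domain_sid == expected_domain_sid,
        "user_rid": rid,
        "user_name": WELL_KNOWN_RIDS.get(rid, "(domain-specific account)"),
        "privileged_groups": sorted(
            WELL_KNOWN_RIDS[r] for r in set(group_rids) if r in PRIVILEGED_GROUP_RIDS
        ),
    }


DOMAIN_SID = "S-1-5-21-3871786346-2057636518-1625323419"   # example value from the page

if __name__ == "__main__":
    # Constructed claims: the built-in Administrator with Domain Admins, and an
    # ordinary (hypothetical) account whose claim carries Enterprise Admins.
    for user_sid, groups in [(f"{DOMAIN_SID}-500", [513, 512]),
                             (f"{DOMAIN_SID}-1105", [513, 519])]:
        print(describe_claim(user_sid, groups, DOMAIN_SID))
```

A claim that resolves to the right domain but carries a privileged group RID for an account that, according to the directory, holds no such membership is the kind of mismatch worth reviewing, since the page notes a forged ticket can assert arbitrary group RIDs.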
As of this writing, there are three [encryption] keys that may be used for the [{$pagename}] functionality:
* the RC4 key (which is the [NTLM] hash for the account)
* the [AES]-128 [HMAC] key
* the [AES]-256 [HMAC] key
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Detecting Forged Kerberos Ticket|https://adsecurity.org/?p=1515|target='_blank'] - based on information obtained 2017-06-21
* [#2] - [Mimikatz 2.0 - Golden Ticket Walkthrough|https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Golden_Ticket_Walkthrough.html|target='_blank'] - based on information obtained 2017-08-17
* [#3] - [COMPLETE DOMAIN COMPROMISE WITH GOLDEN TICKETS|https://blog.stealthbits.com/complete-domain-compromise-with-golden-tickets/|target='_blank'] - based on information obtained 2018-12-03