Domain Persistence: Golden Ticket Attack

Golden Ticket attack is a famous technique of impersonating users on an AD domain by abusing Kerberos authentication. As we all know Windows two famous authentications are NTLM and Kerberos in this article you will learn why this is known as persistence and how an attacker can exploit the weakness of AD.

Table of Content

  • AD Default Local Account
  • Kerberos Authentication Process
  • Forging Kerberos Tickets
  • Golden Ticket Attack
  • Golden Ticket Attack Walkthrough
    • Mimikatz
    • Impacket
    • exe
    • Metasploit
    • Empire
  • Hunting Event log Golden ticket
  • Mitigation

AD Default Local Account

Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed, and the domain is created. These default local accounts have counterparts in Active Directory

The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory.

Kerberos Authentication Process

In the Active Directory domain, every domain controller runs a KDC (Kerberos Distribution Center) service that processes all requests for tickets to Kerberos. For Kerberos tickets, AD uses the KRBTGT account in the AD domain. KRBTGT is also the security principal name used by the KDC for a Windows Server domain

  • Legitimate User: Begins the communication for a service request.
  • Application Server: The server with the service the user wants to access.
  • Key Distribution Center (KDC): KBRTGT account acts as a service account for the Key Distribution Center (KDC) and separated into three parts: Database (db), Authentication Server (AS) and Ticket Granting Server (TGS).
  • Authentication Server (AS): Verify client authentication. If the logged user is authenticated successfully the AS issues a ticket called TGT.
  • Ticket Granting Ticket (TGT): confirms to other servers that user has been authenticated.
  • Ticket Granting Server (TGS): User request for TGS from the KDC that will be used to access the service of the application server.

Forging Kerberos Tickets

Forging Kerberos tickets depends on the password hash available to the attacker

  • Golden Tickets requires the KRBTGT password hash.
  • Silver ticket requires the Service Account (either the computer account or user account) password hash.

Golden Ticket Attack

Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets,  As shown in the following image, attacker escape the 1st & 2nd Stage and initialise communication with KCD from 3rd stage. Since a Golden Ticket is a forged TGT, it is sent to the Domain Controller as part of the TGS-REQ to get a service ticket.

The TGT is used mainly to inform KDC’s domain controller that another domain controller has authenticated the users. The reality is that the TGT has the hash KRBTGT password encrypted and any KDC service inside the domain may decrypt to proves it is valid.

The requirements for forging TGT:

  • Domain Name
  • SID
  • Domain KRBTGT Account NTLM password hash
  • Impersonate user

If an intruder has access to an Active Directory forest/domain administrator/local administrator account, he/she can exploit Kerberos tickets for identity theft. A golden ticket attack is something that he/ he creates a ticket created by Kerberos that is valid for 10 years. However, if any other user has changed its password, the attacker may use the KRBTGT account to stay on the network. The attacker may also create accessible user/computer/service tickets from Kerberos for a non-existent Active Directory account.

Golden Ticket Attack Walkthrough

As we know, there is some basic requirement create a forge TGT i.e extract the “domain Name, SID, krbtgt Hash”, Once an attacker has admin access to a Domain Controller, the KRBTGT account password hashes can be extracted using Mimikatz.

  • Domain :local
  • sid: S-1-5-21-3523557010-2506964455-2614950430
  • krbtgt Hash: f3bc61e97fb14d18c42bcbf6c3a9055f
  • Impersonate User: Pavan (In My case)

Even though I have access to domain controller then also I cannot connect to the Application server using PsExce.exe as shown in the below image, now let us try this again, using forge TGT using Multiple Methods.

Mimikatz: Pass the Ticket

Mimikatz is available for Kerberos attack, it allows to create the forged ticket and simultaneously pass the TGT to KDC service to Get TSG and you will able to connect to Domain Server. This can be done by running both commands on cmd as administrator.

Above command will generate the ticket for impersonating user with RID 500.

As soon as you will run above commands you (attacker) will get a new cmd prompt which will allow to connect with domain server using PsExec.exe as shown in the below image.

Mimikatz: Generate the ticket

If you do not want to pass the ticket but want to create the forged ticket that you can use later because the TGT is valid for 10 years, you can execute below the command that generates the ticket in the form of the ticket.kirbi file.

Above command will generate the TGT key for impersonating user with RID 500.

So, whenever you want to access the Domain Server service, you can use the ticket.kirbi file. This can be done by executing the following commands:

And then repeat the above steps to access the service.

Impacket

Similarly, you can use impacket tool to get prerequisite for generating Forge Kerberos ticket, thus repeat the same step using the following command:

Here, we have used for lookupid python script to enumerate the Domain SID.

After then, used secretsdump.py the python script for extracting Krbtgt hash & domain name with the help of the following command:

Use ticketer.py script that will create TGT/TGS tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, etc. Tickets duration is fixed to 10 years from now.

Use ticket_converter.py script which will convert kirbi files into ccache file used by impacket.

Again, whenever you want to access the Domain server service you can use the ticket.kirbi file. And this can be done by executing the following commands as done in the above sections:

And then repeat the above step to access the service.

Rubeus.exe

Similarly, you can use Rubeus.exe which is an alternative option of mimikatz, Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy’s Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX’s MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization.

You can download it from here: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe

Here you need to provide application server credential and domain name in the following command to ptt (Pass the ticket).

Now run the use psexec64.exe on the same terminal to connect with the application server.

Metasploit: Kiwi

The TGT/TGS can be generated remotely using Metasploit, for you need to compromise victim’s machine who is a member of AD and then follow the below steps. Use kiwi to enumerate krbtgt hash & SID of the domain controller.

Collect the domain name and other required details of the network using the following command:

Now, use above enumerated information to generate Ticket use module:golden_ticket_create, it will store the ticket.kirbi on the desktop of my local machine.

Metasploit: Mimikatz Powershell Script

Similarly, you can use Powershell Script of Mimikatz to generate Ticket remotely for injecting in an application server or to store in form of kirbi format for future use. Now upload mimikatz powershell script to generate TGT and for this run given commands.

When you have all required information then generate forge Ticket with the help of the following command.

Above command will generate the Token for impersonating user with RID 500.

Once the attacker generates forge ticket, he/she can use this ticket in future to access the service of the application server by executing the following commands.

Similarly, if you want to inject Ticket at the time it is generated to access the application server within that moment, then you run the below command.

Powershell Empire

When it comes for generating TGT/TGS, the powershell empire is the most dangerous framework, because once you have compromise victim machine who is member of AD, then you can use the following module directly without admin privilege session.

This is a dynamic way to generate ticket because this module can be run without having admin privilege session and it will inject the ticket into the current session and the attacker can get direct access of the server.

Hunting Event log Golden ticket

When a bogus user account (one not in the AD Forest) is used with the RID of an existing AD account(Yashika). The bogus user here is “pavan” and has the groups set to the standard Golden

Ticket admin groups. an event log is generated for his logon activity and the event ID should be 4769, it will disclose the impersonate username and machine IP. 

In the normal, valid account logon events, the event data structure is:

  • Security ID: DOMAIN\AccountID
  • Account Name: AccountID
  • Account Domain: DOMAIN

Mitigation

  1. Reset the krbtgt account password/keys

Microsoft has released the script to reset the krbtgt account password/keys which were not possible earlier. This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation.

You can download it from here. This script is applicable for the following Platform:

  1. Install endpoint protection to block attackers from loading modules like mimikatz & powershell scripts
  2. Limit privilege for Admin and Domain Administrator access.
  3. Alert on known behaviours that indicates Golden Ticket or other similar attacks.

Reference:

https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection-wp.pdf

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn745899(v=ws.11)?redirectedfrom=MSDN#default-local-accounts-in-active-directory