Saturday 13 February 2021

Owning the domain using Golden Tickets

What is a Golden Ticket attack?


As explained in my post on Kerberoasting, to access a service within the domain a user must first acquire a Ticket Granting Service (TGS) ticket from the DC for that service. The user then presents the TGS to the service and, depending on their permissions, is either granted or denied access. The TGS is encrypted with the service account's hash, which lets the service verify it without the user needing to know the service account's credentials and without any credentials being sent in clear text. Now, the Kerberos service that issues these TGS tickets on the Domain Controller does so using the key of the "krbtgt" account. So what if we have the credentials for the krbtgt account? That's right: we can issue our own TGS tickets for any service on the entire domain and gain access to everything. Hence the name Golden Ticket.

Using Mimikatz to generate a Golden Ticket

"Mimikatz is an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks." Mimikatz can be downloaded from https://github.com/gentilkiwi/mimikatz/wiki. 
As this is a post-compromise attack, this post assumes you have already gained remote access to the domain controller and uploaded Mimikatz to the system. The first command you should always run in mimikatz is "privilege::debug". Next we need some authentication details for the krbtgt account: the domain SID and the NTLM hash, which we can pull with: lsadump::lsa /inject /name:krbtgt

Using these credentials we can generate a golden ticket with the command:
kerberos::golden /User:Administrator /domain:pwnme.local /sid:S-1-5-21-1005202765-2145341796-1970445350 /krbtgt:4eee7449c5c6f03e7e7361d2f7e0a16d /id:500 /ptt

Note: the username can be anything you want; the user does not even need to exist. /id is the RID of the default Administrator account (500), and /ptt stands for "Pass The Ticket": once we have the golden ticket we simply pass it along with every authentication request.


Something to note in the output above is that it says "For current session", so we need to open a new command prompt within the current session in order to pass the ticket with each command. Open one with: "misc::cmd". Now we have a command prompt that can access any and all machines, services, directories, credentials etc. on the entire domain.
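As an added defender-side example (not from the post, and not Mimikatz code), here is a small Python check that turns two facts above into detections over Windows Security events: a forged ticket can name an account that does not exist, and its PAC carries the SID built from /sid and /id, so the name and SID on the resulting logon need not agree. The event dicts, the directory snapshot and the IP addresses are constructed sample data; only the domain SID is the one shown in the post.

```python
from typing import Dict, List

# Domain SID from the post; the SID -> account map is constructed sample data.
DOMAIN_SID = "S-1-5-21-1005202765-2145341796-1970445350"
DIRECTORY: Dict[str, str] = {
    f"{DOMAIN_SID}-500": "Administrator",
    f"{DOMAIN_SID}-1105": "j.doe",
}
# 4769 TicketEncryptionType of an RC4-HMAC ticket, which a ticket forged from the
# krbtgt NTLM hash (as in the post) uses; an indicator only where AES is the norm.
RC4_HMAC = "0x17"


def indicators(ev: Dict[str, object], directory: Dict[str, str]) -> List[str]:
    """Return the golden-ticket indicators found in one parsed Security event."""
    found: List[str] = []
    name = str(ev.get("TargetUserName", "")).split("@")[0].lower()
    if ev["EventID"] == 4769:
        # The forger chooses the name freely; a name missing from the
        # directory should never be requesting service tickets.
        if name not in {n.lower() for n in directory.values()}:
            found.append(f"TGS request for unknown account '{name}'")
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            found.append("RC4 ticket where AES is expected")
    elif ev["EventID"] == 4624 and ev.get("AuthenticationPackageName") == "Kerberos":
        # The PAC SID comes from /sid + /id, the name from /User, so an
        # invented name arrives with a SID that belongs to someone else.
        sid = str(ev.get("TargetUserSid", ""))
        real = directory.get(sid)
        if real is None:
            found.append(f"logon with SID {sid} not in directory")
        elif real.lower() != name:
            found.append(f"name/SID mismatch: '{name}' logged on with SID of {real}")
    return found


# Constructed events: a benign logon, then a TGS request and a logon made with
# a ticket forged for a non-existent name and RID 500, as in the post.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4624, "TargetUserName": "j.doe", "TargetUserSid": f"{DOMAIN_SID}-1105",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TargetUserName": "nosuchuser@PWNME.LOCAL",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "TargetUserName": "nosuchuser", "TargetUserSid": f"{DOMAIN_SID}-500",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.99"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], ev["IpAddress"], indicators(ev, DIRECTORY))
```

The directory snapshot would normally be refreshed from AD; a name/SID mismatch is a strong signal, while the RC4 check needs to be tuned to what the domain actually negotiates.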



Accessing machines with psexec
