Golden Ticket attacks

Carrying on from my previous blog post, we have compromised a domain controller and are now running as the administrator user. From here we want to gain a level of persistence on the domain, we can do this by crafting Golden-Tickets. With one of these we can create other users, make them domain admins and even remote to other computers and servers around the network if we know their FQDN or IP addresses.

The first thing we need to do and should be able to do with our current user privileges, is get Mimikatz on the machine. We will be using Mimikatz to view and steal credentials and account hashes stored in memory to be able to generate Kerberos tickets and leverage other attacks.

We want to run Mimikatz and then use the module privilege with debug.

privilege::debug 

This will give us the appropriate permissions to run further modules such as sekurlsa within Mimikatz. The debug option allows us to debug a process that we would not otherwise have access to, we'll be able to dump information from memory and to do so we need to be able to debug processes and bypass protections.

Before we move right into attacking the krbtgt account, we can run a few commands to see who has logged into the domain controller since it's last reboot. As NTLM hashes are stored in memory, we can dump them all, including the domain admin 'Master' account. Highlighted below we have the wdigest which in older versions of windows was used to store plaintext passwords which has now been disabled and set to null. A quick attack we could perform is to enable this feature and wait for a user to log into the domain controller and we would then have a plaintext password for that user.

sekurlsa::logonpasswords

Through Mimikatz, we can also dump the LSA (local security authority) which is a protected sub system in windows authentication which authenticates and creates logon sessions to a local computer. This is actually the first step in performing a Golden Ticket attack as we can see the NTLM hash below for the krbtgt account

lsadump::lsa /patch

Generating the Golden Ticket

We know we need to attack the krbtgt account, but we haven't really explained why?

The Krbtgt account is the Kerberos ticket granting account, if we can obtain a hash for this account we can then generate ticket granting tickets. We can then use this ticket to request tickets to access any resource on the domain. We could also generate a Golden Ticket to then have complete access over the domain and remote into any machine.

Instead of dumping all of the hashes, we can alter our lsadump syntax to just dump the hashes for the krbtgt account only with addiontial information we need to generate a Golden Ticket.

lsadump::lsa /inject /name:krbtgt

The first piece of information we need is the SID of the domain.

S-1-5-21-4019699829-3312747314-3805498247

We also need the NTLM hash of the krbtgt account.

0233c211aa5e050a7898c76e382a08c3

We then use the following command to generate the Golden Ticket:

kerberos::golden /user:administrator /domain:marvel.local /sid:S-1-5-21-4019699829-3312747314-3805498247 /krbtgt:0233c211aa5e050a7898c76e382a08c3 /id:500 /ptt

We use a user named administrator for the sake of naming conventions, however this could be any username we choose. An id of 500 is the RID of the administrator account which is 500 and ptt stands for Pass The Hash. We generate the ticket and we then pass it to the next session to open a command prompt using this session.

The below command will open a CMD command prompt using the session and new ticket we just created.

misc::cmd

From this new command prompt we are able to UNC to any machine on the domain and list the C$ directory. But we can take this further, we can get a shell on these machines.

We download psexec.exe onto the domain controller and run it via our new CMD command prompt to access and get a shell on the machines on the domain. Psexec is part of the Sysinternals suite and allows for IT administrators to launch interactive command prompts and run as local system on remote computers. This is a pretty powerful tool!

Psexec.exe \\thepunisher cmd.exe

Psexec.exe \\spiderman cmd.exe

A golden ticket can be thought of as persistence, where we can create other users and make them a domain admin or even create other computers. This may get picked up, adding users to a domain and to domain admins will surely raise some alarms, so we could just use a golden ticket to remote around the network and access any resources we want with some level of stealthiness.

Congratulations, we have now generated a Golden Ticket which can be used to access any machine and resource on the domain. From here, we could potentially add some back door users, access backup or application servers or just snoop around the network and exfiltrate information.

In the next few blog posts to come, I will be covering other Active Directory attacks such token impersonation and kerberoating.