Golden Ticket Attacks

Overview

Description

A Golden Ticket attack is a malicious cybersecurity attack in which a threat actor attempts to gain almost unlimited access to an organization’s domain (devices, files, domain controllers, etc.) by accessing user data stored in Microsoft Active Directory (AD). It exploits weaknesses in the Kerberos identity authentication protocol, which is used to access the AD, allowing an attacker to bypass normal authentication.

As an increasing number of companies shift both to the cloud and a remote-first setting, the attack surface has grown beyond the traditional perimeter, with employees logging into company systems using their own devices and networks. This in turn has increased the risk that attackers will be able to break into a network and use a Golden Ticket attack to gain access.

Reference: https://www.crowdstrike.com/cybersecurity-101/golden-ticket-attack/#:~:text=A%20Golden%20Ticket%20attack%20is,Microsoft%20Active%20Directory%20(AD).

Tasks

Lab Environment

In this lab environment, you have GUI access to a Windows Server 2012 machine that acts as your workstation. You are logged in with the domain user account "Research/Student". This workstation has been configured with vulnerabilities linked to Golden Ticket attacks, a potent form of Kerberos manipulation, providing a real-world scenario in which to practice your cybersecurity skills.

Your task is to simulate a 'Golden Ticket' attack to exploit the Kerberos ticket-granting ticket (TGT). If executed successfully, you could gain extensive privileges and control over the Active Directory domain.

Objective: Simulate a Kerberos: Golden Ticket attack to generate a ticket-granting ticket, and escalate privileges to obtain domain controller access.

Below are the tasks that you need to perform:

  • Task 1: Extract Administrator's NTLM Hash

  • Task 2: Execute Pass-the-Hash Attack

  • Task 3: Retrieve KRBTGT Account Hash

  • Task 4: Generate and Implement a Golden Ticket

  • Task 5: Validate Access to Domain Controller

Tools

The best tools for this lab are:

  • PowerView

  • Invoke-Mimikatz

Solution

Step 1: Open the lab link to access the following:

Workstation

(screenshot)

What is PowerView?

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.

Reference: https://powersploit.readthedocs.io/en/latest/Recon/#powerview

Task 1: Extract Administrator's NTLM Hash

Step 1: Run PowerShell as Local Administrator

To proceed with the attack, you need to ensure that you are running PowerShell as a local administrator. This ensures that you have the necessary permissions to execute the Invoke-Mimikatz commands.

Search for PowerShell, right-click it and choose Run as administrator.

(screenshot)

Click on Yes.

(screenshot)

We now have a PowerShell session running as the local administrator.

It seems like we have a directory called C:\Tools that contains the necessary tools for enumeration and exploitation.

Step 2: Change the directory to C:\Tools by running the following command.

Command:

(screenshot)

The directory changed to C:\Tools.

Step 3: Enable execution policy bypass and import the PowerView module.

Command:

(screenshot)

This command starts a new PowerShell session with the execution policy bypassed, allowing you to run scripts that may otherwise be blocked.

The dot followed by a space and the script's path (.\PowerView.ps1) dot-sources the script, executing it within the current PowerShell session. Ensure that the PowerView.ps1 script is located in the current directory (C:\Tools).

To kickstart our attack, we first need to extract the Administrator's NTLM hash using the Invoke-Mimikatz tool.

Step 4: Import Mimikatz Module

Start by importing the Invoke-Mimikatz PowerShell module into your current session. This module includes multiple features to help manipulate and use hashes and tickets in Active Directory environments.

Command:

(screenshot)

The command above is a dot-sourcing operation. Dot sourcing runs the script in the current scope. If any functions, aliases, or variables are defined in the script, they are available in the current scope.

Step 5: Verify Domain Controller Access

Before extracting the hash, check if you already have access to the domain controller. It's useful to verify this before proceeding with the attack.

Command:

(screenshot)

This command attempts to list the root of the C drive on the domain controller at prod.research.security.local. If access is granted, you won't need to proceed with extracting the Administrator's NTLM hash.

As you can see, access is denied, which means you need to move forward with the attack.

Step 6: Extract Admin NTLM Hash

Invoke-Mimikatz has a feature that allows you to enable debug privileges and extract logon password hashes. Execute the following command to retrieve the NTLM hash for the Administrator.

Command:

(screenshot)

Note the Administrator's NTLM hash and the domain SID, i.e. 84398159ce4d01cfe10cf34d5dae3909 and S-1-5-21-1693200156-3137632808-1858025440 respectively.

The "privilege::debug" command enables debug privileges in the current session, while "sekurlsa::logonpasswords" extracts credentials (including NTLM hashes) from memory.

Now that you've successfully retrieved the Administrator's NTLM hash, you can move on to the next task, which is to perform a Pass-the-Hash attack.

Task 2: Execute Pass-the-Hash Attack

Now that we've successfully extracted the Administrator's NTLM hash, we can use it to authenticate as the Administrator without needing their actual password. This technique is known as a Pass-the-Hash (PtH) attack.

Step 7: Performing the PTH Attack

To execute a Pass-the-Hash attack, you can use the Invoke-Mimikatz PowerShell module again.

Command:

(screenshot)

In this command, you're using the "sekurlsa::pth" functionality of Mimikatz, which creates a new process with the supplied credentials (NTLM hash). This new process will have the same access privileges as the original user (Administrator in this case).

Task 3: Retrieve KRBTGT Account Hash

After successfully performing a Pass-the-Hash attack, the next step is to retrieve the hash of the krbtgt account. The krbtgt account is a service account that issues Kerberos Ticket Granting Tickets (TGTs) within an Active Directory environment.

Step 8: Extracting the krbtgt account's password NTLM hash

Now that we have the command prompt spawned by the PtH attack, we will use it to retrieve the krbtgt hash. For that, we will run the Invoke-Mimikatz module inside it.

Use Invoke-Mimikatz again to dump the NTLM hashes from the Security Accounts Manager (SAM) database.

Command:

(screenshot)

Command:

(screenshot)

In this command, "lsadump::lsa" dumps the LSA secrets, and "/patch" makes Mimikatz patch the process to allow exporting secrets.

We have successfully extracted the krbtgt account's password NTLM hash, i.e. 0e3cab3ba66afddb664025d96a8dc4d2.

Task 4: Generate and Implement a Golden Ticket

The final step is to create a "Golden Ticket". This is a forged Ticket Granting Ticket (TGT) that can provide you with extensive privileges and control over the Active Directory domain.

Step 9: Creating a forged golden ticket

To generate a golden ticket, you need to use Invoke-Mimikatz again, but this time with different parameters.

Go back to the previous PowerShell terminal and enter the following:

Command:

(screenshot)

In this command, "kerberos::golden" generates a golden ticket. "/user" is the user for whom the ticket is generated. "/domain" specifies the domain. "/sid" is the security identifier of the domain. "/krbtgt" is the NTLM hash of the krbtgt account. "/id" and "/groups" specify the user's RID and group membership. "/startoffset", "/endin", and "/renewmax" set the ticket's valid time, expiration time, and maximum renewable time. "/ptt" injects the ticket into the current session.

After executing the above steps, you should have gained extensive privileges and control over the Active Directory domain.

Task 5: Validate Access to Domain Controller

Step 10: Checking Kerberos Ticket Cache

To verify that the forged TGT is present in the Kerberos ticket cache, execute the following command:

Command:

(screenshot)

The klist command displays the tickets present in the Kerberos ticket cache. By executing it, you can check whether the golden ticket injected in Step 9 is stored in the cache. The output shows the details of each ticket, including the client and server (service) names, start and expiration times, and session key information.
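From the defender's side, the same klist details, together with the /endin and /renewmax parameters described under Step 9, are what make a forged TGT stand out: a ticket whose lifetime or renewal window exceeds the domain's Kerberos policy, or which is RC4-encrypted (as a ticket built from the krbtgt NTLM hash is) in a domain that issues AES tickets, deserves investigation. The following script is an added example, not part of the lab or of the Invoke-Mimikatz project. It parses klist output and reports such tickets; the sample output, the policy values (Active Directory's defaults of a 10-hour ticket lifetime and 7-day renewal window) and the function names are assumptions made for this example.

```python
"""Flag cached Kerberos tickets whose properties exceed domain policy.

Added example, not from the lab: parses `klist` output and reports tickets whose
lifetime or renewal window exceeds Kerberos policy, or which use RC4 where AES is
expected. The klist text below is constructed, not captured from the lab machine.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample: ticket #0 mimics a forged TGT with a ten-year lifetime,
# ticket #1 is a normally issued TGT within policy.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: Administrator @ RESEARCH.SECURITY.LOCAL
        Server: krbtgt/RESEARCH.SECURITY.LOCAL @ RESEARCH.SECURITY.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/12/2024 9:00:00 (local)
        End Time:   5/12/2034 9:00:00 (local)
        Renew Time: 5/12/2034 9:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

#1>     Client: student @ RESEARCH.SECURITY.LOCAL
        Server: krbtgt/RESEARCH.SECURITY.LOCAL @ RESEARCH.SECURITY.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        Start Time: 5/12/2024 8:30:00 (local)
        End Time:   5/12/2024 18:30:00 (local)
        Renew Time: 5/19/2024 8:30:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""

DATE_FMT = "%m/%d/%Y %H:%M:%S"  # klist date layout on an en-US system (assumed)


@dataclass
class Ticket:
    index: int
    client: str
    server: str
    encryption: str
    start: datetime
    end: datetime
    renew: datetime


def _field(block: str, name: str) -> str:
    """Return the value of a 'Name: value' line inside one ticket block."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", block, re.M)
    if not m:
        raise ValueError(f"missing field {name!r}")
    return m.group(1)


def _when(block: str, name: str) -> datetime:
    """Parse a klist timestamp such as '5/12/2024 9:00:00 (local)'."""
    raw = _field(block, name).split(" (")[0]
    return datetime.strptime(raw, DATE_FMT)


def parse_klist(text: str) -> List[Ticket]:
    """Split klist output into ticket blocks (each starts with '#<n>>')."""
    tickets = []
    for m in re.finditer(r"^#(\d+)>(.*?)(?=^#\d+>|\Z)", text, re.M | re.S):
        block = m.group(2)
        tickets.append(Ticket(
            index=int(m.group(1)),
            client=_field(block, "Client"),
            server=_field(block, "Server"),
            encryption=_field(block, "KerbTicket Encryption Type"),
            start=_when(block, "Start Time"),
            end=_when(block, "End Time"),
            renew=_when(block, "Renew Time"),
        ))
    return tickets


def check_tickets(tickets: List[Ticket],
                  max_ticket_age: timedelta = timedelta(hours=10),
                  max_renew_age: timedelta = timedelta(days=7),
                  require_aes: bool = True) -> List[Tuple[int, str]]:
    """Return (ticket index, reason) pairs for tickets outside policy."""
    findings = []
    for t in tickets:
        lifetime = t.end - t.start
        renew_window = t.renew - t.start
        if lifetime > max_ticket_age:
            findings.append((t.index, f"lifetime {lifetime} exceeds policy {max_ticket_age}"))
        if renew_window > max_renew_age:
            findings.append((t.index, f"renew window {renew_window} exceeds policy {max_renew_age}"))
        if require_aes and "RC4" in t.encryption.upper():
            findings.append((t.index, f"RC4-encrypted ticket ({t.encryption}) where AES is expected"))
    return findings


if __name__ == "__main__":
    for idx, reason in check_tickets(parse_klist(SAMPLE_KLIST)):
        print(f"ticket #{idx}: {reason}")
```

Run it against real output by piping `klist` into the parser, and set the policy arguments to the values configured in the domain's Default Domain Policy. A forger who sets /endin and /renewmax to match policy will not trip the lifetime checks, so treat them as a high-confidence but non-exhaustive signal; the RC4 check is only meaningful in domains where the KDC issues AES tickets for the accounts in question.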

Step 11: Verify access to the domain controller.

Command:

(screenshot)

The command dir \\prod.research.security.local\c$ performs a directory listing of the root directory (C drive) on the domain controller named prod.research.security.local.

By executing this command, you are attempting to access and list the contents of the root directory (C:) on the specified domain controller. The dir command is a shorthand for the Get-ChildItem cmdlet in PowerShell, which retrieves the items (files and folders) within a specified directory.

We can see that we now have access to the C drive on the domain controller named prod.research.security.local.

Conclusion

In this lab, we successfully delved into the realm of Kerberos: Golden Ticket attack. Through a series of meticulously orchestrated steps, we were able to exploit vulnerabilities in the Active Directory environment, achieving an unauthorized elevation of access privileges.
