Golden Ticket Attacks
A Golden Ticket attack is one of the most powerful types of attacks in a Kerberos-based authentication system, like those used in Active Directory (AD). In a Golden Ticket attack, an attacker compromises the krbtgt account (the Kerberos Ticket Granting Ticket service account) and forges a Kerberos Ticket Granting Ticket (TGT). This forged TGT allows the attacker to gain unrestricted access to all resources and systems within the domain.
Compromise the krbtgt Account:
The attacker first needs to obtain the NTLM hash of the krbtgt account, which is the Kerberos Ticket Granting Ticket (TGT) service account in an Active Directory (AD) domain. This can be done using tools like Mimikatz.
Using lsadump in Mimikatz, the attacker can dump the NTLM hash of the krbtgt account.
Forge a Golden Ticket:
With the NTLM hash and the SID of the domain, the attacker can create a Golden Ticket using the krbtgt account. The kerberos::golden command in Mimikatz is used to forge a TGT, which allows the attacker to impersonate any user, including an admin (e.g., admin).
Access Domain Resources:
Once the Golden Ticket is forged, the attacker has unrestricted access to the domain. Using tools like Impacket's cdm (Command Line Client) or PsExec, the attacker can interact with machines within the domain.
For example, using cdm, the attacker can access a remote machine (e.g., THEPUNSIER) and run commands, like viewing the contents of the C$ share:
This allows the attacker to see the contents of the C$ administrative share on the THEPUNSIER machine.
Using PsExec for Remote Command Execution:
The attacker can use PsExec to remotely execute commands on the compromised machine.
If PsExec is available on the target system, the attacker can execute a command like:
This will open a remote shell on the THEPUNSIER machine, allowing the attacker to execute commands as an administrator.
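The defender's counterpart to the steps above: a forged TGT never passes through the KDC, so the service-ticket requests (Event ID 4769) it produces have no matching TGT request (Event ID 4768), and forged tickets default to RC4 where a domain normally issues AES. The following detection heuristic is an added example, not code from the original page; the event records, account names and addresses are constructed, and the `find_suspicious_tgs` and `normalize_account` helpers are hypothetical names.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (hypothetical values),
# already aggregated from every domain controller. 4768 = TGT requested from
# the KDC, 4769 = service ticket requested by presenting a TGT. A forged
# Golden Ticket never passes through the KDC, so its 4769 events have no
# earlier 4768 from the same account and client address.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "account": "jdoe", "ip": "10.0.0.5", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-01T08:00:05", "account": "jdoe@CORP.LOCAL", "ip": "10.0.0.5", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-01T09:30:00", "account": "admin@CORP.LOCAL", "ip": "10.0.0.77", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:30:02", "account": "admin@CORP.LOCAL", "ip": "10.0.0.77", "etype": "0x17"},
]

def normalize_account(name):
    # 4769 logs "user@REALM", 4768 logs the plain sAMAccountName; compare on the user part.
    return name.split("@")[0].lower()

def find_suspicious_tgs(events, max_tgt_age=timedelta(hours=10), aes_only=True):
    """Flag 4769 events that look like Golden Ticket use.

    Heuristics: (1) no 4768 for the same account and client IP within the
    domain's maximum TGT lifetime (10 h by default policy); (2) an RC4 service
    ticket (etype 0x17) in a domain that normally issues AES (0x11/0x12).
    Ticket renewals are not modelled, so long-lived legitimate sessions need
    review before alerting. Returns a list of finding dicts.
    """
    last_tgt = {}  # (account, ip) -> time of the most recent 4768
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = (normalize_account(e["account"]), e["ip"])
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4768:
            last_tgt[key] = t
            continue
        if e["id"] != 4769:
            continue
        reasons = []
        seen = last_tgt.get(key)
        if seen is None or t - seen > max_tgt_age:
            reasons.append("no TGT request (4768) seen for this client")
        if aes_only and e["etype"] == "0x17":
            reasons.append("RC4 service ticket in an AES domain")
        if reasons:
            findings.append({"account": key[0], "ip": key[1], "time": e["time"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_tgs(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, only the two `admin` requests from 10.0.0.77 are flagged, each for both reasons; the `jdoe` request is preceded by its own 4768 and uses AES.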