search

Kerberos: Golden Tickets

Persistence and Privilege Escalation with Golden Kerberots tickets

This lab explores an attack on Active Directory Kerberos Authentication. To be more precise - an attack that forges Kerberos Ticket Granting Tickets (TGT) that are used to authenticate users with Kerberos. TGTs are used when requesting Ticket Granting Service (TGS) tickets, which means a forged TGT can get us any TGS ticket - hence it's golden.

This attack assumes a Domain Controller compromise where KRBTGT account hash will be extracted which is a requirement for a successful Golden Ticket attack.

hashtag
Execution

Extracting the krbtgt account's password NTLM hash:

attacker@victim-dc
mimikatz # lsadump::lsa /inject /name:krbtgt

Creating a forged golden ticket that automatically gets injected in current logon session's memory:

Checking if the ticket got created:

Opening another powershell console with low privileged account and trying to mount a c$ share of pc-mantvydas and dc-mantvydas - not surprisingly, returns access denied:

However, switching back to the console the attacker used to create the golden ticket (local admin) and again attempting to access c$ share of the domain controller - this time is a success:

hashtag
Observations

hashtag
References

Stealthbitsblog.stealthbits.comchevron-right
Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active DirectoryActive Directory & Azure AD/Entra ID Securitychevron-right
PreviousKerberoastingNextKerberos: Silver Tickets

Last updated