Active Directory walkthrough series: GOLDEN TICKET

Introduction

In this article series, we will look at the most famous ways that can be used to attack Active Directory and achieve persistence. This article will focus on Golden Ticket.

Note: Attacks discussed in this series have already been publicly disclosed on different forum. This series is for educational purposes only.

Assumption

We will assume that the target domain is already breached and that the attacker is now trying to pivot from the breached machine/host to gain higher privileges.

Lab setup

Domain controller: kidulala-dc.kidulala.local

Sponsorships Available

Sponsorships Available

Sponsorships Available

Domain user: KIDULALA/lala

Domain admin: KIDULALA/chotu

Kerberos authentication

To understand Golden Ticket, it is very important for us to understand how Kerberos authentication works. Let’s take a look.

Step 1: A user’s password is converted to an NTLM hash, and the timestamp is encrypted with this hash and sent to KDC. This step is often called AS-REQ (authentication server — request). Basically, the user is proving its identity to the ticket-granting server.

Step 2: Since the KDC has the NTLM hash of all users, it was able to decrypt the message retrieved in Step 1. After this, KDC grants a TGT (ticket-granting ticket) back to the user. This ticket is encrypted with a special user on the Domain Controller, known as krbtgt. This means that when the user receives the ticket, he cannot decrypt it, since the krbtgt hash is only on DC. This step is often called AS-REP (authentication server — response).

Step 3: In this step, the user asks for TGS (ticket-granting service); a ticket to access the actual service user is interested in. In this step, the user sends the TGT back to the KDC along with the requested TGS. This step is often called TGS-REQ (TGS request).

Step 4: In this step, KDC sends back the requested TGS, which (Read more...)