Windows Golden Ticket

👉 Overview


👀 What ?

A Golden Ticket is a forged Kerberos ticket granting ticket (TGT). In a Windows domain, every TGT is normally issued by the Key Distribution Center (KDC) on a domain controller and encrypted with the key of the krbtgt account. An adversary who obtains that key can mint their own TGTs for any account in the domain, with whatever group memberships and lifetime they choose, and the KDC accepts them as genuine, which effectively grants access to any Kerberos-authenticated resource on the network.

🧐 Why ?

Understanding the principles of the Windows Golden Ticket attack is crucial for both network administrators and cybersecurity professionals. For administrators, it can help identify potential weaknesses in their network's security. For cybersecurity professionals, it can aid in threat hunting and incident response. The attack exploits a critical aspect of the Windows Active Directory service, making it a severe threat to any organization using this service.

⛏️ How ?

To forge a Golden Ticket the adversary needs the krbtgt account's key (its NT hash, or its AES key) and the domain SID. The krbtgt hash is stored only in the domain database (NTDS.dit) and in the LSASS of domain controllers, so obtaining it requires domain-controller or directory-replication access, which in practice means first compromising a domain administrator. With the hash, a tool such as Mimikatz (kerberos::golden) builds the ticket and injects it into the current logon session; from then on any resource in the domain that accepts Kerberos authentication is reachable as the forged identity.

⏳ When ?

The technique was publicly documented around 2014, when Mimikatz gained its kerberos::golden module. It remains relevant because Active Directory is ubiquitous and the krbtgt key is rarely rotated, so a key stolen once stays usable for years.

⚙️ Technical Explanations


The Golden Ticket attack abuses the Kerberos authentication protocol used by Windows Active Directory. A user first authenticates to the KDC and receives a TGT (the AS exchange); the client then presents that TGT to obtain service tickets for individual servers (the TGS exchange). The krbtgt account, created with the domain, holds the key that encrypts every TGT and signs the Privilege Attribute Certificate (PAC) inside it, the structure that carries the user's SID and group memberships. The KDC trusts any TGT it can decrypt and verify with that key.

In a Golden Ticket attack, an adversary obtains the krbtgt key. That key is effectively the root secret of the domain: whoever holds it can produce TGTs that are cryptographically indistinguishable from KDC-issued ones. Getting it requires already-privileged access, typically by dumping NTDS.dit or LSASS on a domain controller, or by abusing directory replication rights (DCSync) from any host on the network.

With the krbtgt key, the attacker uses a tool such as Mimikatz to generate a TGT for an arbitrary principal, the Golden Ticket. Because the attacker writes the PAC, the ticket can carry any group memberships (Mimikatz defaults to Domain Admins, Enterprise Admins and other privileged groups) and any lifetime (default ten years, far beyond the domain's TGT policy). Injected into the attacker's session with pass-the-ticket, it authenticates to any resource in the domain that accepts Kerberos.

The severity lies in what is bypassed and how little is logged. The KDC only checks that a presented TGT decrypts and verifies under the krbtgt key, not whether it ever issued that ticket, so every control applied at issuance (password, group membership, logon hours, account disablement) is skipped. Because the ticket is cryptographically valid, signature-based tooling sees nothing wrong; detection has to rely on behavioural anomalies such as service-ticket requests from a client that never requested a TGT, ticket lifetimes that exceed policy, or RC4 encryption in a domain that otherwise uses AES.

Mitigation has a proactive and a reactive side. Proactively, the krbtgt password is randomly generated and never typed, so "strong password" is not the lever; what matters is keeping the key out of reach (tiered administration so domain-admin credentials never touch workstations, Protected Users, monitoring for DCSync replication by non-DC accounts) and rotating the key on a schedule so that a stolen copy expires. Reactively, after a confirmed compromise the krbtgt password is reset twice: the KDC keeps the previous key to honour tickets still in flight, so a single reset leaves a Golden Ticket working. Allow replication to complete between the two resets and expect users and services to re-authenticate, otherwise domain controllers still holding the old key reject legitimate tickets and the rotation itself becomes the outage.

To illustrate the Golden Ticket attack, we will walk through a hypothetical scenario. Please note that this is for educational purposes only and should not be used for malicious intent.

  1. Initial System Access: The attacker first needs a foothold on a host inside the target network, through phishing, an exploitable service, or stolen credentials. One noisy option is online password guessing against SMB with Hydra against a low-privileged domain account; on a domain account this risks triggering lockout and will show up in the domain controller's failed-logon audit.

    hydra -l user -P passlist.txt targetIP smb
    
    
  2. Privilege Escalation: With a foothold, the attacker works towards domain administrator rights. Exploiting an unpatched host is one route; EternalBlue (MS17-010) via Metasploit yields SYSTEM on that single host, not domain admin by itself. The attacker then harvests credentials and tickets from that host (and from any host where a domain administrator has logged on) until a domain-admin credential, or an account with directory replication rights, is in hand.

    use exploit/windows/smb/ms17_010_eternalblue
    set RHOSTS targetIP
    exploit
    
    
  3. krbtgt Hash Extraction: With domain admin rights, the attacker can pull the krbtgt hash. The krbtgt account never logs on, so it is not present in any host's LSASS memory and sekurlsa::logonpasswords will not return it. Instead, Mimikatz asks a domain controller to replicate the account exactly as a peer DC would (DCSync); this only needs the replication rights Domain Admins already hold and works from any domain-joined host.

    mimikatz # privilege::debug
    mimikatz # lsadump::dcsync /domain:targetDomain /user:krbtgt
    
    

    The output lists the krbtgt NT hash ("Hash NTLM") and its AES keys. The domain SID needed in the next step is any domain user's SID with its final RID component removed (whoami /user prints it on a domain member).

  4. Golden Ticket Creation: With the krbtgt hash and the domain SID, the attacker forges the ticket, again with Mimikatz.

    mimikatz # kerberos::golden /user:Administrator /domain:targetDomain /sid:domainSID /krbtgt:krbtgtHash /ptt
    
    

    This forges a TGT for Administrator and injects it into the current logon session (/ptt). Mimikatz fills in the rest with attacker-friendly defaults: RID 500 (/id), membership of the Domain Admins, Enterprise Admins, Schema Admins and Group Policy Creator Owners groups (/groups), a ten-year lifetime, and RC4 encryption because an NT hash was supplied (passing the AES key with /aes256 instead produces an AES ticket that blends in better). On domain controllers with the November 2021 PAC hardening enforced, the account named in /user must exist and /id must be its real RID, otherwise the KDC rejects service-ticket requests made with the forged TGT.

  5. Network Exploration: With the Golden Ticket in the session, the attacker requests service tickets and authenticates to any service that accepts Kerberos: file shares, databases, mail servers, the domain controllers themselves. Each service sees an ordinary Kerberos logon for the named account, and the domain controller only ever sees service-ticket requests (event 4769), never the TGT request (event 4768) that a real logon would have produced.
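The gap mentioned in step 5, service-ticket requests with no preceding TGT request from the same client, is the most useful hunting signal, and the RC4 default from step 4 is a second one. The following is an added example, not code from the original page: it runs both checks over a constructed sample of Windows Security events 4768 (Kerberos TGT requested) and 4769 (Kerberos service ticket requested), reduced to the fields the rules need. The field names, IP addresses, account names and service names are this example's own.

```python
"""Hunting for Golden Ticket use in Kerberos audit events.

Added example, not the page's own code. Input is a constructed list of
events in the shape of Windows Security log 4768 (TGT requested) and 4769
(service ticket requested), reduced to a few fields with this example's own
names. Two rules:

  1. tgs_without_as_req: a client presents a TGT (4769) for an account for
     which this KDC logged no AS exchange (4768) from that client within the
     TGT lifetime window. A forged TGT is never issued, so the 4768 is absent.
     Gather 4768s from every DC first, since the AS-REQ may have gone to a
     different one; otherwise this rule produces false positives.
  2. rc4_ticket: a 4769 with ticket encryption type RC4-HMAC (0x17).
     kerberos::golden builds RC4 tickets when given only the NT hash, so RC4
     in an AES domain deserves a look (weak on its own: legacy services still
     negotiate RC4 legitimately).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RC4_HMAC = 0x17                                # Kerberos etype 23
DEFAULT_TGT_LIFETIME = timedelta(hours=10)     # AD default MaxTicketAge

# Constructed sample, not real log data. 10.0.0.5 is a normal workstation;
# 10.0.0.99 is an attacker host replaying a Golden Ticket via pass-the-ticket.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 4768, "time": "2024-05-01T09:00:00", "user": "alice", "ip": "10.0.0.5", "etype": 0x12},
    {"id": 4769, "time": "2024-05-01T09:00:05", "user": "alice", "ip": "10.0.0.5", "etype": 0x12, "service": "cifs/fs01"},
    {"id": 4769, "time": "2024-05-01T09:10:00", "user": "Administrator", "ip": "10.0.0.99", "etype": 0x17, "service": "cifs/dc01"},
    {"id": 4769, "time": "2024-05-01T09:11:00", "user": "Administrator", "ip": "10.0.0.99", "etype": 0x17, "service": "ldap/dc01"},
]


def hunt_golden_ticket(events: List[Dict], window: timedelta = DEFAULT_TGT_LIFETIME) -> List[Dict]:
    """Return one finding per (4769 event, rule) that fires."""
    # Index AS exchanges by (account, client ip) so each 4769 can look back.
    tgt_issued: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_issued[(e["user"].lower(), e["ip"])].append(datetime.fromisoformat(e["time"]))

    findings: List[Dict] = []
    for e in sorted((x for x in events if x["id"] == 4769), key=lambda x: x["time"]):
        t = datetime.fromisoformat(e["time"])
        key = (e["user"].lower(), e["ip"])
        # Rule 1: was a TGT issued to this client for this account recently
        # enough that it could still be in use?
        if not any(t - window <= issued <= t for issued in tgt_issued[key]):
            findings.append({"rule": "tgs_without_as_req", "user": e["user"],
                             "ip": e["ip"], "service": e["service"], "time": e["time"]})
        # Rule 2: RC4 service ticket where the domain is expected to use AES.
        if e["etype"] == RC4_HMAC:
            findings.append({"rule": "rc4_ticket", "user": e["user"],
                             "ip": e["ip"], "service": e["service"], "time": e["time"]})
    return findings


def suspicious_clients(findings: List[Dict]) -> Dict[str, List[str]]:
    """Group the rules that fired by client IP, the unit a responder isolates."""
    by_ip: Dict[str, set] = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["rule"])
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


if __name__ == "__main__":
    found = hunt_golden_ticket(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(suspicious_clients(found))
```

Real 4769 records also carry the ticket's own lifetime only indirectly; a third rule worth adding in production is comparing the TGT end time seen in klist output on a suspect host against the domain's MaxTicketAge, since a ten-year TGT has no legitimate explanation.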

To reduce the risk: keep domain-admin credentials off workstations and member servers (tiered administration), patch domain-exposed services such as SMB promptly, limit and audit accounts that hold directory replication rights, rotate the krbtgt key on a schedule (twice, with replication in between), and alert on service-ticket requests that have no matching TGT request or that use RC4 in an AES-only domain.
