Attack Tutorial: How a Golden Ticket Attack Works

Captions
In this video we will be covering the golden ticket attack. The golden ticket attack is a way to forge Kerberos tickets by compromising the krbtgt account, which is the Kerberos service account responsible for generating and validating Kerberos tickets within Active Directory.

So in order to accomplish the golden ticket attack, there are a few pieces of information that you will need. This is something that does require privileges to Active Directory in order to obtain, and I'll show you how you get it. So what we need is the information about what your domain is, so that's the qualified domain name, the domain SID, and the krbtgt password hash. The first two are easy: the domain, you should know what domain you're in; if not, that's very easy to discover. But let's focus on how to get the domain SID. I'm just going to show you who I am right now: I'm logged into my domain as the user Steve, and all I need for the domain SID is all this information here, excluding that last set of numbers, which is the RID for the user. I'm going to ignore that and just take that first part, so that's the set that identifies the domain I'm in.

And then I need the krbtgt password hash. That's the part that requires elevated rights to Active Directory; you need to basically be a domain admin to get that. I have set up my environment so I can use DCSync with this account, and I have granted the permissions on the Active Directory domain object. So all I need to do is launch mimikatz and run the DCSync command for the krbtgt account, and always use a fully qualified domain name. And there you go, so you can see I've got the password hash right here. I'm going to copy that, and now we have everything we need to create a golden ticket.

So really quickly, I'm going to show you with my user: I don't have any privileged membership in any domain groups, so if I try to do something like access the domain controller through an admin share, you see I get access denied. We're going to use a golden ticket to change that. So I'm going to come back to mimikatz and I'm going to use the kerberos golden command and pass in the information we just obtained. So my domain is the qualified name there, my SID of the domain is right here, my password hash we got there, and then the other information I'm going to pass in is the ID of the user I want to create a ticket for. I'm going to pass in the 500 RID, which will be the Administrator account, and then if you want to, you can also specify the name of your user, and you can do any name you want. So now it's created a golden ticket, and you can see it saved it as ticket.kirbi. And then I'm going to use this ticket right away with the kerberos pass-the-ticket command, and try spelling it correctly. All right, now it's loaded that ticket into memory, and I can see that if I launch command prompt it still is going to think that I'm Steve Holt, but this command is running with the elevated privileges of my golden ticket. So now I can connect to my domain controller, and you can see I can get on the domain controller, I can get to everything. There's the ntds.dit file, so I've got complete domain admin level access to a domain controller now.

And also the good thing about this is this ticket does not expire for many years, so once you create this you can continue to reuse this over and over again. It's a popular way for attackers to create persistence within the domain, so they are very difficult to get rid of. You can read the article on our site for more information about how to detect and prevent these types of attacks. To find out more about attack strategies and how to defend against them, go to netwrix.com/attack.
Info
Channel: Netwrix
Views: 13,154
Id: v0xKYSkyI6Q
Length: 5min 14sec (314 seconds)
Published: Fri Jul 01 2022