God-Mode Activated
This post will cover how Golden Ticket attacks work and how to defend against them.
A successful Golden Ticket attack will give the attacker access to an organization's entire Active Directory domain. This includes access to all computers, files, folders, shares, and Domain Controllers. The attacker can impersonate anyone.
The Golden Ticket attack stems from a vulnerability in Kerberos.
When a user authenticates to use services or access file servers, they do not authenticate directly to those services. Instead, the Kerberos Key Distribution Center (KDC) acts as a trusted authentication service. Every Domain Controller in an AD domain runs a KDC service.
At authentication time, the KDC issues a Ticket Granting Ticket (TGT), which includes a unique session key that the user presents whenever they need access to resources. Before sending the TGT, the KDC encrypts it using the password hash of a special account, the KRBTGT account.
- TGTs are always encrypted with the KRBTGT password hash
Because of this, an attacker who holds that hash can bypass the KDC and forge TGTs at will in order to get access to anything they desire.
In order to forge a ticket, the attacker needs the following:
- The FQDN of the domain
- The SID of the domain
- The username of the account to be impersonated
- The KRBTGT password hash
How does an attacker get the KRBTGT hash? It can be done in a couple of ways:
- Stealing the NTDS.DIT file: This file is the AD database; it stores all AD data, including the password hashes for every user in the domain. On a Domain Controller it is stored at C:\Windows\NTDS\NTDS.DIT.
- Compromising a workstation: Gain a foothold on a domain-joined endpoint, then look for valid credentials in memory or on disk that can be reused.
- Mimikatz: This is a powerful tool that allows an attacker to steal credentials from Windows systems.
- DCSync Attack: An account that holds the directory replication (DCSync) permissions can pretend to be a Domain Controller and request password hashes, the KRBTGT hash included, from a legitimate DC. This can also be done with Mimikatz.
If an attacker obtains the KRBTGT hash, they can do anything they want; it is indeed a Golden Ticket. To defend against it:
- Change the KRBTGT password regularly. Note that the KRBTGT account keeps its previous password as well as the current one, so reset it twice (allowing replication to finish in between) before tickets forged with the old hash stop being accepted.
- The Security Technical Implementation Guide (STIG) recommends changing it every 180 days.
- Apply the Principle of Least Privilege (PoLP) in your domain. Ensure that you are minimizing the number of accounts that can access the KRBTGT hash, in particular accounts holding the replication permissions used by DCSync.
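One way to check both defenses above from an admin workstation, as an added PowerShell example that is not part of the original post: it reports the age of the KRBTGT password against the 180-day interval and lists every principal that holds the directory replication (DCSync) rights on the domain head. It assumes the ActiveDirectory RSAT module is installed, the session can read the domain ACL, and that the baseline list of expected principals (an assumption; adjust it for your forest) matches your environment.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module (RSAT) is available and the session has rights to read the domain ACL.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$maxAgeDays = 180   # STIG interval quoted in the post

# 1. KRBTGT password age: older than the interval means forged TGTs built from
#    a stolen hash could still be valid.
$krbtgt  = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet
$ageDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
if ($ageDays -gt $maxAgeDays) {
    Write-Warning "KRBTGT password is $ageDays days old (limit $maxAgeDays). Reset it twice."
} else {
    Write-Host "KRBTGT password age OK: $ageDays days."
}

# 2. Who can DCSync? Any Allow ACE on the domain head granting one of these
#    extended rights lets the holder pull password hashes, KRBTGT included.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Baseline of principals normally expected to hold these rights (assumption;
# tune for your forest). Anything not in this list deserves a review.
$nb = $domain.NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
              'BUILTIN\Administrators',
              "$nb\Domain Controllers",
              "$nb\Enterprise Read-only Domain Controllers",
              "$nb\Enterprise Admins",
              "$nb\Domain Admins")

$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $replRights.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $replRights[$_.ObjectType.ToString()]
            Expected  = ($expected -contains $_.IdentityReference.Value)
        }
    } | Sort-Object Expected, Principal | Format-Table -AutoSize
```

Rows with Expected set to False are the accounts to investigate first, since each of them can obtain the KRBTGT hash without touching NTDS.DIT on a Domain Controller.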