Today I bring you a very simple tutorial that many people have been asking me for.
It’s about attacking Kerberos tickets, both golden and silver.
First, to understand what Kerberos is, visit my post that talks about Kerberos
Requirements:
- Domain Controller – A domain to perform the tests
- Kali Linux – A Kali Linux machine
Responsibility:
In this tutorial, we will use hacking techniques for educational purposes only. We do not promote their use for profit or improper purposes. We are not responsible for any damage or harm that may be caused to the systems used. The user of this tutorial is solely responsible.
Knowledge:
- Linux – High
- Programming – Low
- Kali Linux – High
- Windows – Very high
- Networking – Medium
Overall tutorial level: Very high
Ideal for: Systems engineers, security engineers, pentesters
Golden ticket attacks are post-exploitation attacks. They provide the attacker with unrestricted access to the domain. Because the attacker controls the KDC that is responsible for issuing ticket-granting tickets (TGTs), they then have the golden ticket to access any resource in the domain.
To impersonate the KRBTGT account, we need the NTLM hash of the krbtgt account and the SID of the domain to which it belongs.
We will use mimikatz to dump the password hash and SID (Security Identifier) to generate a golden ticket, and then we will use the Pass The Ticket attack to obtain a privileged session.
The Silver Ticket Attack
As with the Golden Ticket attack, the key difference is that we forge a TGS ticket to access a specific service rather than all resources in the domain. TGS tickets are encrypted with the service password hash—therefore, if an attacker steals the hash of a service account, they can obtain TGS tickets to access that service.
An attacker forges the TGS ticket using the service account password hash. No intermediary TGT (Ticket Granting Ticket) is needed. This means that Silver Ticket attacks can be created without any communication with a Domain Controller, making them more stealthy.
Golden/Silver Attack in Action
Run mimikatz and use the following command to dump the NTLM hash and SID to create the golden ticket. To create a silver ticket, we need to change the /name: to dump the hash of a domain administrator account or a service account such as the SQLService account.
The mimikatz LSA module interacts with the Windows Local Security Authority (LSA) to extract credentials.
- /inject — Inject LSASS to extract credentials
- /name — account name for target user account
- lsadump:lsa — LSA Server to retrieve SAM/AD (database that stores passwords)
Command: lsadump::lsa /inject /name:krbtgt
The highlighted text is the domain SID, and in the primary section we can see the NTLM hash.
Command: kerberos::golden /user:Administrator /domain:controller.local /sid: /krbtgt: /id:
- kerberos::golden — create gold/silver tickets
- /domain — domain name.
- /sid — the domain SID
- /user — username to impersonate
- /krbtgt — NTLM password hash for the domain KDC service account (KRBTGT).
- /id (optional) — user RID. The default value for Mimikatz is 500
The above command is for creating a golden ticket. To create a silver ticket, we can simply put a service NTLM hash in the krbtgt slot and change the service account sid in sid.
Command: misc::cmd
Once the ticket has been generated and saved, we can use the above command, which will open a new cmd with privileges for the ticket we have just generated, allowing us to access the resources according to our needs.
I hope you like it and find it useful.
