Exploiting domain trusts (Kerberos Golden Ticket)

Resources

  1. DCSync attack

  2. Kerberos notes

Terminologies

  1. Kerberos Ticket Granting Ticket (KRBTGT)

  • The service account for the Key Distribution Center (KDC) service

  • This account is used to encrypt and sign all Kerberos tickets for the domain

  2. Golden ticket

  • A TGT is signed with the KRBTGT account's password hash

  • Thus, with access to this hash, we will be able to forge a TGT for any user of our choice

  • This ticket is known as a "Golden Ticket"
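The three bullets above describe a trust relationship rather than a vulnerability: the KDC validates a TGT only by checking it against the KRBTGT key, so whoever holds that key can produce tickets the KDC cannot tell apart from its own. The toy below is an added illustration written for these notes, not code from the page or from any Kerberos implementation. It models a ticket as a JSON body authenticated with an HMAC under `krbtgt_key` (real TGTs are encrypted ASN.1 structures with a PAC; `issue_tgt`, `kdc_accepts` and `demo` are this example's own names) and also models the standard mitigation, a KRBTGT key rotation, to show why a reset invalidates every ticket tied to the old key.

```python
import hashlib
import hmac
import json
import secrets


def issue_tgt(krbtgt_key: bytes, user: str, groups: list, now: int,
              lifetime_s: int = 36000) -> dict:
    """Toy model of the KDC issuing a TGT: the ticket body is bound to the KRBTGT key.
    The default 10-hour lifetime mirrors AD's default maximum user ticket lifetime."""
    body = {"user": user, "groups": groups, "issued": now, "expires": now + lifetime_s}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(krbtgt_key, raw, hashlib.sha256).hexdigest()}


def kdc_accepts(krbtgt_key: bytes, ticket: dict, now: int) -> bool:
    """Toy model of the KDC checking a presented TGT. Note what it does NOT do: it keeps
    no record of which tickets it issued, so validity rests entirely on the key."""
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    expected = hmac.new(krbtgt_key, raw, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket["tag"]) and ticket["body"]["expires"] > now


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through the trust relationship and the mitigation; returns the checks as a dict."""
    krbtgt_key = secrets.token_bytes(32)          # constructed key, stands in for the KRBTGT hash
    legit = issue_tgt(krbtgt_key, "alice", ["Domain Users"], now)

    # Anyone holding krbtgt_key can run exactly the issuance step the KDC runs, for any
    # identity and any lifetime. This is the "Golden Ticket" and the reason the KRBTGT
    # secret is the most sensitive credential in the domain.
    forged = issue_tgt(krbtgt_key, "Administrator", ["Domain Admins"], now,
                       lifetime_s=10 * 365 * 86400)

    results = {
        "legit_accepted": kdc_accepts(krbtgt_key, legit, now),
        "forged_accepted": kdc_accepts(krbtgt_key, forged, now),
        "forged_accepted_years_later": kdc_accepts(krbtgt_key, forged, now + 5 * 365 * 86400),
    }

    # Mitigation modelled here: rotating the KRBTGT key. Every ticket bound to the old key,
    # legitimate or forged, stops validating at once.
    new_key = secrets.token_bytes(32)
    results["forged_after_rotation"] = kdc_accepts(new_key, forged, now)
    results["legit_after_rotation"] = kdc_accepts(new_key, legit, now)
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The toy keeps a single key. Real Active Directory also honours the previous KRBTGT key (its password history depth is two), which is why the documented response is to reset the KRBTGT password twice, with a replication pause in between, rather than once.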

Overview

In this attack, we abuse the trusts between domains in a forest.

...

General overview of the Golden Ticket attack

Refer to the "Terminologies" section above for more details on the Golden Ticket.

In a Golden Ticket attack, an attacker who has obtained the KRBTGT account hash for a domain can forge their own Ticket Granting Ticket (TGT) for any user of their choice. This forged TGT, known as a Golden Ticket, is signed with the KRBTGT hash, making it appear valid to the domain’s Key Distribution Center (KDC).

This particular TGT can be used to request service tickets (TGS) for any service as the specified user, effectively gaining unrestricted access within the domain (e.g. as Administrator).
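Because a forged TGT is never requested from the KDC, the domain controllers see service ticket requests (Windows Security event 4769) for which no matching TGT request (event 4768) was ever logged. The script below is an added detection example for these notes, not code from the page; it runs over a constructed list of flattened events (the field names `id`, `time`, `account`, `client`, `service` and `enc` are this example's own shorthand for the event XML, and `find_suspicious_tgs` is its own name). It flags a 4769 with no 4768 for the same account and client within the ticket lifetime window, and, as a second heuristic, a 4769 whose ticket encryption type is RC4-HMAC (0x17) in a domain that is expected to issue AES tickets.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # Kerberos etype value for RC4-HMAC; AES256-CTS-HMAC-SHA1-96 is 0x12

# Constructed sample events (not real logs). 4768 = TGT requested, 4769 = service ticket requested.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-01-10T09:00:00", "account": "alice", "client": "10.0.0.5", "enc": "0x12"},
    {"id": 4769, "time": "2024-01-10T09:00:03", "account": "alice", "client": "10.0.0.5",
     "service": "cifs/fs01", "enc": "0x12"},
    # No 4768 from 10.0.0.99 for Administrator anywhere in the window, and the ticket uses RC4.
    {"id": 4769, "time": "2024-01-10T09:05:00", "account": "Administrator", "client": "10.0.0.99",
     "service": "cifs/dc01", "enc": "0x17"},
    {"id": 4768, "time": "2024-01-10T09:10:00", "account": "bob", "client": "10.0.0.7", "enc": "0x12"},
    # Legitimate TGT exists, but the service ticket was issued with RC4: worth a look on its own.
    {"id": 4769, "time": "2024-01-10T09:10:02", "account": "bob", "client": "10.0.0.7",
     "service": "ldap/dc01", "enc": "0x17"},
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_suspicious_tgs(events, window=timedelta(hours=10), expect_aes=True):
    """Return service ticket requests (4769) that lack a preceding TGT request (4768) for the
    same account and client within `window`, or that use RC4 where AES is expected.
    The default window matches AD's default maximum TGT lifetime of 10 hours."""
    tgt_seen = defaultdict(list)          # (account, client) -> times a TGT was requested
    for e in events:
        if e["id"] == 4768:
            tgt_seen[(e["account"].lower(), e["client"])].append(parse_time(e["time"]))

    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = parse_time(e["time"])
        key = (e["account"].lower(), e["client"])
        reasons = []
        if not any(t - window <= prior <= t for prior in tgt_seen[key]):
            reasons.append("no_prior_tgt_request")
        if expect_aes and e["enc"] == RC4_HMAC:
            reasons.append("rc4_ticket_encryption")
        if reasons:
            findings.append({"account": e["account"], "client": e["client"],
                             "service": e["service"], "time": e["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tgs(SAMPLE_EVENTS):
        print(f)
```

Two caveats apply in a real environment. The 4768 and the 4769 for one session may land on different domain controllers, so the correlation only works over logs aggregated from every DC, and any 4768 that predates the collection window produces a false positive. The RC4 heuristic is only meaningful where the domain has been configured to issue AES tickets; in a domain that still negotiates RC4 by default it will fire on normal traffic.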

...
