Golden Ticket Heist: Stealing the Keys to the Kingdom

Maruf Farhan Rigan
Published in System Weakness
Jan 15, 2024 · 4 min read

Golden Ticket Attack:

Imagine the “Golden Ticket” from Willy Wonka’s chocolate factory, but instead of granting access to a candy wonderland, it grants unrestricted access to an entire computer network. A golden ticket attack aims to achieve just that. It takes advantage of a flaw in the Windows networks' Kerberos authentication protocol to obtain administrator rights and control over any domain resource.

How it works:

  1. Gain Initial Access: The attacker needs some initial foothold into the network, typically through phishing or exploiting unpatched vulnerabilities.
  2. Steal NTLM Hash: Once inside, they target a compromised account with administrator privileges and steal its NTLM hash, a one-way hash of the account password.
  3. Forge Golden Ticket: Using the NTLM hash, the attacker crafts a fake Kerberos ticket, essentially mimicking the administrator account. This forged ticket, the “Golden Ticket,” grants them the same elevated privileges as the real administrator.
  4. Dominate the Domain: With the Golden Ticket, the attacker can access any resource, steal sensitive data, install malware, and disrupt operations.

Lab work:

Log in to the Active Directory domain controller and open cmd. First, download Mimikatz and save it in the Downloads folder. Then run mimikatz.exe and type the following commands.

Type: privilege::debug

Windows implements various security measures to protect sensitive processes and memory regions. To circumvent these restrictions and gain the necessary access, Mimikatz enables the “debug” privilege (SeDebugPrivilege) for its own process, which grants it broader permissions to inspect and interact with system processes such as LSASS.

Type: lsadump::lsa /inject /name:krbtgt

The primary purpose of this command is to extract the password hash (or NTLM hash) of the “krbtgt” account from LSASS memory. This hash is a cryptographic representation of the account’s password and can be used in various attacks, including:

  • Golden Ticket attacks: These attacks can forge Kerberos tickets to gain persistent, undetectable access to an entire Active Directory domain.
  • Pass-the-hash attacks: These attacks can use the hash to authenticate to other systems without knowing the actual password.

Open Notepad and save the domain SID from the output. You also need the NTLM hash of the krbtgt account from the same output; both values are used in the next command.

Type: Kerberos::golden /user:Administrator /domain:marvel.local /sid: /krbtgt: ntlm hash /id:500 /ptt

Here’s a breakdown of the command Kerberos::golden /user:Administrator /domain:marvel.local /sid: /krbtgt: ntlm hash /id:500 and its potential purpose:

Purpose:

  • This command is used to create a forged Kerberos ticket, often referred to as a “Golden Ticket,” within a Windows Active Directory domain. Golden Tickets grant attackers persistent, undetectable, and highly privileged access to the domain.

Breakdown of Parameters:

  • Kerberos::golden: Invokes the Mimikatz module responsible for creating golden tickets.
  • /user:Administrator: Specifies the user account to impersonate within the Golden Ticket. In this case, the "Administrator" account grants full administrative privileges.
  • /domain:marvel.local: Identifies the target domain where the Golden Ticket will be used.
  • /sid: (missing SID value): This parameter should provide the security identifier (SID) of the domain, but it is currently missing from the command.
  • /krbtgt: ntlm hash: Supplies the NTLM hash of the "krbtgt" account, the domain's Kerberos Key Distribution Center account. This hash is crucial for forging valid Golden Tickets.
  • /id:500: Sets the relative identifier (RID) of the user account within the Golden Ticket, often 500 for the "Administrator" account.

Potential Attacker Goals:

  • Persistent Domain Access: Once a Golden Ticket is created, attackers can use it to authenticate to any domain resource without restriction, even if passwords are changed or accounts are disabled.
  • Elevated Privileges: The Golden Ticket grants them full administrative privileges within the domain, enabling them to perform actions like:
      ◦ Installing malware
      ◦ Stealing sensitive data
      ◦ Modifying system configurations
      ◦ Creating new accounts
      ◦ Covering their tracks

Once the golden ticket is successfully submitted, type misc::cmd. This opens another cmd window that carries the injected ticket, and there you can type:

dir \\THEPUNISHER\C$

We just listed the C$ share of THEPUNISHER from our machine using the forged ticket. We can take this further: if we have PsExec, we can use it to get a shell on the system.

Mitigation Strategies:

Here are some mitigation strategies:

  • Patching: Regularly update Windows systems and software to address vulnerabilities that attackers exploit.
  • Strong Passwords: Implement strong and unique passwords for all accounts, especially administrator accounts.
  • Multi-Factor Authentication (MFA): Implement MFA as an additional layer of security to prevent unauthorized access, even with stolen credentials.
  • Account Monitoring: Monitor privileged accounts for suspicious activity and investigate any anomalies promptly.
  • Network Segmentation: Segment your network to limit the attacker’s reach, even if they compromise a single part.
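The “Account Monitoring” point above can be made concrete. A forged TGT never passes through the AS exchange, so a domain controller sees TGS requests (Event ID 4769) for the forged identity without a matching TGT request (Event ID 4768) from that host; a Golden Ticket built from the krbtgt NTLM hash, as in the lab, is also RC4-encrypted (encryption type 0x17) even in a domain where real tickets use AES, and the attacker may choose an account name that does not exist in the directory. The script below is an added example, not code from the original post: it runs those three checks over constructed sample events. The field names (user, ip, etype, service) are assumed simplifications of the 4768/4769 event XML attributes TargetUserName, IpAddress, TicketEncryptionType and ServiceName.

```python
"""Detect indicators of a forged (Golden) TGT in Windows Security events.

Added example for illustration; the events below are constructed, and the
flat field names are an assumed simplification of the real 4768/4769 XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # encryption type of a ticket forged from an NTLM hash

# Constructed sample log: one normal logon (4768 then 4769) and two
# TGS requests that never had a TGT request from their source host.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:00:00", "id": 4768, "user": "alice",
     "ip": "10.0.0.21", "etype": "0x12"},
    {"time": "2024-01-15T09:00:02", "id": 4769, "user": "alice",
     "ip": "10.0.0.21", "etype": "0x12", "service": "cifs/fileserver"},
    {"time": "2024-01-15T09:30:00", "id": 4769, "user": "Administrator",
     "ip": "10.0.0.99", "etype": "0x17", "service": "cifs/THEPUNISHER"},
    {"time": "2024-01-15T09:31:00", "id": 4769, "user": "ghost",
     "ip": "10.0.0.99", "etype": "0x17", "service": "ldap/dc01"},
]


def find_golden_ticket_indicators(events, known_accounts, lookback_hours=10):
    """Return [(event, [reasons])] for every 4769 event that looks forged.

    known_accounts: lowercase sAMAccountNames that exist in the directory.
    lookback_hours: default 10 h, the default maximum TGT lifetime, so a
    legitimate TGS request should be preceded by a 4768 inside that window.
    """
    lookback = timedelta(hours=lookback_hours)
    tgt_seen = defaultdict(list)  # (user, ip) -> timestamps of 4768 events
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] == 4768:
            tgt_seen[key].append(ts)
            continue
        if ev["id"] != 4769:
            continue
        reasons = []
        # Check 1: a TGS request with no TGT request from the same host
        if not any(ts - t <= lookback for t in tgt_seen[key]):
            reasons.append("TGS request (4769) with no TGT request (4768) "
                           "from this host within the lookback window")
        # Check 2: RC4 ticket in a domain whose real tickets use AES
        if ev["etype"] == RC4_HMAC:
            reasons.append("RC4-HMAC ticket encryption in an AES-enabled domain")
        # Check 3: the impersonated account does not exist
        if ev["user"].lower() not in known_accounts:
            reasons.append("account name does not exist in the directory")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    directory = {"alice", "administrator", "krbtgt"}
    for event, why in find_golden_ticket_indicators(SAMPLE_EVENTS, directory):
        print(f'{event["time"]} {event["user"]}@{event["ip"]} -> {event["service"]}')
        for reason in why:
            print(f"    - {reason}")
```

Two caveats matter when running this against real logs. The 4768/4769 pair must be correlated across every domain controller, because the TGT and the service ticket are often issued by different DCs, so the check only works on centrally collected logs. The RC4 check also produces noise in domains that still have accounts or trusts limited to RC4. Separately from detection, note that a Golden Ticket stays valid until the krbtgt password has been reset twice (once is not enough, because the previous key is still accepted), so a confirmed krbtgt compromise needs a double reset in addition to the monitoring above.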


MSc in Cybersecurity | RA & Published Author, Blockchain | CompTIA Security+ Certified | Blockchain Fan | Cybersecurity Blogger | Tech Support @ Kaspersky Lab