Mimikatz: The Hunt for the Golden Ticket
A TGT (Ticket Granting Ticket) is the Kerberos ticket a client presents to the Key Distribution Center (KDC) on a Domain Controller (DC) to request service tickets for any service in the domain. It is issued by the DC once the user has authenticated (the AS exchange) and is encrypted with the long-term key of the krbtgt account, a special account that exists only to encrypt and sign TGTs. That key is derived from the krbtgt password: its NTLM hash when RC4 encryption is in use, or its AES128/AES256 key when AES is in use.
The krbtgt NTLM hash and AES keys can be obtained from the memory of the lsass process or from the NTDS.dit file of any DC in the domain (or, by an account with replication rights, over the directory replication protocol, the technique known as DCSync). The lsass process holds information about logged-on users, including credential material. NTDS.dit is the Active Directory database and contains every object in the domain, including user accounts and their password hashes; the hashes are encrypted with a key derived from the SYSTEM registry hive, so that hive must be taken from the same DC.
Silver Tickets
A silver ticket is a forged TGS (service ticket). Unlike a TGT, a service ticket is encrypted with the long-term key of the account that runs the service (the computer account for host services such as CIFS, HOST or RPCSS, or a service account for a custom SPN), so the key needed is the NTLM hash or AES key of that account rather than of krbtgt. A silver ticket therefore only grants access to the one service on the one host it was forged for, but the DC is never contacted when it is used, so no 4768 or 4769 event is written. Silver tickets are created with the same kerberos::golden module of Mimikatz (https://github.com/gentilkiwi/mimikatz) as golden tickets, adding /target and /service and supplying the service account's key instead of the krbtgt key:
kerberos::golden /user:<username> /domain:<domain_name> /sid:<domain_sid> /target:<host_fqdn> /service:<service_class> /rc4:<service_account_ntlm_hash> /ticket:<output_file>.kirbi
For example, to forge a ticket for the cifs service on a file server (the computer account's hash is used because the CIFS service runs as the machine):
kerberos::golden /user:Administrator /domain:thesentinel.black /sid:S-1-5-21-1874506631-3219952063-538504511 /target:<fileserver_fqdn> /service:cifs /rc4:<fileserver_computer_account_ntlm_hash> /ticket:silver.kirbi
The resulting .kirbi file is loaded into the current logon session with:
kerberos::ptt silver.kirbi
Golden Tickets
A golden ticket is a TGT forged offline with the krbtgt account's NTLM hash or AES key. The TGT carries the user's identity and group membership in its PAC, and the DC trusts whatever it can decrypt with the krbtgt key, so the attacker chooses both: by default Mimikatz writes the Domain Admins, Domain Users, Schema Admins, Enterprise Admins and Group Policy Creator Owners groups (RIDs 512, 513, 518, 519 and 520) into the ticket. The result can obtain service tickets for any service in the domain as the impersonated user, regardless of that user's real password, group membership or logon restrictions, for as long as the krbtgt key is unchanged; this is why the remediation is to reset the krbtgt password twice (the DC still honours the previous key after a single reset).
To forge a golden ticket, an attacker must first obtain the krbtgt NTLM hash or AES key as described above. It can then be used to build the ticket with Mimikatz or with Impacket's ticketer.py.
With Mimikatz, the following command can be used to create a gold ticket:
kerberos::golden /user:<username> /domain:<domain_name> /sid:<domain_sid> /krbtgt:<ntlm_hash> /ticket:<output_file>.kirbi
For example:
kerberos::golden /user:Administrator /domain:thesentinel.black /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:golden.kirbi
It is also possible, and preferable from an operational security (opsec) perspective, to forge the ticket with the krbtgt AES key: a ticket built from the NTLM hash is RC4-encrypted (etype 0x17), which stands out in a domain where every legitimate ticket uses AES. With Mimikatz, the following command creates a golden ticket from the AES256 key:
kerberos::golden /user:<username> /domain:<domain_name> /sid:<domain_sid> /aes256:<aes_key> /ticket:<output_file>.kirbi
For example:
kerberos::golden /user:Administrator /domain:thesentinel.black /sid:S-1-5-21-1874506631-3219952063-538504511 /aes256:430b2fdb13cc820d73ecf123dddd4c9d76425d4c2156b89ac551efb9d591a439 /ticket:golden.kirbi
Once a golden ticket has been forged it is loaded into the current logon session with kerberos::ptt golden.kirbi (or by replacing /ticket with /ptt in the golden command), after which it can be used to obtain a service ticket for any service in the domain as the impersonated user: shared files, remote service execution, Windows Management Instrumentation (WMI) and so on. Tools such as psexec or wmiexec, pointed at the target's hostname so that Kerberos rather than NTLM is negotiated, then give a shell on the target machine.
Diamond Tickets
A diamond ticket is a TGT produced by a different method than a golden ticket. Instead of building a ticket from nothing, the attacker requests a genuine TGT from the DC (a normal AS-REQ as some domain user), decrypts it with the krbtgt key, modifies the PAC (typically to add the Domain Admins RID 512 to the group list and to change the user it represents), then re-signs the PAC and re-encrypts the ticket with the same krbtgt key. Like a golden ticket it therefore requires the krbtgt NTLM hash or AES key and grants access to any service in the domain as the impersonated user. Mimikatz's kerberos::golden module does not do this (it always builds a new TGT offline); diamond tickets are created with Rubeus's diamond action, which performs the request, decrypt, modify and re-encrypt cycle in one step:
Rubeus.exe diamond /krbkey:<krbtgt_aes256_key> /user:<username> /password:<password> /enctype:AES256 /ticketuser:<impersonated_user> /ticketuserid:<impersonated_rid> /groups:<group_rids> /domain:<domain_name> /dc:<dc_fqdn>
For example:
Rubeus.exe diamond /krbkey:430b2fdb13cc820d73ecf123dddd4c9d76425d4c2156b89ac551efb9d591a439 /user:<low_privilege_user> /password:<password> /enctype:AES256 /ticketuser:Administrator /ticketuserid:500 /groups:512 /domain:thesentinel.black /dc:<dc_fqdn>
Because a domain controller keeps no state about the TGTs it has issued, it accepts any TGT that is encrypted and signed with the current krbtgt key, whether that ticket is one it issued, a golden ticket built offline or a diamond ticket derived from a genuine one. The difference lies in the audit trail. A golden ticket never passes through the AS exchange, so the DC records 4769 events (service ticket requests) for the account with no preceding 4768 event (TGT issuance), and correlating the two is the standard detection. A diamond ticket starts with a real AS-REQ, so a 4768 does exist and that correlation finds nothing; its lifetime and encryption type are also those of the genuine ticket. What remains are the signals that come from the modified PAC: 4769 events (and 4624 logons on member servers) showing an account using privileges or groups it does not hold in the directory, a 4768 for one user followed by 4769s for a different user from the same client, and service access patterns the impersonated account never shows.
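The correlation described above, as an added example that is not part of the original page: a Python script that replays constructed 4768/4769 events (field names follow the Security log XML; the accounts, addresses and times are invented for the example) and flags service ticket requests with no TGT issuance for the same account and client within the default ten-hour TGT lifetime, plus RC4 ticket encryption. The sample includes one golden-ticket pattern and one diamond-ticket pattern so the limits of the check are visible.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default domain policy "Maximum lifetime for user ticket" is 10 hours; a 4768
# older than that cannot be the TGT behind a new 4769 unless it was renewed.
TGT_WINDOW = timedelta(hours=10)
RC4_HMAC = "0x17"   # Ticket Encryption Type as logged in 4768/4769
AES256_CTS = "0x12"

# Constructed sample events (not real log data), times in UTC. The Administrator
# request has no 4768 before it, which is how a golden ticket looks to the DC. The
# jdoe pair is what a diamond ticket looks like: a real TGT was requested first,
# so the correlation check alone does not flag it.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2023-05-14T08:00:05", "TargetUserName": "jsmith",
     "IpAddress": "::ffff:10.10.20.15", "TicketEncryptionType": AES256_CTS, "Status": "0x0"},
    {"EventID": 4769, "Time": "2023-05-14T08:00:09", "TargetUserName": "jsmith@THESENTINEL.BLACK",
     "IpAddress": "::ffff:10.10.20.15", "ServiceName": "cifs/fs01.thesentinel.black",
     "TicketEncryptionType": AES256_CTS},
    {"EventID": 4769, "Time": "2023-05-14T09:12:40", "TargetUserName": "Administrator@THESENTINEL.BLACK",
     "IpAddress": "::ffff:10.10.20.99", "ServiceName": "cifs/fs01.thesentinel.black",
     "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4768, "Time": "2023-05-14T09:30:00", "TargetUserName": "jdoe",
     "IpAddress": "::ffff:10.10.20.77", "TicketEncryptionType": AES256_CTS, "Status": "0x0"},
    {"EventID": 4769, "Time": "2023-05-14T09:31:10", "TargetUserName": "jdoe@THESENTINEL.BLACK",
     "IpAddress": "::ffff:10.10.20.77", "ServiceName": "cifs/dc01.thesentinel.black",
     "TicketEncryptionType": AES256_CTS},
]


def normalize_account(name):
    """4768 logs 'jsmith' while 4769 logs 'jsmith@REALM'; compare on the bare name."""
    return name.split("@", 1)[0].lower()


def normalize_ip(addr):
    """The Security log writes IPv4 clients as IPv4-mapped IPv6 ('::ffff:a.b.c.d')."""
    return addr.replace("::ffff:", "")


def find_suspicious_tgs(events, window=TGT_WINDOW):
    """Replay events in time order and return one alert per 4769 that has no
    successful 4768 for the same (account, client) inside `window`, or that was
    served with an RC4 ticket. Returned alerts are dicts with the reasons listed."""
    tgt_issued = defaultdict(list)   # (account, client ip) -> times a TGT was issued
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        key = (normalize_account(ev["TargetUserName"]), normalize_ip(ev["IpAddress"]))
        if ev["EventID"] == 4768:
            if ev.get("Status", "0x0") == "0x0":   # failed AS-REQs are not issuances
                tgt_issued[key].append(when)
            continue
        if ev["EventID"] != 4769:
            continue
        reasons = []
        if not any(when - window <= issued <= when for issued in tgt_issued[key]):
            reasons.append("TGS request with no TGT issued to this account from this client "
                           "within the TGT lifetime (golden ticket signal)")
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            reasons.append("RC4 ticket encryption where AES is expected")
        if reasons:
            alerts.append({"time": ev["Time"], "account": key[0], "client": key[1],
                           "service": ev.get("ServiceName"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_tgs(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['account']} from {alert['client']} -> {alert['service']}")
        for reason in alert["reasons"]:
            print("   ", reason)
```

Two caveats when running this against real data: the 4768 and the 4769 for one client are frequently written by different domain controllers, so the events of every DC must be merged before correlating, and a renewal (4770) extends a TGT beyond the ten-hour window, so renewals should be treated as issuances in the same way. As the jdoe events show, a diamond ticket passes the correlation check by construction; it has to be caught on the content of the PAC instead.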
Lateral Movement
Once a forged TGT has been loaded into the logon session (kerberos::ptt <output_file>.kirbi), every Kerberos-aware client on the machine uses it automatically, so it can reach any service in the domain as the impersonated user. Targets must be addressed by hostname or FQDN: Kerberos needs a service principal name to request a service ticket, and addressing a machine by IP makes Windows fall back to NTLM, which ignores the injected ticket. To map a share on a target machine with the Windows net use command:
net use \\<target_fqdn>\<share_name>
Alternatively, Sysinternals PsExec can execute commands on the target. Without -u and -p it authenticates with the current logon session, which is exactly what is wanted here; supplying a username and password would authenticate with those credentials instead and bypass the forged ticket entirely:
psexec \\<target_fqdn> cmd
In addition to accessing shared files and executing commands, a forged TGT can also be used to reach other services in the domain. For instance, the Windows Management Instrumentation (WMI) service on the target can be driven with the wmic command, again without /user and /password so that the current session's ticket is used:
wmic /node:"<target_fqdn>" process call create "cmd.exe"
It is important to note that legitimate TGT issuance is logged on the DC as event 4768, but a forged TGT never goes through that step, so the only DC-side records of its use are the 4769 service ticket requests it generates, and the target hosts see ordinary 4624 logons (logon type 3, authentication package Kerberos). Unless service ticket requests are correlated against TGT issuance, lateral movement with a forged TGT is easy to miss.
Conclusion
Using a forged TGT for lateral movement is a powerful technique for an attacker, but it can be detected by DC audit correlation, network monitoring or intrusion detection systems. To reduce the risk of detection, it is advisable to limit use of the ticket to the services actually needed and to give it a lifetime that matches domain policy. Mimikatz's default validity is ten years, far beyond the ten-hour maximum set by the default domain policy, and an anomalous lifetime is itself a detection signal. The /startoffset, /endin and /renewmax parameters (all in minutes) control this; for example, the following command creates a TGT valid for one hour:
kerberos::golden /user:<username> /domain:<domain_name> /sid:<domain_sid> /krbtgt:<ntlm_hash> /startoffset:0 /endin:60 /renewmax:60 /ticket:<output_file>.kirbi
This produces a TGT that expires one hour after creation, after which it can no longer be used (a new one can be forged at any time while the krbtgt key is unchanged). Keeping the lifetime within policy removes one of the easiest indicators, which also means a ticket with an implausible lifetime in a logon session's cache is worth checking from the defender's side.
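As an added example (not from the original page), the host-side check that follows from that advice: parsing klist output to flag cached TGTs whose lifetime exceeds the ten-hour default policy, or which are RC4-encrypted. The klist text is constructed for the example and uses the US date format an English-language klist prints; the strptime format must be adjusted for other locales, and the ten-hour limit should be replaced by the value of the domain's actual "Maximum lifetime for user ticket" setting.

```python
import re
from datetime import datetime, timedelta

# Default domain policy "Maximum lifetime for user ticket" is 10 hours.
DEFAULT_MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample klist output (not a real capture). Ticket #1 carries the
# ten-year validity Mimikatz writes when /endin is left at its default and is
# RC4-encrypted because it was forged from the krbtgt NTLM hash.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: jsmith @ THESENTINEL.BLACK
        Server: krbtgt/THESENTINEL.BLACK @ THESENTINEL.BLACK
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/14/2023 8:00:05 (local)
        End Time:   5/14/2023 18:00:05 (local)
        Renew Time: 5/21/2023 8:00:05 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.thesentinel.black

#1>     Client: Administrator @ THESENTINEL.BLACK
        Server: krbtgt/THESENTINEL.BLACK @ THESENTINEL.BLACK
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/14/2023 9:12:30 (local)
        End Time:   5/11/2033 9:12:30 (local)
        Renew Time: 5/11/2033 9:12:30 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

TICKET_HEADER = re.compile(r"^#\d+>", re.MULTILINE)


def parse_klist(text):
    """Split klist output into one dict of 'Field: value' pairs per cached ticket.
    Lines without a colon (the Ticket Flags line) are ignored."""
    tickets = []
    for chunk in TICKET_HEADER.split(text)[1:]:   # chunk [0] is the LogonId header
        fields = {}
        for line in chunk.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets


def parse_klist_time(value):
    """'5/14/2023 8:00:05 (local)' -> datetime; US format as printed by an English klist."""
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def suspicious_tickets(text, max_lifetime=DEFAULT_MAX_TGT_LIFETIME):
    """Return (client, server, reasons) for every cached ticket whose validity
    period exceeds `max_lifetime` or whose encryption type is RC4."""
    findings = []
    for ticket in parse_klist(text):
        lifetime = parse_klist_time(ticket["End Time"]) - parse_klist_time(ticket["Start Time"])
        reasons = []
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
        if "RC4" in ticket.get("KerbTicket Encryption Type", ""):
            reasons.append("RC4-encrypted ticket in a domain that issues AES tickets")
        if reasons:
            findings.append((ticket["Client"], ticket["Server"], reasons))
    return findings


if __name__ == "__main__":
    for client, server, reasons in suspicious_tickets(SAMPLE_KLIST):
        print(f"{client} -> {server}")
        for reason in reasons:
            print("   ", reason)
```

Run it against the output of klist on a host under investigation (klist only shows the current logon session, so use klist -li <LogonId> or run it under each session of interest). A ticket that passes both checks can still be forged, since the /endin parameter above lets the attacker match policy exactly; the check removes the careless case, not the careful one.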