Kerberos - Golden Ticket Attack

Navneet Singh
info@cloudmarix.ca
Abstract— Kerberos is a network authentication protocol developed by MIT in 1988 as part of Project Athena. It has been widely adopted by the major operating system providers (Microsoft Windows, Linux, Mac OS) as a single sign-on authentication system in client-server architectures, allowing clients to access multiple open and distributed networks. The Golden Ticket attack, introduced by Benjamin Delpy at the Black Hat 2014 conference held in Las Vegas, USA, exploits a weakness in Kerberos to gain administrative access on the domain controller by creating forged TGT tickets and authenticating with them on the Domain Controller. With a Golden Ticket an attacker can lurk in the organization forever, even if every user's password has been changed.

This paper begins by describing the mechanism of the Golden Ticket attack. Section 2 discusses detection of forged tickets in the Windows Event Viewer and monitoring of abnormal activity on Active Directory and the Domain Controller. Section 3 suggests a recovery procedure after a successful security breach made with a Golden Ticket. Section 4 recommends mitigation strategies that help to decrease the risk level.

1. INTRODUCTION

The Golden Ticket attack first came into existence when security researcher Benjamin Delpy created a Windows security audit tool, now known as Mimikatz, that is able to dump passwords and hashes stored in memory by exploiting the Windows LSASS (Local Security Authority Subsystem Service), which is used to enforce security policies in the Windows operating system. LSASS authenticates user credentials at logon to the Windows operating system, handles password changes, and creates access tokens. Using the Mimikatz tool, the KRBTGT account password hash can be exposed, which enables an attacker to create forged Kerberos TGT tickets encrypted with the KRBTGT hash; using a pass-the-ticket attack, the forged TGT is then sent to the KDC (Application Server) for authentication.

There are four main things required to create a Golden Ticket.

1: KRBTGT Account Hash

At the time of Domain Controller installation, the KRBTGT account is created by default in Active Directory. The KRBTGT account password hash is used to encrypt, decrypt and sign the tickets; the NTLM password hash of KRBTGT is used for RC4-based encryption. The KDC (Key Distribution Center) running on the Domain Controller handles all ticket requests. The KDC reads the krbtgt hash to verify the user login, which means that a valid TGT can be created if an attacker has obtained the krbtgt hash. The KDC trusts a TGT containing the following fields:

● Username
● User Domain
● Ticket Encryption Type
● Logon Hours
● Group Membership (PAC - SIDs)

This enables an attacker to create a TGT with a lifetime of their own choosing, as long as 10 years, and to assign any group membership.

2: SIDs

A SID is the security identifier number given to each user in the Access Control Entry list by the domain controller. SIDs specify the group membership of the authenticated user. Mimikatz can retrieve the SIDs for a given username. This means an attacker can create a TGT and assign administrator privileges by specifying the SIDs.

3: Domain Controller Name

4: Target Domain Controller Account Username

1.1 Authenticating with Golden Ticket

Using a pass-the-ticket attack, the Golden Ticket is sent directly to the TGS for authentication, skipping the AS-REQ and AS-REP steps. The KDC decrypts the ticket with the krbtgt password hash. In 99% of cases the krbtgt password has never been changed, even if the operating system was upgraded to a newer version. The Kerberos policy of checking whether a ticket is 20 minutes old is only applied when the ticket lifetime has expired or the ticket was created from pre-auth data. The Domain Controller re-checks the user account when the ticket expires, in order to verify that the user is valid and enabled. A forged ticket with a 10-year lifetime never expires and the user session never logs out. Furthermore, TGS re-authentication can occur in rare cases, but when it does, LSASS sends a Privilege Attribute Certificate validation request to the Domain Controller's Netlogon service (using the Netlogon Remote Protocol). The following Windows-based operating systems are affected by the Golden Ticket attack:

Windows Server 2003 and higher
Windows Server 2008 and higher
Windows Server 2012 and higher
With Kerberos 5
C. DETECTING FORGED TICKETS

The Kerberos Golden Ticket is an actual, real ticket because it is encrypted and signed with the same krbtgt password hash that the KDC uses to create new tickets. The KDC service does not validate the user account until the ticket has expired, so the attacker can use accounts that do not exist, or that are disabled or deleted. A Golden Ticket never expires, so the attacker can lurk in the organization forever.

Method 1: Using Event Viewer

In order to detect such behavior, the Windows Security Event log shows every successful logon that occurred in the domain with Event ID 4624, which is created when a logon session starts. It contains the following data.

Sample Event Log Data of ID 4624

    Security ID: NVCRYPTO/Administrador
    Account Name: // Navi
    Account Domain: NVCRYPTO.LOCAL
    Logon ID: 0x46d51
    Logon Type: 3

    New Logon:
    Security ID: SYSTEM
    Account Name: navneet$
    Account Domain: Navi
    Logon ID: 0x2b5a1cc
    Logon GUID: {8d290146-94c0-cb12-53e0-fc3f3e7fa143}

    Process Information:
    Process ID: 0x0
    Process Name: -

    Network Information:
    Workstation Name: OptimusPrime
    Source Network Address: ::1
    Source Port: 54076

    Detailed Authentication Information:
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

The Logon Type field indicates the type of logon that occurred. The most common types are 2 for interactive and 3 for network.

The New Logon fields indicate the account name for whom the new logon was created.

The Network fields indicate where a remote logon request originated.

The Logon GUID is a unique identifier that is used to relate this event with the KDC event.

Key Length indicates the length of the generated session key. This will be 0 if no session key was requested.

Detection Before Windows Update

Microsoft has released a patch for the Golden Ticket attack, MS14-068. If the patch is not installed or Windows is not updated, the attempt to authenticate with a forged ticket will be successful. This can be detected if the Security ID and Account Name in the event log data do not match when they should. In the sample event log data above, the user name "Navi" used this exploit to elevate privileges to "NYCRYPTO\Administrator". Attackers often use a fictional username to create a Golden Ticket in order to avoid any kind of warning message or forced logout of the user logged in from another workstation.

Detection After Windows Update

After installing the patch for the Golden Ticket attack or updating to the latest version of the OS, an attempt to authenticate with a forged ticket will appear as an Event ID 4769 failure. The status ID in the event log data is 0x1f, which means the KDC integrity check or decryption of the ticket failed.

Unfortunately, there is no 100% accurate way to detect the use of Golden Tickets on the domain controller using the event log. The error with failure ID 0x1f occurs very rarely, but when it does it is worth investigating as a possible Golden Ticket incident.

Method 2: Monitoring Changes Made to AD and DC

If abnormal activity and changes made to Active Directory and the Domain Controller are detected, this can confirm that an attack is underway. The following are recommendations for monitoring abnormal activity.

Monitoring Changes to Active Directory

Detect changes in domain-wide operations master roles.
Detect changes in trusts.
Detect changes in Group Policy Objects for the Domain container.
Detect changes in Group Policy Object assignments.
Detect changes in the membership of the built-in groups.
Detect changes in the audit policy settings for the domain.
Detect changes in service administrator accounts.
Monitor for a large number of normal-sized objects.
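The two event-log indicators described under Method 1 (a Kerberos 4624 whose Security ID and Account Name disagree, and a 4769 failure with status 0x1f), implemented as an added Python example that is not part of the paper. The event records are constructed to mirror the paper's sample, the domain NVCRYPTO comes from that sample, and the "Failure Code" field name for 4769 is assumed.

```python
import re

# Constructed sample records in the "Field: value" layout the paper quotes.
# The first mirrors the paper's 4624 sample (Security ID and Account Name
# disagree); the second is a normal logon; the third is a 4769 failure 0x1f.
SAMPLE_EVENTS = [
    (4624, "Security ID: NVCRYPTO/Administrador\nAccount Name: Navi\n"
           "Account Domain: NVCRYPTO.LOCAL\nLogon Type: 3\n"
           "Logon Process: Kerberos\nAuthentication Package: Kerberos"),
    (4624, "Security ID: NVCRYPTO\\alice\nAccount Name: alice\n"
           "Account Domain: NVCRYPTO.LOCAL\nLogon Type: 3\n"
           "Logon Process: Kerberos\nAuthentication Package: Kerberos"),
    (4769, "Account Name: ghost@NVCRYPTO.LOCAL\nService Name: cifs/fs01\n"
           "Failure Code: 0x1F"),  # field name assumed for the 4769 layout
]


def parse_fields(body: str) -> dict:
    """Turn 'Name: value' lines into a dict; the first occurrence wins."""
    fields = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip(), value.strip())
    return fields


def check_event(event_id: int, fields: dict) -> list:
    """Return alert strings for the two indicators described in Method 1."""
    alerts = []
    if event_id == 4624 and fields.get("Logon Process") == "Kerberos":
        # Strip the domain prefix ("DOM\\user" or "DOM/user") before comparing.
        sid_name = re.split(r"[\\/]", fields.get("Security ID", ""))[-1]
        account = fields.get("Account Name", "")
        if sid_name.lower() != account.lower():
            alerts.append("4624 Security ID/Account Name mismatch: "
                          f"{fields.get('Security ID')} vs {account}")
    if event_id == 4769 and fields.get("Failure Code", "").lower() == "0x1f":
        alerts.append("4769 KDC integrity/decryption failure (0x1f) for "
                      f"{fields.get('Account Name')}")
    return alerts


def scan(events) -> list:
    """Run the checks over (event_id, body) records and collect alerts."""
    alerts = []
    for event_id, body in events:
        alerts.extend(check_event(event_id, parse_fields(body)))
    return alerts
```

Running scan(SAMPLE_EVENTS) yields one alert for the mismatched 4624 and one for the 0x1f 4769; as the paper notes, both are leads to investigate rather than proof of a forged ticket.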

Monitoring Changes to Domain Controller

Monitor domain controllers for active status.
Monitor domain controllers for restarts.
Detect changes in domain controller system resources.
Detect changes in LDAP.

RECOVERING FROM GOLDEN TICKET ATTACK

If a Golden Ticket attack is confirmed, and there have been any unauthorized modifications made by the attacker to Active Directory and the Domain Controller, then:

1. Access the backup media for a domain controller.
2. Restore the Active Directory database content.
3. Reset all service administrator account passwords.
4. Reset the KRBTGT password twice.
5. Change all local and domain user account passwords.
6. Review memberships in all service administrator groups.
7. Review installed software on all domain controllers and service administrator workstations.
8. Review all group policy settings and logon scripts.

Golden Tickets can still be created even if the incident response team changes the password of every local and domain user, unless the krbtgt password is changed. The krbtgt password has to be changed twice, because that deletes the old password hash history in Active Directory. There is a built-in fault tolerance that allows the previous password to still work, so that the user password can be rehashed in Active Directory when a user logs in with a password encrypted by the old krbtgt password hash.

MITIGATION

The following mitigation strategies can help an organization reduce its risk level.

Krbtgt Password Rotation

The krbtgt password remains unchanged for years; Microsoft should enforce a password rotation policy for the krbtgt account to avoid such attacks.

Restrict High Privileged Domain Accounts

Restrict administrators from logging in from any computer other than the domain controller.

High privileged accounts should not be able to access the Active Directory database (ntds.dit) file.

Additional Recommendations

Restrict and protect local accounts with administrative privileges.
Restrict inbound traffic using the Windows Firewall.
Update applications and operating systems.
Limit the number and use of high privileged domain accounts.

CONCLUSION

After the Golden Ticket vulnerability, the design of the Kerberos authentication system has been questioned. The Golden Ticket attack has produced a lot of recommendations for the new version of Kerberos. The TGT needs to be improved: logon hours and user group membership in the request should not be trusted even if decryption returns successfully. The KDC should verify the user after a certain amount of time based on the session timeline, ignoring the ticket expiry.