Golden Ticket Attack – krbtgt


August 29, 2021 Active Directory AD Security 1

Golden Ticket Attack – a Kerberos ticket (TGT) forged by an attacker after gaining access to your environment. It requires compromising the KRBTGT account: with the NTLM hash of the KRBTGT account, the attacker can forge tickets that impersonate any account, including Domain Admins. Even if the impersonated Domain Admin account is later terminated, the forged ticket that was already generated keeps working.

Silver Ticket – forged by cracking a computer (service) account password and using it to create a fake service ticket. Kerberos allows a service to accept a ticket without double-checking with the KDC that the ticket is actually valid, which is what attackers exploit to create Silver Tickets.

Here we are going to discuss the Golden Ticket in more detail.

The KRBTGT account is a default account that acts as the service account for the Key Distribution Center (KDC) service. You must reset the password twice because the KRBTGT account keeps only the two most recent passwords in its password history. By resetting the password twice, you effectively clear the old passwords from the password history.

How to Secure your Infrastructure?

  • Ensure a least-privilege model
  • Use a separate privileged admin account apart from the regular user account
  • Restrict email and Internet access for the sensitive privileged admin accounts
  • Ensure endpoint protection blocks attackers from loading modules [attacking tools]
  • Add another layer of protection for access to the Domain Controllers
  • Create a jump server that is the only host allowed to access the Domain Controllers
  • Configure the Domain Controllers to accept administrative connections only from that jump server
  • Do not delegate the privileged account
  • Restrict Domain and Enterprise Admins from logging on to workstations or servers [apart from Tier-0 servers]
  • Limit the Administrator, Domain Admin and Enterprise Admin access and group membership
  • Validate privileged user accounts that have Domain Admin or Replicating Directory Changes permissions.

What to do if KRBTGT is already compromised?

As a Domain Administrator, if you suspect that the domain or the KRBTGT account is compromised, isolate it from the network. It is not as easy as restoring the OS, because the attack is against a service whose secret has most probably replicated to all other Domain Controllers.

Reset the KRBTGT account password and renew the root CA certificate with a new key, immediately invalidating the old key issued by your CA. This impacts all Kerberos operations.

All TGTs already issued and distributed to AD user and computer accounts become invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT key so that any DC can validate them; when the password changes, the tickets become invalid.

Key Recommendation:

  • Every Active Directory domain has a KRBTGT account whose key encrypts the Kerberos tickets. The KRBTGT account should be in a disabled state.
  • Microsoft recommends resetting the KRBTGT account password every 180 days.
  • Resetting the password limits the lifetime of tickets issued under the old krbtgt key.
  • Validate privileged user accounts that have Domain Admin or Replicating Directory Changes permissions. These rights allow the holder to read objects from AD through replication; this access is used in a DCSync attack to obtain the KRBTGT hash and create Golden Tickets.
  • Validate the Kerberos ticket lifetime for all accounts. If any ticket exceeds the defined lifetime, the account is possibly compromised; Golden Tickets can be given a validity of 10 years.
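The following PowerShell is an added example, not part of the original post, that checks two of the recommendations above on a live domain: the age of the current krbtgt key against the 180-day interval, and which principals hold the directory replication rights used by DCSync. It assumes the ActiveDirectory RSAT module is installed and the session is authenticated to the domain; the extended-right GUIDs are the well-known Active Directory values for the three replication rights.

```powershell
# Added example (not from the original post): audit krbtgt key age and DCSync-capable principals.
# Assumes the ActiveDirectory module (RSAT) and a domain-authenticated session.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$maxAgeDays = 180   # Microsoft's recommended reset interval, as stated above

# 1. How old is the current krbtgt key, and is the account still disabled?
$krbtgt  = Get-ADUser -Identity krbtgt -Server $domain.PDCEmulator -Properties pwdLastSet, Enabled
$lastSet = [DateTime]::FromFileTime($krbtgt.pwdLastSet)
$age     = (Get-Date) - $lastSet
[pscustomobject]@{
    Account    = $krbtgt.SamAccountName
    Enabled    = $krbtgt.Enabled          # expected: False (disabled by default)
    PwdLastSet = $lastSet
    AgeDays    = [int]$age.TotalDays
    Overdue    = $age.TotalDays -gt $maxAgeDays
} | Format-List

# 2. Who holds the replication rights that DCSync relies on?
# Well-known extended-right GUIDs for the domain naming context. Compare the output with
# your expected defaults (Domain Controllers, Administrators, Enterprise Domain Controllers);
# any other user or group is a finding.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcb2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcb2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $replRights.ContainsKey($_.ObjectType.ToString()) } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference } },
                  @{ n = 'Right';     e = { $replRights[$_.ObjectType.ToString()] } },
                  IsInherited |
    Sort-Object Principal, Right |
    Format-Table -AutoSize

# 3. Effective Domain Admins (nested membership resolved), for the same review.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass |
    Format-Table -AutoSize
```

Run it on a scheduled basis and diff the output: a new principal appearing in the replication-rights list, or a krbtgt age creeping past 180 days, is exactly what the two bullets above ask you to catch.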

Impact Analysis
As a Domain Administrator you should be aware of the impact of this change, which helps to prevent other issues.

  • KRBTGT remembers the last two passwords when using Kerberos. Hence, changing it once is good, but you need to change it twice for best security practice.
  • Resetting the KRBTGT password twice is possible, but performing the second reset before the first has replicated to all other Domain Controllers can lead to other issues, possibly loss of access.

KRBTGT Reset Process

Assessment 

  • Validate the domain DNS name, PDC Emulator, and domain and forest functional level [should be Windows 2008 domain or higher]
  • Validate krbtgt information and the Kerberos policy…
  • Validate that all writable Domain Controllers are up and reachable over an RPC connection.
  • Validate the replication status of all writable Domain Controllers


Implementation & Validation

  • Reset the krbtgt account password [use a strong password, 18 to 26 characters long]
  • Replicate the change to all writable Domain Controllers [wait for the replication interval or trigger replication manually]
  • Validate that all writable Domain Controllers show the latest krbtgt timestamp [password last set]

Note:
All tickets based on the previous (N-1) krbtgt key should have expired before the second reset.


The command below triggers replication manually from the DC to all other DCs:

Repadmin /Syncall /APeD

The command below shows the last password set status of the krbtgt object on a target Domain Controller:

Repadmin /ShowObjMeta dc-1 "CN=krbtgt,CN=Users,DC=CloudApex,DC=com" | findstr unicodePwd

Validate that all Domain Controllers match the PDC timestamp before proceeding with the second reset.
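As an added example (not the post's own script), the PowerShell below carries out one reset pass end to end: the assessment checks, the wait for tickets under the previous key to expire, the reset, the manual replication trigger with the repadmin command above, and the per-DC timestamp validation. It assumes the ActiveDirectory RSAT module, repadmin.exe on the path, a Domain Admin session on the PDC Emulator, and that `-MaxTicketAgeHours` is set to the Maximum lifetime for user ticket value from your Kerberos policy (the Windows default is 10 hours). Run it once per reset pass; the second pass only proceeds after the wait check passes.

```powershell
# Added example, not the original post's script: one krbtgt reset pass with assessment and validation.
# Assumes ActiveDirectory RSAT module, repadmin.exe, and a Domain Admin session on the PDC Emulator.
param(
    [int]$MaxTicketAgeHours = 10,   # Kerberos policy "Maximum lifetime for user ticket"; 10 h is the default
    [switch]$Commit                 # without -Commit the script only assesses and reports
)
Import-Module ActiveDirectory

# --- Assessment ---------------------------------------------------------------------
$domain = Get-ADDomain
"Domain: {0}  PDC: {1}  DomainMode: {2}  ForestMode: {3}" -f `
    $domain.DNSRoot, $domain.PDCEmulator, $domain.DomainMode, (Get-ADForest).ForestMode
if ([int]$domain.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw 'Domain functional level must be Windows 2008 or higher.'
}

$krbtgtDn = "CN=krbtgt,CN=Users,$($domain.DistinguishedName)"
$krbtgt   = Get-ADObject -Identity $krbtgtDn -Server $domain.PDCEmulator -Properties pwdLastSet
$lastSet  = [DateTime]::FromFileTime($krbtgt.pwdLastSet)
"krbtgt pwdLastSet on PDC: $lastSet"

# Every writable DC must be up, reachable over RPC (TCP 135) and replicating without errors.
$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }
foreach ($dc in $dcs) {
    $rpc = Test-NetConnection -ComputerName $dc.HostName -Port 135 -WarningAction SilentlyContinue
    if (-not $rpc.TcpTestSucceeded) { throw "RPC unreachable: $($dc.HostName)" }
    $failed = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
              Where-Object { $_.LastReplicationResult -ne 0 }
    if ($failed) { throw "Replication errors on $($dc.HostName): $($failed.Partner -join ', ')" }
}
"All $($dcs.Count) writable DCs are reachable and replicating cleanly."

# The DCs accept tickets under the current and the previous key only. A further reset is safe
# once every TGT issued under the key before the last reset (N-1) has passed its maximum lifetime.
$hoursSinceLast = ((Get-Date) - $lastSet).TotalHours
if ($hoursSinceLast -lt $MaxTicketAgeHours) {
    "Last reset was $([int]$hoursSinceLast) h ago; wait until $MaxTicketAgeHours h have passed before resetting again."
    return
}
if (-not $Commit) { 'Assessment only; rerun with -Commit to perform the reset.'; return }

# --- Implementation -----------------------------------------------------------------
# 24-character random password (18 random bytes, Base64), inside the 18-26 range recommended above.
# Nobody ever types this value, so it is generated and discarded.
$bytes = New-Object byte[] 18
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $krbtgtDn -Server $domain.PDCEmulator -Reset -NewPassword $newPw

# Push the change to all DCs now instead of waiting for the replication interval (the post's command).
& repadmin.exe /syncall $domain.PDCEmulator /APeD | Out-Null

# --- Validation: every writable DC must carry the PDC's pwdLastSet before the next pass -----
$pdcStamp = (Get-ADObject -Identity $krbtgtDn -Server $domain.PDCEmulator -Properties pwdLastSet).pwdLastSet
$dcs | ForEach-Object {
    $stamp = (Get-ADObject -Identity $krbtgtDn -Server $_.HostName -Properties pwdLastSet).pwdLastSet
    [pscustomobject]@{
        DC         = $_.HostName
        PwdLastSet = [DateTime]::FromFileTime($stamp)
        InSync     = ($stamp -eq $pdcStamp)
    }
} | Format-Table -AutoSize
```

The InSync column must read True on every row before you run the script a second time with `-Commit`; a False row means the second reset would race the replication described in the Impact Analysis above.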


Secure the infrastructure irrespective of Gold or Silver Ticket, and be ready to defend against the offence…!


One Response

  1. Rishikesh Ranjan says:

    Nice explanation
