Golden Ticket Attack Explained (From the Blue Team Perspective)

How does Kerberos work?

Kerberos acts as a trusted third party that works with a domain controller (DC) to authenticate clients trying to access services. The Kerberos authentication workflow revolves around tickets: cryptographic proofs of identity that are exchanged between clients, services, and the DC.

How Kerberos works
  • Tickets: tokens that serve as proof of identity.
  • The ticket-granting ticket (TGT) is generated by the KDC.
  • The TGT is proof that the client has submitted valid user credentials to the KDC.
  • The TGS ticket is generated by the KDC. A TGS ticket is created for each service that the client (holding a valid TGT) wants to access.
  • The privilege attribute certificate (PAC) contains information about the client's privileges and allows the service to verify whether the client is authorized to access it. The PAC is placed in both the TGT and the TGS ticket.
  • KDC key: an encryption key that proves the TGT is valid. The KDC key is derived from the hashed password of the KRBTGT account, which is the first account created in an Active Directory domain (for example, krbtgt/orhan.com@orhan[.]com ).
  • Kerberos is built on symmetric key encryption (shared secrets). Hashed passwords act as encryption keys. Encryption protects passwords, prevents ticket tampering, and acts as an additional authentication mechanism.
Golden Ticket Usage Steps

How to Detect Golden Ticket Attacks?

Monitor for any unusual activity associated with Active Directory and Kerberos. You can audit Kerberos AS and TGS events for inconsistencies. Windows logon and logoff events with blank fields (Event IDs 4624, 4672, and 4634) can be indicators of pass-the-ticket activity associated with golden tickets. Other indications of a golden ticket attack may include TGS ticket requests with no previous TGT request, or TGTs with arbitrary lifetime values.
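As an added example (not code from the original post), the indicators above expressed as a small check run over constructed sample events: a TGS request (4769) with no preceding TGT request (4768) for that account, and logon events (4624/4672/4634) with blank fields. The simplified field names and the assumed 10-hour TGT window are assumptions, not Windows log schema.

```python
# Added example (not from the original post): flag the golden-ticket indicators the
# article lists, run over constructed sample events. Field names are simplified
# stand-ins for Windows Security log fields; the events themselves are made up.
from datetime import datetime, timedelta

# Constructed sample events. Event 4768 = TGT request, 4769 = TGS request,
# 4624 = logon, 4672 = special privileges assigned.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "id": 4768, "account": "alice", "domain": "ORHAN"},
    {"time": "2024-01-10T09:00:05", "id": 4769, "account": "alice", "domain": "ORHAN"},
    {"time": "2024-01-10T09:00:06", "id": 4624, "account": "alice", "domain": "ORHAN"},
    # TGS request with no TGT request before it (a forged TGT presented directly)
    {"time": "2024-01-10T11:30:00", "id": 4769, "account": "bob", "domain": "ORHAN"},
    # Logon events with a blank domain field
    {"time": "2024-01-10T11:30:02", "id": 4624, "account": "bob", "domain": ""},
    {"time": "2024-01-10T11:30:02", "id": 4672, "account": "bob", "domain": ""},
]

LOGON_IDS = {4624, 4672, 4634}
TGT_WINDOW = timedelta(hours=10)  # assumption: a TGT request within the last 10h is expected


def find_golden_ticket_indicators(events, window=TGT_WINDOW):
    """Return a list of (event, reason) for events matching the article's indicators."""
    findings = []
    last_tgt = {}  # account -> time of the most recent TGT request seen
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = ev["account"].lower()
        if ev["id"] == 4768:
            last_tgt[key] = ts
        elif ev["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or ts - seen > window:
                findings.append((ev, "TGS request without a preceding TGT request"))
        elif ev["id"] in LOGON_IDS:
            blanks = [f for f in ("account", "domain") if not ev[f].strip()]
            if blanks:
                findings.append((ev, "logon event with blank field(s): " + ", ".join(blanks)))
    return findings


if __name__ == "__main__":
    for ev, reason in find_golden_ticket_indicators(SAMPLE_EVENTS):
        print(f"{ev['time']} event {ev['id']} {ev['account']!r}: {reason}")
```

On the sample data, only the three "bob" events are reported; a real deployment would key on the logon ID and the requesting DC rather than on the account name alone.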

How to Prevent Golden Ticket Attacks?

  • Routinely update the KRBTGT password twice. Changing the password twice will invalidate any ticket signed with a stolen KDC key.
  • The DC stores two versions (current and previous) of the KRBTGT password; this allows the KDC to check whether an invalid TGT carries a KDC key that matches a previous KRBTGT password. (Windows Event ID 4769 will notify you if a golden ticket is sent to a DC after the KRBTGT password has been reset twice.)
  • Ensure DCs are well protected by limiting the number of accounts with domain administrator privileges.
  • Limit the number of servers a domain administrator logs on to and assign administrative privileges to special administrator groups. Follow these recommendations to reduce the attack surface for compromising a domain administrator account and accessing a DC.

Orhan Öztaş

Blue Team Member. I am writing articles for helping you about cyber security.