A Kerberos golden ticket allows an attacker to establish persistent and covert authenticated access to a Windows domain. The attack works as follows:
- The attacker gains administrator privileges in the domain
- The attacker extracts the NTLM hash of the domain user “krbtgt” and obtains the SID of the target domain
- The attacker forges a Kerberos ticket
- This ticket is used to authenticate to the domain with domain administrator privileges
Here’s a detailed walkthrough on how to use golden tickets on Kali Linux.
Let’s start with obtaining the krbtgt NTLM hash. I use an encoded version of the mimikatz utility that gets me the krbtgt hash without alerting AV (https://github.com/artkond/bat-armor/blob/master/examples/krbtgt.bat):
Can you reverse this program?
Peeking into the file:
So no easy flag today ;) Ok, no problem, fire up IDA + linux_server and let’s roll. sub_80484C0 is our main function:
Ok so we’re presented with an arcfour.exe binary.
Well, simple enough! Just unpack it with `upx -d` and load it into IDA: