Attacking AD environments
Last updated
Based on blog posts from Microsoft, adsecurity and other blogs.
In a Windows environment, NTLM, NTLMv2 and Kerberos all use the NT hash (usually called the NTLM hash).
There are actually several types of pass-the-hash attacks:
Pass the Hash: Performing NTLM authentication with a stolen NT hash (e.g. obtained by dumping LSASS memory and running mimikatz on the dump offline)
Over-pass the Hash: Using the NT hash to retrieve a Kerberos TGT
Pass the Ticket: Stealing Kerberos tickets from a host
When an adversary has infiltrated the network and become an admin of the domain controllers, they essentially own the Windows environment. However, to increase persistence, the adversary can issue Golden Tickets with virtually infinite lifetime for any account.
In a Windows environment, authentication is based on Kerberos tickets, which are issued by the KDC (Key Distribution Center) running on the domain controllers. Kerberos has a separate page in these docs, but the important aspect here is that Kerberos has two ticket types:
Ticket-granting Ticket (TGT): Acts as proof of authentication and is used to retrieve Service Tickets.
Service Tickets: Authenticates the user towards the service in question.
The KDC runs on the domain controllers under the KRBTGT system account. The password hash of the KRBTGT account is the key used for encrypting and signing the issued TGTs.
So, a Golden Ticket is a custom-forged TGT created with the password hash of the KRBTGT account. Since the KDC trusts every TGT that validates under its own key, regardless of the policies set in AD, the forged TGT can contain arbitrary attributes, including username, domain and group membership.
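A toy model of that trust relationship, added here as an example and not code from the original page or its sources: the KDC's only check on a presented TGT is that it was produced under the KRBTGT key, so a ticket forged with that key is indistinguishable to the KDC from one it issued itself. The signals a defender can still use are the attributes the forger chose, such as a lifetime beyond the domain's maximum TGT lifetime (10 hours by default in AD) or a principal, RID or group set that the directory never granted. HMAC-SHA256 over a JSON body stands in for Kerberos encryption and checksums, the KRBTGT key, the directory snapshot and the timestamps are all constructed for the example, and the blob is not the real ASN.1 ticket format.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the KRBTGT secret (a real KDC derives its ticket
# keys from the KRBTGT password hash; this is not that derivation).
KRBTGT_KEY = hashlib.sha256(b"constructed-krbtgt-secret").digest()

# Constructed directory snapshot: what AD says each principal is allowed to be.
DIRECTORY = {
    "alice": {"rid": 1105, "groups": [513]},        # 513 = Domain Users
    "bob":   {"rid": 1106, "groups": [513, 1107]},
}
MAX_TGT_LIFETIME = 10 * 3600     # AD default Kerberos policy: 10 hours
TAG_LEN = 32                     # HMAC-SHA256 length, appended to the body
NOW = 1_700_000_000              # fixed "current time" for a deterministic example


def make_tgt(key, user, rid, groups, issued_at, lifetime):
    """Build a TGT-like blob: chosen attributes plus a MAC under the KRBTGT key.
    Nothing here consults directory policy; whoever holds the key chooses the body."""
    body = json.dumps({"user": user, "rid": rid, "groups": sorted(groups),
                       "auth_time": issued_at, "end_time": issued_at + lifetime},
                      sort_keys=True).encode()
    return body + hmac.new(key, body, "sha256").digest()


def kdc_accepts(key, tgt):
    """The KDC's check: was this ticket made with my key? Nothing else."""
    body, tag = tgt[:-TAG_LEN], tgt[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag)


def policy_findings(tgt, directory, now=NOW, max_lifetime=MAX_TGT_LIFETIME):
    """Defender-side checks the KDC never performs: compare the ticket's claims
    against domain policy and the directory. Returns a list of findings."""
    body = tgt[:-TAG_LEN]
    t = json.loads(body)
    findings = []
    if t["end_time"] - t["auth_time"] > max_lifetime:
        findings.append("lifetime exceeds domain maximum")
    if t["end_time"] < now:
        findings.append("ticket expired")
    entry = directory.get(t["user"])
    if entry is None:
        findings.append("principal not in directory")
    else:
        if entry["rid"] != t["rid"]:
            findings.append("RID does not match directory")
        if not set(t["groups"]) <= set(entry["groups"]):
            findings.append("group membership not granted by directory")
    return findings


def demo():
    """Issue one legitimate TGT and two forged ones and show that the KDC accepts
    all three while the policy check flags only the forged ones."""
    legit = make_tgt(KRBTGT_KEY, "alice", 1105, [513], NOW, 10 * 3600)
    # Forged with a stolen key: non-existent user, RID 500, privileged groups, 10-year lifetime.
    golden = make_tgt(KRBTGT_KEY, "ghost", 500, [512, 513, 519], NOW, 10 * 365 * 86400)
    # Forged for a real user but with Domain Admins (512) added to the groups.
    escalated = make_tgt(KRBTGT_KEY, "alice", 1105, [512, 513], NOW, 10 * 3600)
    return {
        name: (kdc_accepts(KRBTGT_KEY, tgt), policy_findings(tgt, DIRECTORY))
        for name, tgt in (("legit", legit), ("golden", golden), ("escalated", escalated))
    }


if __name__ == "__main__":
    for name, (accepted, findings) in demo().items():
        print(f"{name:10} kdc_accepts={accepted} findings={findings}")
```

The design point is that rotating the KRBTGT key is what invalidates forged tickets, because `kdc_accepts` is the only gate the KDC applies; everything in `policy_findings` is detection that has to run outside the KDC, for example over ticket-request events, and it can only catch forgeries whose attributes deviate from what the directory would have issued.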
Dump LSASS -> NTLM hash
Dump SAM file
: Mitigates kernel-based attacks (by running multiple virtualized kernels). Default in Windows 11. This activates .