Comment on page
Attacking AD environments
In a Windows-environment, NTLM, NTLMv2, and Kerberos all use the NT-hash (usually called NTLM-hash).
There are actually several types of pass the hash attacks:
- Pass the Hash: Performing NTLM authentication with stolen NT-hash (e.g. by dumping LSASS memory and exec mimikatz offline)
- Over-pass the Hash: Use NT-hash to retrieve a Kerberos TGT
- Pass the ticket: Stealing Kerberos tickets from host
.... Lorem Ipsum .....
When an adversary has infiltrated the network and become admin of the domain controllers, they essentially own the Windows environment. However, in increase the level of persistence, the adversary could issue Golden Tickets with virtually infinite lifetime to any account.
In a Windows environment, the authentication is based on Kerberos tickets which are issued by KDC running on domain controllers. The Kerberos Authentication Protocol has a separate page in this docs but the important aspects are that Kerberos has two ticket types:
- Ticket-granting Ticket (TGT): Acts a as a proof-of-authentication and is used to retrieve Service Tickets.
- Service Tickets: Authenticates the user towards the service in question.
The KDC runs on domain controllers as the KRBTGT system account. The password hash of the KRBTGT account is the key for encrypting/signing the issued TGTs.
So, a Golden Ticket is a custom-forged TGT using the password hash of the KRBTGT account. Since the KDC trusts all TGTs which it has issued, regardless of set policies in the AD, the TGT can contain custom attributes, including Username, Domain and Group Membership.
In order to mitigate this, the KRBTGT password must be changed twice. This will invalidate all existing TGTs in the domain, any Golden Tickets included.
Windows Virtualization-based Security (VBS): Mitigates kernel-based attacks (by multiple virtualized kernels) Default in Windows 11. This activates Credential Guard.
- Dump LSASS -> NTLM hash
- Dump SAM file