Golden Tickets: Full Access to the Domain

What is a Golden Ticket?

A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT). The Key Distribution Center (KDC) trusts any TGT that decrypts correctly with the key of the KRBTGT account, so an attacker who has obtained that key can mint their own TGT and impersonate any user in the domain (including the most powerful ones, like Domain Admins) without knowing that user's password.

In simple terms, it’s like getting a master key to the entire building—once the attacker has a Golden Ticket, they can access anything in the network without anyone stopping them.

Why is a Golden Ticket Dangerous?

  1. Domain-Wide Access:
    • A Golden Ticket gives an attacker the ability to impersonate any user in the domain, including Domain Admins. This is essentially the highest level of control within the network.
  2. Full Control:
    • Once the attacker has a Golden Ticket, they can access all systems, steal data, change passwords, and perform any action that a legitimate user, especially an admin, could do.
  3. Persistence:
    • The attacker picks the ticket's lifetime when forging it (Mimikatz defaults to ten years), so the ticket outlives any normal logon session. It keeps working until the KRBTGT account password has been reset twice: the KDC also accepts tickets encrypted with the previous KRBTGT key, so a single reset is not enough.
  4. Hard to Detect:
    • The Golden Ticket is encrypted with the real KRBTGT key, so the KDC cannot tell it apart from one it issued itself. Detection has to rely on side effects: a service ticket being requested by an account that never requested a TGT, an RC4-encrypted ticket in an AES-only domain, or a ticket whose lifetime or group list does not match domain policy.

How Does a Golden Ticket Work?

Here’s a breakdown of the Golden Ticket process:

Step 1: Steal the KRBTGT Account Password

  • The first thing an attacker needs is the secret of the KRBTGT account: its NT password hash or AES key. The KRBTGT account is a special account whose key the Key Distribution Center (KDC) uses to encrypt and sign every TGT in the domain. The plaintext password is never needed, and the account is never used to log on.
  • Real-World Example: The attacker compromises a Domain Admin account (or any account holding the "Replicating Directory Changes All" right) and uses DCSync (Mimikatz lsadump::dcsync) to ask a domain controller to replicate the KRBTGT hash, or extracts it from a copy of the NTDS.dit database taken from a domain controller.

Step 2: Create a Golden Ticket

  • Once the attacker has the KRBTGT key, they can forge a TGT (Golden Ticket) offline, on their own machine. The ticket is encrypted and its PAC signed with that key, so to the KDC it is indistinguishable from a TGT it issued itself.
  • The attacker chooses who to impersonate (a Domain Admin or any other user), which groups appear in the ticket's PAC, and how long the ticket lasts. They also need the domain's SID, which DCSync prints and which any authenticated user can read. Since the Kerberos hardening of November 2021, the KDC checks that the account named in the ticket actually exists, so forged tickets for invented usernames are rejected; an attacker simply names a real account.

Step 3: Use the Golden Ticket to Access the Domain

  • The attacker injects the Golden Ticket into a logon session (Mimikatz's /ptt option) and uses it to request service tickets from the KDC for any computer or service in the domain, exactly as a logged-on user would. No password is ever typed, so nothing fails and nothing is locked out, and the attacker moves around the network like a legitimate user.

Step 4: Gain Full Control

  • With the Golden Ticket, the attacker can perform any action they want, like creating new user accounts, changing permissions, stealing sensitive data, or even disabling security measures.

Real-World Example of a Golden Ticket Attack:

Imagine you’re an attacker trying to break into a company’s network and steal its data. Here’s how a Golden Ticket attack might unfold:

  1. Step 1 – Compromise a Domain Admin Account:
    • You first compromise a Domain Admin’s password through phishing, social engineering, or another method.
  2. Step 2 – Dump the KRBTGT Password Hash:
    • Using DCSync (Mimikatz lsadump::dcsync), you use the compromised Domain Admin's rights to ask a domain controller to replicate the KRBTGT account's password hash. The hash is stored only on domain controllers, so it cannot simply be read from an ordinary compromised workstation.
  3. Step 3 – Create a Golden Ticket:
    • With the KRBTGT hash and the domain SID, you use a tool like Mimikatz to forge a Golden Ticket. You decide to impersonate the built-in Administrator account (RID 500), with Domain Admins and Enterprise Admins in its group list, so you can access the whole network.
  4. Step 4 – Access the Domain:
    • You use the forged Golden Ticket to log into any computer or server in the domain as a Domain Admin—without needing the original credentials.
  5. Step 5 – Full Control:
    • Now, as a Domain Admin, you can create new accounts, steal sensitive company data, install malicious software, or even remove security measures like antivirus programs. You have full control of the entire network.

Why is a Golden Ticket So Hard to Stop?

  1. Complete Control Over the Network:
    • Since a Golden Ticket allows you to impersonate any user, including high-privilege users like Domain Admins, the attacker essentially has complete control over the network. They can make any changes they want to the system.
  2. Stealthy and Persistent Access:
    • The attacker can use the Golden Ticket for as long as its self-chosen lifetime lasts, often without being noticed. Because the ticket survives ordinary password changes, reboots and the normal ticket lifetime, it gives the attacker persistent access until the KRBTGT password is reset twice.
  3. Bypassing Security:
    • The KDC never sees a password, a smart card or a second factor, only a ticket that decrypts correctly with the KRBTGT key. Password-based and logon-based controls are therefore bypassed entirely, and the attacker acts as a legitimate, trusted user.

Diagram of Golden Ticket Attack:

Here’s a diagram showing how a Golden Ticket works:

Steps in the Diagram:

  1. Compromise Domain Admin Account: The attacker gets hold of a Domain Admin account, which carries the replication rights needed to pull the KRBTGT secret from a domain controller.
  2. Dump KRBTGT Password Hash: The attacker uses tools like Mimikatz to extract the KRBTGT password hash, which is needed to create the Golden Ticket.
  3. Create Golden Ticket: Using the KRBTGT password hash, the attacker forges a Golden Ticket that looks valid to the system.
  4. Use Golden Ticket: The attacker uses the Golden Ticket to log into any resource in the domain as a Domain Admin, even though they didn’t have the original credentials.
  5. Gain Full Control: Once inside, the attacker has complete control over the domain and can perform any action they want, like creating new accounts or stealing data.

How to Defend Against Golden Ticket Attacks:

  1. Reset the KRBTGT Password Twice:
    • The single most effective fix. Every Golden Ticket is encrypted with the KRBTGT key, so changing that key invalidates all of them. The KDC keeps the previous key as well (so that recently issued legitimate tickets keep working), which means the password must be reset twice, with enough time between resets for the change to replicate to every domain controller. Do this on a schedule (for example, twice a year) and immediately after any Domain Admin or domain controller compromise.
  2. Monitor for Unusual Kerberos Activity:
    • On the domain controllers, correlate event 4769 (service ticket requested) with event 4768 (TGT requested). A service ticket for an account and client that never requested a TGT, a ticket encrypted with RC4 (type 0x17) in a domain that uses AES, or a ticket for an account name that does not exist are all signs of a forged TGT being presented.
  3. Use Multi-Factor Authentication (MFA):
    • MFA does not stop a Golden Ticket once it exists, because the KDC never sees a password or a second factor, only a ticket that decrypts correctly. What MFA does is raise the cost of the first step: stealing a Domain Admin credential that can be used to pull the KRBTGT hash.
  4. Limit Privileges:
    • Keep the number of Domain Admins small, and treat any account that holds replication rights on the domain (the rights DCSync needs) as Domain Admin-equivalent. Domain Admins should only log on to domain controllers or dedicated admin workstations, so their credentials are never cached on ordinary machines.
  5. Enable Security Monitoring:
    • Forward the domain controllers' Security logs (events 4768, 4769, 4624 and 4672) to a central SIEM. The correlation above only works when events from every domain controller are visible in one place, because the TGT may have been issued by a different DC than the one that issued the service ticket.
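The double KRBTGT reset from item 1 as a runnable procedure. This is an added example, not the post's own script; it assumes the RSAT ActiveDirectory module, Domain Admin rights and a single domain, and discovers the PDC emulator and the other domain controllers live instead of assuming their names.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory,
# Domain Admin rights, and a single domain whose DCs are discovered below.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 48 random bytes as base64. Nobody ever needs to know the KRBTGT password;
    # only the key derived from it matters, so it only has to be unguessable.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtOnce {
    param([Parameter(Mandatory)][string]$Pdc)
    $before = (Get-ADUser krbtgt -Server $Pdc -Properties PasswordLastSet).PasswordLastSet
    Set-ADAccountPassword -Identity krbtgt -Server $Pdc -Reset -NewPassword (New-RandomPassword)
    $after = (Get-ADUser krbtgt -Server $Pdc -Properties PasswordLastSet).PasswordLastSet
    if ($after -le $before) { throw "krbtgt reset on $Pdc did not take effect" }
    return $after
}

function Wait-KrbtgtReplicated {
    # Poll every writable DC until each one reports the new PasswordLastSet.
    param([Parameter(Mandatory)][datetime]$ExpectedPwdLastSet, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    do {
        $lagging = foreach ($dc in $dcs) {
            $seen = (Get-ADUser krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet
            if ($seen -lt $ExpectedPwdLastSet) { $dc }
        }
        if (-not $lagging) { return $true }
        Write-Host "Waiting for replication on: $($lagging -join ', ')"
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt password did not replicate to all DCs within $TimeoutMinutes minutes"
}

$pdc = (Get-ADDomain).PDCEmulator

# Reset 1 replaces the key the attacker dumped, but the KDC still honours the
# previous key (n-1), so Golden Tickets forged under it keep working.
$first = Reset-KrbtgtOnce -Pdc $pdc
Wait-KrbtgtReplicated -ExpectedPwdLastSet $first

# Reset 2: now neither the current nor the previous key is known to the attacker.
$second = Reset-KrbtgtOnce -Pdc $pdc
Wait-KrbtgtReplicated -ExpectedPwdLastSet $second
Write-Host "krbtgt reset twice; PasswordLastSet is now $second"
```

For a planned rotation, wait at least the maximum TGT lifetime (10 hours by default) between the two resets so legitimate tickets expire gracefully; during a confirmed compromise, run the second reset as soon as replication has converged and accept that users and services will re-authenticate. Never run a third reset before the second has replicated everywhere: a DC that never saw the intermediate key cannot decrypt anything issued under it, and authentication breaks domain-wide.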

Summary of Golden Tickets:

  • A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) that allows an attacker to impersonate any user, including Domain Admins, and gain full control of a network.
  • Golden Tickets give attackers persistent, hard-to-detect access to the domain until the KRBTGT password is reset twice.
  • Golden Ticket attacks are extremely dangerous because they give the attacker complete control over the entire network.

To protect against Golden Ticket attacks, keep Domain Admin credentials off ordinary machines, reset the KRBTGT password twice on a schedule and after any suspected compromise, and correlate the domain controllers' Kerberos events to spot tickets that the KDC never issued.
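The correlation described in item 2 of the defenses above (monitoring Kerberos ticket activity) and in this summary, as an added example that is not part of the original post. The sample events are constructed inline so the logic runs without a domain; Get-KerberosEvents shows how the same shape is built from a domain controller's real Security log. Account names, IP addresses and the assumption that the domain is AES-only are placeholders.

```powershell
# Added example, not from the original post. Sample events below are constructed.

function Get-KerberosEvents {
    # Pull 4768 (TGT issued) and 4769 (service ticket issued) from a DC's
    # Security log and flatten EventData into the same shape as $sample below.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            User    = ($d['TargetUserName'] -split '@')[0]
            Service = $d['ServiceName']
            Ip      = $d['IpAddress'] -replace '^::ffff:', ''
            EncType = $d['TicketEncryptionType']
        }
    }
}

function Find-GoldenTicketIndicators {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$LookbackHours = 10,        # default maximum TGT lifetime in AD
        [string[]]$KnownAccounts         # in practice: (Get-ADUser -Filter *).SamAccountName
    )
    $tgts = $Events | Where-Object Id -eq 4768
    foreach ($e in ($Events | Where-Object Id -eq 4769)) {
        $reasons = @()
        # 1. Service ticket with no TGT request from the same account and client
        #    inside the ticket lifetime: a ticket injected with /ptt is never
        #    requested from the KDC, so no 4768 exists for it.
        $priorTgt = $tgts | Where-Object {
            $_.User -eq $e.User -and $_.Ip -eq $e.Ip -and
            $_.Time -le $e.Time -and $_.Time -ge $e.Time.AddHours(-$LookbackHours)
        }
        if (-not $priorTgt) { $reasons += 'TGS without preceding TGT (4768) from same client' }
        # 2. RC4-HMAC (0x17) where AES is expected: Mimikatz forges with the NT
        #    hash (an RC4 key) unless the attacker supplies /aes256.
        if ($e.EncType -eq '0x17') { $reasons += 'RC4-HMAC ticket in an AES domain' }
        # 3. Account name that does not exist in the directory.
        if ($KnownAccounts -and ($e.User -notin $KnownAccounts)) { $reasons += 'account not present in AD' }
        if ($reasons) {
            [pscustomobject]@{ Time = $e.Time; User = $e.User; Ip = $e.Ip; Service = $e.Service; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample: one legitimate AES logon, then an injected Golden Ticket.
$t0 = Get-Date '2024-05-01T09:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t0;               Id = 4768; User = 'alice';         Service = 'krbtgt';    Ip = '10.0.0.15'; EncType = '0x12' }
    [pscustomobject]@{ Time = $t0.AddMinutes(1); Id = 4769; User = 'alice';         Service = 'cifs/fs01'; Ip = '10.0.0.15'; EncType = '0x12' }
    # Forged: no 4768 for this client, RC4 encryption, real account name (post-2021 it must exist)
    [pscustomobject]@{ Time = $t0.AddMinutes(5); Id = 4769; User = 'Administrator'; Service = 'cifs/dc01'; Ip = '10.0.0.99'; EncType = '0x17' }
)
Find-GoldenTicketIndicators -Events $sample -KnownAccounts 'alice', 'Administrator' | Format-Table -AutoSize
```

Run against the sample, only the Administrator request is flagged, with two reasons. Each indicator on its own produces false positives (a legacy system may legitimately negotiate RC4; the TGT may have been issued by a different DC), so feed the function events gathered from every domain controller and treat two or more reasons on the same ticket as the alert condition.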

 

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.