Active Directory, A Guide To Golden Tickets

Authentication within Active Directory is handled by Kerberos. When a client signs in, it sends an authentication request (AS-REQ) to the domain controller, which acts as the KDC (Key Distribution Centre); the KDC returns a TGT (Ticket Granting Ticket) encrypted with the key of the krbtgt account, so only the KDC itself can read or verify it. When the client then wants a resource, it presents the TGT to the KDC's TGS (Ticket Granting Service) along with the SPN (Service Principal Name) of the target. All being well, the KDC validates the TGT and returns a service ticket, encrypted with the target service's key, together with a session key; the client presents that service ticket to the service to gain access.

Tickets allow clients to authenticate for as long as the ticket is valid. By default a TGT is valid for 10 hours (the "Maximum lifetime for user ticket" setting in the domain's Kerberos policy) and can be renewed for up to 7 days, after which the client has to authenticate with its credentials all over again.

Domain administrators typically set a password policy that forces users to change their password every 30 days or so, so that credentials an attacker has stolen stop working once the password rotates. A golden ticket is extremely sought after precisely because it sidesteps both limits, the ticket lifetime and the password rotation.

What Is A Golden Ticket

A golden ticket is a forged TGT. Because every TGT is encrypted and signed with the krbtgt account's key, anyone who has obtained that key (its NTLM hash or AES key, which requires Domain Admin level access, for example via DCSync or a copy of NTDS.dit) can mint a TGT for any account, typically a Domain Administrator, with whatever group memberships they choose, and the KDC will accept it as genuine. Unlike authentic tickets, the golden ticket is not bound by the 10-hour lifetime: attackers usually set it to last years (the Mimikatz default is 10 years), giving persistent access to the domain regardless of whether the impersonated user's password is later changed. One caveat: since the November 2021 Kerberos hardening (KB5008380) fully enforced domain controllers check that the account named in the ticket actually exists, so tickets forged for made-up users no longer work; tickets forged for real accounts still do.

Defending Against Golden Tickets

If a golden ticket has been created then it is safe to assume the domain has been fully compromised, since the attacker had to hold Domain Admin level access to obtain the krbtgt key in the first place. Because every TGT is encrypted with the krbtgt key, the only way to invalidate a golden ticket is to reset the krbtgt password, and it has to be reset twice: the KDC accepts tickets encrypted with either the current or the previous krbtgt key, so after a single reset the forged ticket still validates against the previous key. Leave a gap between the two resets of at least the maximum TGT lifetime (10 hours by default) plus AD replication time; resetting twice in quick succession also invalidates every legitimate TGT and forces the whole domain to re-authenticate. Rotating the key only evicts the attacker if their original foothold has been closed; otherwise they simply dump the new key.

Nobody normally knows the krbtgt password (the domain controller generates a random one), but anyone with Domain Admin, Domain Controller or equivalent rights could have extracted its hash. Whenever such a person leaves the organisation, or has those rights removed, reset the krbtgt password (twice, as above) so that any copy of the key they may have taken with them is useless; rotating it on a regular schedule is good practice regardless.
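The double reset described above, as an added example that is not part of the original article. It assumes the ActiveDirectory RSAT module, a Domain Admin session on a domain-joined host, and a 10-hour maximum TGT lifetime (the default; check your Kerberos policy GPO). The function name Reset-KrbtgtKey is mine. Run it once, wait at least one maximum TGT lifetime plus replication time, then run it again; the built-in spacing check stops you running the second reset too early.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory RSAT module
# and a Domain Admin session; the 10-hour TGT lifetime is the assumed policy default.
Import-Module ActiveDirectory

function Reset-KrbtgtKey {
    param(
        # Assumed value of the "Maximum lifetime for user ticket" Kerberos policy; check your GPO.
        [TimeSpan]$MaxTgtLifetime = (New-TimeSpan -Hours 10),
        # Skip the spacing check if you knowingly accept a domain-wide re-authentication.
        [switch]$Force
    )

    $before = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $before.PasswordLastSet
    if (-not $Force -and $age -lt $MaxTgtLifetime) {
        $msg = "krbtgt key was last set {0:N0} minutes ago; legitimate TGTs issued under the previous key may still be live. Wait until {1} or re-run with -Force." -f $age.TotalMinutes, ($before.PasswordLastSet + $MaxTgtLifetime)
        throw $msg
    }

    # The DC ignores the value supplied for krbtgt and generates a random key, but the cmdlet still requires one.
    $placeholder = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $placeholder

    $after = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    Write-Host ("krbtgt PasswordLastSet: {0} -> {1}" -f $before.PasswordLastSet, $after.PasswordLastSet)

    # Do not count the reset as done until every writable DC holds the new key: a DC still on the
    # old key keeps validating the forged ticket. (RODCs use their own krbtgt_<id> accounts.)
    foreach ($dc in (Get-ADDomainController -Filter { IsReadOnly -eq $false })) {
        $remote = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
        $state = if ($remote.PasswordLastSet -eq $after.PasswordLastSet) { 'replicated' } else { 'PENDING' }
        Write-Host ("{0,-40} {1}" -f $dc.HostName, $state)
    }
    return $after.PasswordLastSet
}

# First reset: a ticket forged with the stolen key still validates against the "previous" key.
Reset-KrbtgtKey
# Second reset, after the wait: the stolen key is no longer one of the two keys the KDC accepts.
# Reset-KrbtgtKey
```

If any DC reports PENDING, force replication (for example with repadmin /syncall) and re-check before starting the clock on the second reset; the wait only counts from the moment the last DC has the new key.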

Beyond responding to golden tickets that have already been created, domain admins can take a proactive approach. Scanning endpoints for tooling that forges tickets (Mimikatz's kerberos::golden, Rubeus's golden command) is one measure, but such binaries are easily renamed or loaded straight into memory, so detection should focus on the tickets themselves. On the domain controllers, a service-ticket request (Event ID 4769) for an account that does not exist in the directory, or with no corresponding TGT request (Event ID 4768) from the same client within the TGT lifetime, is a sign that the TGT was forged rather than issued by the KDC.
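The two checks above, as an added example that is not part of the original article. The function names Find-SuspiciousTgsRequests and ConvertFrom-KerberosEvent are mine, the sample events are constructed, and the 10-hour TGT lifetime is the assumed policy default. Field names follow the 4768/4769 event XML schema (TargetUserName, TargetDomainName, IpAddress); note that 4768 logs the bare account name while 4769 logs it as user@REALM.

```powershell
# Added example, not from the original article. Flags 4769 events for accounts that do not
# exist in AD and 4769 events with no 4768 from the same client within the TGT lifetime.
function Find-SuspiciousTgsRequests {
    param(
        [object[]]$Events,                  # objects with Id, TimeCreated, TargetUserName, TargetDomainName, IpAddress
        [string[]]$KnownAccounts,           # sAMAccountNames from AD, e.g. (Get-ADUser -Filter *).SamAccountName
        [TimeSpan]$MaxTgtLifetime = (New-TimeSpan -Hours 10)   # assumed Kerberos policy default
    )
    $tgtRequests = $Events | Where-Object Id -eq 4768
    foreach ($e in ($Events | Where-Object Id -eq 4769)) {
        $user = ($e.TargetUserName -split '@')[0]   # 4769 logs user@REALM; 4768 logs the bare name
        $reasons = @()

        if ($KnownAccounts -notcontains $user) {
            $reasons += 'account does not exist in AD'
        }

        # A genuine TGS request must have been preceded by a TGT request from the same client for the
        # same account, no longer ago than a TGT can live. A forged TGT never produced a 4768.
        $priorTgt = $tgtRequests | Where-Object {
            $_.TargetUserName -eq $user -and
            $_.IpAddress -eq $e.IpAddress -and
            $_.TimeCreated -le $e.TimeCreated -and
            ($e.TimeCreated - $_.TimeCreated) -le $MaxTgtLifetime
        }
        if (-not $priorTgt) { $reasons += 'no 4768 from this client within the TGT lifetime' }

        if ($reasons) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = $user
                Client  = $e.IpAddress
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Flattens a real Security-log record into the shape Find-SuspiciousTgsRequests expects.
function ConvertFrom-KerberosEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Id               = $Record.Id
        TimeCreated      = $Record.TimeCreated
        TargetUserName   = $data.TargetUserName
        TargetDomainName = $data.TargetDomainName
        IpAddress        = $data.IpAddress
    }
}

# Constructed sample events (not real log data): one normal logon and one that looks forged.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Id = 4768; TimeCreated = $now.AddHours(-2); TargetUserName = 'alice';                TargetDomainName = 'CORP';       IpAddress = '::ffff:10.0.0.15' },
    [pscustomobject]@{ Id = 4769; TimeCreated = $now.AddHours(-1); TargetUserName = 'alice@CORP.LOCAL';     TargetDomainName = 'CORP.LOCAL'; IpAddress = '::ffff:10.0.0.15' },
    # Service ticket requested for an account AD has never heard of, from a host that never requested a TGT.
    [pscustomobject]@{ Id = 4769; TimeCreated = $now;              TargetUserName = 'ghostadmin@CORP.LOCAL'; TargetDomainName = 'CORP.LOCAL'; IpAddress = '::ffff:10.0.0.99' }
)
Find-SuspiciousTgsRequests -Events $sample -KnownAccounts @('alice', 'bob', 'krbtgt') | Format-Table -AutoSize

# Against live data, run on each DC (or over centralised logs):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } |
#     ForEach-Object { ConvertFrom-KerberosEvent $_ } |
#     Find-SuspiciousTgsRequests -KnownAccounts (Get-ADUser -Filter *).SamAccountName
```

Two caveats when using this for real: the 4768 and the later 4769 may land on different domain controllers, so feed the function events from every DC (or a central log collector) or every cross-DC logon will be flagged, and a client that renews its TGT (Event ID 4770) rather than requesting a new one will exceed the lifetime window, so treat the missing-4768 check as a lead to investigate rather than proof on its own.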

