The Golden Ticket attack technique maps to the MITRE ATT&CK® Credential Access technique under the sub-technique Steal or Forge Kerberos Tickets.

What is the history of the Golden Ticket attack?

Golden Ticket attacks are intertwined with Mimikatz, an open-source tool created in 2011 to demonstrate flaws in Microsoft Windows. It extracts credentials such as user names, passwords, hashes and Kerberos tickets. The attack exploits a vulnerability in the Kerberos authentication protocol, and its name comes from the book and movie Charlie and the Chocolate Factory: like the Golden Ticket there, it grants unlimited access, but instead of a well-guarded candy factory the target is a company's cybersecurity, and the prize is access to its resources, files, computers and domain controllers.

Typically, Kerberos authentication uses a Key Distribution Center (KDC) to protect and verify a user's identity. The goal of this system is to eliminate repeated credential requests to the user: the user's identity is verified once and a ticket is assigned for access. The Kerberos database contains the passwords of all verified users. The Authentication Server (AS) performs the initial authentication of the user; if the user is verified by the AS, they receive a Ticket Granting Ticket (TGT), which is proof of authentication. The KDC also hosts the Ticket Granting Server (TGS), which connects the user to the service server.

How do attackers perform Golden Ticket attacks?

To carry out a Golden Ticket attack, the attacker needs the fully qualified domain name, the security identifier (SID) of the domain, the KRBTGT password hash and the username of the account they are going to access. The steps below detail how an attacker gets this information and how they are then able to carry out the attack.

Investigate: An attacker must already have access to the system. Often, phishing emails are used to first gain that access. Attackers then investigate and gather intel such as the domain name.

Steal Access: Once the attacker has access to the domain controller, they steal the NTLM hash of the Active Directory Key Distribution Service Account (KRBTGT).
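A Golden Ticket is a TGT the KDC never issued, so the AS step described above is skipped. The following added example (not part of the original article) turns that into a detection: it looks for Windows 4769 (service ticket requested) events with no preceding 4768 (TGT requested) event for the same account and client host. The log records are constructed, and the field names are a hypothetical simplification of the real event fields.

```python
"""Flag Kerberos service-ticket requests with no preceding TGT issuance.

In the Kerberos flow, the AS issues a TGT before the TGS issues a service
ticket. A forged Golden Ticket never passes through the AS, so a first
indicator in domain controller logs is a 4769 (service ticket requested)
event for an account/host pair with no matching 4768 (TGT requested)
event. Logs from all DCs must be aggregated: the 4768 may sit on another DC.

The records below are CONSTRUCTED; the field names are a hypothetical
simplification of the Windows Security event fields.
"""
from datetime import datetime, timedelta

# Constructed sample. alice authenticates normally from 10.0.0.5, but a
# service ticket for alice is also requested from 10.0.0.77, and svc_backup
# requests a service ticket without any TGT having been issued at all.
SAMPLE_EVENTS = [
    {"event_id": 4768, "account": "alice", "client_ip": "10.0.0.5",
     "time": "2024-05-01T08:00:00"},
    {"event_id": 4769, "account": "alice", "client_ip": "10.0.0.5",
     "time": "2024-05-01T08:00:03"},
    {"event_id": 4769, "account": "alice", "client_ip": "10.0.0.77",
     "time": "2024-05-01T08:15:00"},
    {"event_id": 4769, "account": "svc_backup", "client_ip": "10.0.0.77",
     "time": "2024-05-01T08:16:00"},
]

def tgs_without_tgt(events, window=timedelta(hours=10)):
    """Return (account, client_ip, time) for every 4769 whose account/host
    pair has no 4768 within `window` before it. `window` should be at least
    the domain's maximum TGT lifetime (AD default: 10 hours) so a client
    reusing a valid, previously issued TGT is not flagged."""
    tgt_times = {}
    for e in events:
        if e["event_id"] == 4768:
            key = (e["account"], e["client_ip"])
            tgt_times.setdefault(key, []).append(datetime.fromisoformat(e["time"]))
    findings = []
    for e in events:
        if e["event_id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        issued = tgt_times.get((e["account"], e["client_ip"]), [])
        if not any(t - window <= tt <= t for tt in issued):
            findings.append((e["account"], e["client_ip"], e["time"]))
    return findings

if __name__ == "__main__":
    for acct, ip, when in tgs_without_tgt(SAMPLE_EVENTS):
        print(f"ALERT 4769 without 4768: {acct} from {ip} at {when}")
```

Hosts that only ever hold a TGT issued by another DC will produce false positives if the logs are not centralised, so run this over the combined event stream of every domain controller.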