sn🥶vvcr💥sh

@snovvcrash

7 tweets, 101 reads, Oct 02, 2022
🧵 (1/) Forged Tickets Thread
Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️
#ad #kerberos
🧵 (2/) Golden tickets are forged privileged TGTs that’re crafted completely offline. Having got krbtgt RC4 (NT hash) or AES key, a TA can specify some params (e.g., group membership, user’s RID, ticket validity period) to create and sign a fake PAC embedded inside the TGT ⤵️
🧵 (3/) Thus, the TA can provide the forged TGT to request an ST to any resource in the domain which will contain a copy of the fake PAC signed by the target service account. Since recently, we cannot use a non-existent account name as a result of CVE-2021-42287 mitigations ⤵️
🧵 (4/) Although Golden tickets are a very strong dominance technique, they’re quite noisy as well. This is where Diamond tickets come in handy! A TA can request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key ⤵️
🧵 (5/) But this is not the limit as well! The recent Sapphire ticket technique by @_nwodtuhs allows us to mimic the PAC field as closely as possible to a legitimate one, eliminating the need to recalculate it from scratch ⤵️
🧵 (6/) It is achieved by requesting the target user’s PAC with an S4U2self+U2U exchange during TGS-REQ(P) (PKINIT). Due to using a ready-made PAC, all the previously modifiable options don’t take effect now ⤵️
🧵 (7/) As a side-note: I’ve used this crappy script to automate keytab creation alongside @_dirkjan’s great keytab[.]py for decrypting KRB5 traffic in Wireshark 👇🏻
ppn.snovvcrash.rocks (#decrypt-krb5-traffic)
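Added example, not the script from the thread nor keytab.py: a minimal writer and parser for the MIT keytab layout (format 0x0502, big-endian) that Wireshark loads to decrypt Kerberos traffic; the realm, principals and key bytes used with it are constructed sample values.

```python
import struct
# Kerberos encryption types (RFC 3962 / RFC 4757) and principal name type
ETYPE_AES128_CTS_HMAC_SHA1 = 17
ETYPE_AES256_CTS_HMAC_SHA1 = 18
ETYPE_RC4_HMAC = 23
KRB5_NT_PRINCIPAL = 1

def _counted(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def keytab_entry(principal, realm, kvno, etype, key, timestamp=0):
    """Serialise one entry: int32 size, then num_components, realm, components,
    name_type, timestamp, 8-bit vno, keyblock and the 32-bit vno extension."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", etype) + _counted(key)   # keyblock
    body += struct.pack(">I", kvno)                    # full kvno (optional tail)
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    """entries: iterable of (principal, realm, kvno, etype, key_bytes)."""
    return b"\x05\x02" + b"".join(keytab_entry(*e) for e in entries)

def _read_counted(blob, off):
    n = struct.unpack_from(">H", blob, off)[0]
    return blob[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Parse a 0x0502 keytab back into (principal, realm, kvno, etype, key)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    off, out = 2, []
    while off < len(blob):
        size = struct.unpack_from(">i", blob, off)[0]
        off += 4
        end = off + abs(size)
        if size < 0:               # negative size marks a deleted slot
            off = end
            continue
        ncomp = struct.unpack_from(">H", blob, off)[0]
        realm, off = _read_counted(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(blob, off)
            comps.append(c.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", blob, off)
        etype = struct.unpack_from(">H", blob, off + 9)[0]
        key, off = _read_counted(blob, off + 11)
        vno = struct.unpack_from(">I", blob, off)[0] if end - off >= 4 else vno8
        out.append(("/".join(comps), realm.decode(), vno, etype, key))
        off = end
    return out
```

Write `build_keytab([...])` to a file and point Wireshark's KRB5 preferences at it; the krbtgt and service keys that the thread's tickets are signed with are exactly what this file carries, so a kvno above 255 still round-trips through the 32-bit tail.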
