In Search of Kerberos’s Golden Ticket

Michael Buckbee
2 min read
Last updated June 9, 2023

In a Kerberos environment, all users get tickets, or more specifically TGTs (Ticket Granting Tickets). It’s the starting point for gaining access to services—network files, email, apps, etc. In Windows, there’s one user who stands out, the all-powerful domain administrator. They have access to the keys of the kingdom, literally—the Domain Controller on which the Active Directory database resides. Therefore the TGT for a domain admin is a valuable ticket.

And naturally very hard for outsiders to obtain.


In security circles, the domain admin’s TGT takes on an unreal quality. It’s called the Golden Ticket, referring, of course, to those rare gold-foil tickets found in just a few chocolate bars in the Willy Wonka story. The Golden Ticket allows the owner a lifetime supply of Wonka chocolate (and a tour of the factory).

In theory, of course, one can see how an attacker could get the DA’s ticket. However, at first glance it requires a somewhat improbable chain of events. A hacker would have to log in to the domain controller machine, gain elevated permissions, and find the NTLM hash of krbtgt, a special account set up by Kerberos. That last part, by the way, provides the special key used to encrypt all the TGTs.

If you have all these pieces to the Kerberos puzzle, then, sure, it would make sense you could start creating these things. And in fact, the hackers could create TGTs for any user, not just a Domain Admin.

The first question, of course, is how real a threat is this, or as they say in data security, “has it been seen in the wild”?

This CERT-EU warning from July of this year takes this attack seriously. While it doesn’t mention any specific incidents, it provides useful information about how the attack works and mitigations. In short, hackers may use Pass-the-Hash (PtH) or Pass-the-Ticket (PtT) harvesting to leapfrog to the domain controller. Once on the DC, there are hacker and pen test tools—essentially Mimikatz 2.0—to do the heavy lifting.

When the Golden Ticket is created, it’s effectively given a very long lifetime—say, measured in years! So you have a nightmare situation—a stealthy intruder has entered your system and holds a Kerberos ticket that can be used at any time.

Suppose you suspect a Golden Ticket is present, and decide to change the password of the domain administrator’s account. Interestingly, this administrative action doesn’t invalidate the ticket! Kerberos views a ticket on its own merits. If it decrypts correctly and has Kerberos identifier information, then it’s good to go.

What about removing an account referenced in the Golden Ticket? Again, it doesn’t seem to matter. However, the Black Hat presentation I mentioned in my last post suggests that Microsoft may have changed this—there may now be a fix to check the user id (actually the Windows SID) found in the ticket against Active Directory. But on further checking with the Kerberos security community—thank you, Quora—I learned that’s not the case.

A better, but more extreme, strategy is to change the password for the krbtgt account, which is used to generate the key for encrypting the tickets. That would work, of course, but it also invalidates every other ticket in the system. It’s a drastic measure, but you have a drastic situation.
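To make the trust model in the last few paragraphs concrete, here is a deliberately simplified KDC model (added example, not code from this post or from any real Kerberos implementation): a TGT is a payload sealed with a MAC under the krbtgt-derived key, and validation never looks at the named account. It goes one step beyond the post by modelling the fact that Active Directory retains the previous krbtgt key as well, so a single krbtgt reset still accepts tickets sealed under the old key and only the second reset evicts it. Account names, the SID and the secrets are constructed values.

```python
import hashlib
import hmac
import json


def _mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ToyKdc:
    """Constructed model, not real Kerberos or AD code: a TGT is a payload
    plus a MAC under the krbtgt-derived key, so validity depends only on
    that key, never on the named account's current password or existence."""

    def __init__(self, krbtgt_secret: bytes, key_history: int = 2):
        # AD retains the current and previous krbtgt key, so tickets sealed
        # under the previous key stay valid until a second reset.
        self.key_history = key_history
        self.keys = [krbtgt_secret]
        self.accounts = {"alice": "pw1", "da-bob": "pw2"}  # constructed

    def issue_tgt(self, user: str, sid: str) -> str:
        payload = json.dumps({"user": user, "sid": sid}).encode()
        return payload.hex() + "." + _mac(self.keys[-1], payload)

    def validate_tgt(self, ticket: str) -> bool:
        # Accept if the MAC verifies under any retained key; self.accounts
        # is deliberately never consulted, mirroring the post's point.
        payload_hex, mac = ticket.split(".")
        payload = bytes.fromhex(payload_hex)
        return any(hmac.compare_digest(_mac(k, payload), mac) for k in self.keys)

    def reset_krbtgt(self, new_secret: bytes) -> None:
        self.keys = (self.keys + [new_secret])[-self.key_history:]


def demo() -> dict:
    """Walk one domain-admin TGT through each response the post discusses."""
    kdc = ToyKdc(b"krbtgt-secret-v1")
    tgt = kdc.issue_tgt("da-bob", "S-1-5-21-0-0-0-500")  # constructed SID
    results = {"fresh": kdc.validate_tgt(tgt)}
    kdc.accounts["da-bob"] = "pw3"           # change the admin's password
    results["after_pw_change"] = kdc.validate_tgt(tgt)
    del kdc.accounts["da-bob"]               # remove the account entirely
    results["after_delete"] = kdc.validate_tgt(tgt)
    kdc.reset_krbtgt(b"krbtgt-secret-v2")    # first krbtgt reset
    results["after_one_reset"] = kdc.validate_tgt(tgt)
    kdc.reset_krbtgt(b"krbtgt-secret-v3")    # second reset evicts the old key
    results["after_two_resets"] = kdc.validate_tgt(tgt)
    return results
```

Only the last step returns False, which is why the usual guidance is to reset krbtgt twice, with enough time between resets for the change to replicate.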

Mitigations? As I wrote about with pass-the-ticket and pass-the-hash, you’ll want to make it more difficult for attackers to get to the DC. The EU document I referred to earlier says that monitoring Windows logs won’t help admins spot anything out of the ordinary.

I’ll add another point to the Computer Emergency Response Team, EU Division’s mitigation strategy.

More comprehensive monitoring can help in this scenario if you have statistics on the long-term behavior of existing users. Attackers will reveal themselves through unusual access patterns even though their stolen credentials hide who they really are.
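As an added illustration of that monitoring idea (example code, not part of the original post or any Varonis product), the following builds a per-user baseline of resources and active hours from a history window and then flags accounts whose recent activity is mostly to resources they have never touched, or falls at hours with no history for that account. The access records, user names and resource paths are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: (timestamp, user, resource). Everything
# before CUTOFF is the long-term baseline; the rest is the window under review.
CUTOFF = datetime(2023, 6, 1)
EVENTS = [
    ("2023-05-02 09:10", "da-bob", "fs01/finance"),
    ("2023-05-03 10:30", "da-bob", "fs01/finance"),
    ("2023-05-09 14:05", "da-bob", "dc01/sysvol"),
    ("2023-05-04 08:50", "alice", "fs02/engineering"),
    ("2023-05-18 17:10", "alice", "fs02/engineering"),
    ("2023-06-05 08:30", "alice", "fs02/engineering"),
    # Same "da-bob" credentials, but new hosts at an unusual hour.
    ("2023-06-06 02:14", "da-bob", "fs02/engineering"),
    ("2023-06-06 02:20", "da-bob", "fs03/hr"),
    ("2023-06-06 02:31", "da-bob", "sql01/payroll"),
    ("2023-06-06 09:15", "da-bob", "fs01/finance"),
]


def parse(events):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), u, r) for ts, u, r in events]


def build_baseline(events, cutoff):
    """Per-user set of resources and active hours seen before the cutoff."""
    resources, hours = defaultdict(set), defaultdict(set)
    for t, user, res in parse(events):
        if t < cutoff:
            resources[user].add(res)
            hours[user].add(t.hour)
    return resources, hours


def flag_anomalies(events, cutoff, novelty_ratio=0.5):
    """Flag users whose recent accesses are mostly to never-before-seen
    resources, or occur at hours with no history for that account."""
    resources, hours = build_baseline(events, cutoff)
    recent = defaultdict(list)
    for t, user, res in parse(events):
        if t >= cutoff:
            recent[user].append((t, res))
    flagged = {}
    for user, accesses in recent.items():
        novel = sorted({r for _, r in accesses if r not in resources[user]})
        off_hours = sum(1 for t, _ in accesses if t.hour not in hours[user])
        if len(novel) / len(accesses) >= novelty_ratio or off_hours:
            flagged[user] = {"novel_resources": novel, "off_hours_accesses": off_hours}
    return flagged
```

With a real baseline spanning months rather than a handful of events, the hour set and novelty ratio become far less noisy; the point is that the identity on the ticket is trusted, but the behavior behind it can still be compared with history.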

Image credit: Hippster

