Didier Stevens

Friday 12 August 2016

mimikatz: Golden Ticket + DCSync

Filed under: Encryption — Didier Stevens @ 8:04

This blog post aims to provide a bit more information about what Benjamin Delpy wrote in this tweet:

20160805-092138

For this demo I run mimikatz as a least privilege, local user on a Windows workstation that is a member of my demo domain. The first step is to generate and use a golden ticket to obtain domain admin rights. The second step is to use dcsync to retrieve hashes from the domain controller.

As a freshly logged-on local user, I have no tickets:

20160805-090019

Then I create a golden ticket for the domain admin:

20160805-090730

20160805-090713

And I use it:

20160805-090827

Now my least privilege, local user is impersonating the domain administrator:

20160805-090904

Then I retrieve the hashes for user user01 from the domain control via the DRSR protocol:

20160805-091005

Compare the LM and NTLM hashes with the hashes in this blogpost: they are the same.

All the arguments (krbtgt, domain, domain admin username, domain SID) needed for the kerberos::golden command can be extracted from the ntds.dit file we obtained. More info on alternative methods to obtain the arguments can be found here.

@gentilkiwi told me that the domain admin username and RID can also be faked, as long that it is part of the domain admins group. It will work for about 20 minutes without checks.

If we don’t have the necessary rights (for example domain admin) to query a DC with DRSR, we get an error 5 (access denied):

20160805-090342

You also get this error when the krbtgt NTLM hash has changed. Command ptt will seem to succeed however:

20160805-121604

Remember that unless the password for user krbtgt is changed (which is not a standard practice), the krbtgt NTLM hash never changes. So even very old copies of ntds.dit can be used to recover hashes as described in this method.

The ticket is stored on file using asn1:

20160805-100151

Benjamin has a YARA rule (mimikatz_kirbi_ticket) to detect such tickets:

20160805-101142

Unfortunately, the mimikatz I use (version 2.1) uses another asn1 encoder and the rule no longer works.

Until Benjamin makes a more generic rule, you can use this updated rule:

rule mimikatz_kirbi_ticket
{
	meta:
		description		= "KiRBi ticket for mimikatz"
		author			= "Benjamin DELPY (gentilkiwi); Didier Stevens"

	strings:
		$asn1			= { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
		$asn1_84		= { 76 84 ?? ?? ?? ?? 30 84 ?? ?? ?? ?? a0 84 00 00 00 03 02 01 05 a1 84 00 00 00 03 02 01 16 }

	condition:
		$asn1 at 0 or $asn1_84 at 0
}

This ticket file is created on disk because I use kerberos::golden’s option /ticket:, but if I use option /ptt, the ticket is immediately passed, and not written to disk.

@gentilkiwi also told me that if you impersonate a domain controller account for kerberos::dcsync, then no events are logged.

3 Comments »

  1. […] also have a video for my mimikatz: Golden Ticket + DCSync blog […]

    Pingback by Video: mimikatz: Golden Ticket + DCSync | Didier Stevens — Monday 15 August 2016 @ 0:01

  2. […] mimikatz: Golden Ticket + DCSync […]

    Pingback by Overview of Content Published In August | Didier Stevens — Sunday 18 September 2016 @ 18:36

  3. […] Blogpost: mimikatz: Golden Ticket + DCSync […]

    Pingback by ntds.dit: Mimikatz Golden Ticket & DCSync | Didier Stevens Videos — Friday 7 October 2016 @ 12:24


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: