In Search of Kerberos’s Golden Ticket

In a Kerberos environment, all users get tickets, or more specifically TGTs (Ticketing Granting Tickets). It’s the starting point for gaining access to services—network files, email, apps, etc.  In Windows, there’s one user who stands out, the all-powerful domain administrator. They have access to the keys of the kingdom, literally—the Domain Controller on which the Active Directory databases resides. Therefore the TGT for a domain admin is a valuable ticket.

And naturally very hard for outsiders to obtain.

In security circles, the domain admin’s TGT takes on an unreal quality. It’s called the Golden Ticket, referring, of course, to those rare gold-foil tickets found in just a few chocolate bars in the Willie Wonka story. The Golden Ticket allows the owner a lifetime supply of Wonka chocolate (and a tour of the factory).

In theory, of course, one can see how an attacker could get the DA’s ticket. However, it does require, at first blink, a somewhat improbable chain of events. A hacker would have to login to the domain controller machine and gain elevated permissions and find the NTLM hash of krbtgt, a special user set up by Kerberos.  That last part, by the way, provides the special key used to encrypt all the TGTs.

If you have all these pieces to the Kerberos puzzle, then, sure, it would make sense you could start creating these things. And in fact, the hackers could create TGTs for any user, not just a Domain Admin.

The first question, of course, is how real a threat is this, or as they say in data security, “has it been seen in the wild”?

This CERT-EU warning from July of this year takes this attack  seriously. While it doesn’t mention any specific incidents, it provides useful information about how the attack works and mitigations. In short, hackers may use PtH or PtT harvesting to leapfrog to the domain controller. Once on the DC, there are hacker and pen test tools—essentially Mimikatz 2.0—to do the heavy lifting.

When the Golden Ticket is created, it’s effectively given a very long lifetime—say, measured in years!  So you have a nightmare situation—a stealthy intruder has entered your system, and has a Kerberos ticket that can be used at any time.

Suppose you suspect a Golden Ticket is present, and decide to change the password of the domain administrator’s account. Interestingly, this administrative action doesn’t invalidate the ticket! Kerberos views a ticket on its own merits. If it decrypts correctly and has Kerberos identifier information, then it’s good to go.

What about removing an account referenced in the Golden Ticket? Again, it doesn’t seem to matter. However, the Black Hat presentation I mentioned in my last post suggests that Microsoft may have changed this—there may now be a fix to check the user id (actually the Windows SID) found in the ticket against Active Directory. But on further checking with the Kerberos security community—thank you, Quora—I learned that’s not the case.

A better, but more extreme strategy, is to change the password for the krbtgt account, which is used to generate the key for encrypting the tickets. That would work of course but it also invalidates every other ticket in the system. It’s a drastic measure, but you have a drastic situation.

Mitigations? As I wrote about with pass-the-ticket and pass-the-hash, you’ll want to make it more difficult for attackers to get to the DC. The EU document I referred to earlier says that monitoring Windows logs won’t help admins spot anything out of the ordinary.

I’ll add another point to the Computer Emergency Response Team, EU Division’s mitigation strategy.

More comprehensive monitoring can help in this scenario if you have statistics on long-term behaviors of existing users.  Attackers will reveal themselves through unusual access patterns even thought their stolen credentials hide who they really are.

Image credit: Hippster

Learn More About User Monitoring with Varonis DatAdvantage.