Compromising Kerberos - the golden ticket attack
Another set of more sophisticated attacks that are noticed more recently is the abuse of Microsoft Kerberos vulnerabilities in an active directory environment. Successful attack leads the attackers to compromise domain controllers and then escalate privilege to enterprise admin and schema admin using the Kerberos implementation.
The following are the typical steps involved in when a user logons with username and password in Kerberos based environment.
- User's password is converted into NTLM hash with a timestamp and then it is sent over to Kerberos Key Distribution Center (KDC).
- Domain controller checks the user information and creates a Ticket-Granting ticket (TGT).
- This TGT can be accessed only by Kerberos service (KRBTGT).
- The TGT is then passed on the Domain Controller from the user to request Ticket Granting Service (TGS) ticket.
- Domain controller validates the Privileged Account Certificate (PAC) if the it is allowed to open the ticket then...
