It’s easy to get lulled into a false sense of safety when it comes to cybersecurity. You’ve got multiple security measures, you regularly change your passwords, and you keep software up to date. However, even with all these measures, some malware can still bypass it all. Here’s what you need to know about a golden ticket attack.
Golden ticket attacks were born from a helpful place but have since been warped for more nefarious purposes. Their story begins with a French researcher, Benjamin Delpy, who wanted to demonstrate the vulnerabilities in Microsoft’s Active Directory. Delpy created Mimikatz, a piece of software that helped penetration testers harvest massive amounts of user data. Mimikatz also contained forgery tools that let it bypass encryption measures.
At its most basic, a golden ticket attack lets an attacker forge and replicate Kerberos Ticket Granting Tickets (TGTs), the tickets that would normally be issued only by the Kerberos key distribution center (KDC). TGTs are created by Kerberos to give temporary access to users who request certain, potentially sensitive, files. Kerberos is the name of the Windows Active Directory authentication protocol. The protocol protects these time-limited TGTs by encrypting them with a key derived from the password hash of the KRBTGT account.
The first step of a golden ticket attack involves an actor compromising a machine on the target network, either through a phishing attack or by someone physically tampering with the device. Once the cybercriminal has an open door into the network, the golden ticket attack can begin. However, four main components are needed for an effective golden ticket attack. For a tech-savvy criminal, the first three items are easy to obtain. The final piece, however, is trickier to get hold of.
Obtaining the KRBTGT password hash is typically the trickiest part of a golden ticket attack. A hacker might go about getting their hands on the hash in several ways. Because the password hash is so important, the hacker makes extra effort to steal it. Here are some of the methods a cybercriminal will use.
Once the cybercriminal finally has the password hash, it allows them access to whatever encrypted files they want, hence the term "golden ticket," which refers to the freedom a forged TGT can provide.
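Because a forged TGT never passes through the KDC, the domain controller has no record of issuing it, yet the attacker still has to present it to request service tickets. That asymmetry gives defenders a simple log-based check. The following added example (not code from the original article) runs that check over a small set of constructed, simplified Windows Security events: event ID 4768 (a TGT was requested) and 4769 (a service ticket was requested) are real Windows event IDs, but the pipe-delimited line format, the account names and the IP addresses are assumptions made up for this example.

```python
from dataclasses import dataclass

# Constructed sample events (not real log data), in the simplified form
# "event_id|timestamp|account|client_ip". Real 4768/4769 events carry many
# more fields; only the ones this check needs are modelled here.
SAMPLE_EVENTS = [
    "4768|2024-05-01T09:00:01|alice|10.0.0.5",
    "4769|2024-05-01T09:00:03|alice|10.0.0.5",
    "4769|2024-05-01T09:02:10|bob|10.0.0.9",    # service ticket, but no TGT was ever issued
    "4768|2024-05-01T09:05:00|carol|10.0.0.7",
    "4769|2024-05-01T09:05:02|carol|10.0.0.7",
    "4769|2024-05-01T09:06:40|bob|10.0.0.9",    # same client keeps using the unissued TGT
]

TGT_REQUESTED = 4768       # "A Kerberos authentication ticket (TGT) was requested"
SERVICE_TICKET_REQUESTED = 4769  # "A Kerberos service ticket was requested"


@dataclass(frozen=True)
class KerberosEvent:
    event_id: int
    timestamp: str
    account: str
    client_ip: str


def parse_event(line: str) -> KerberosEvent:
    """Parse one simplified event line; reject anything that is not four fields."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        raise ValueError(f"malformed event line: {line!r}")
    event_id, timestamp, account, client_ip = parts
    return KerberosEvent(int(event_id), timestamp, account.lower(), client_ip)


def find_orphan_service_tickets(lines):
    """Return the (account, client_ip) pairs that requested a service ticket
    without the domain controller having issued that pair a TGT first.

    Events are sorted by timestamp so log order does not matter. Each
    suspicious pair is reported once, however many 4769 events it produced.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.timestamp)
    issued_tgt = set()
    flagged = []
    for ev in events:
        key = (ev.account, ev.client_ip)
        if ev.event_id == TGT_REQUESTED:
            issued_tgt.add(key)
        elif ev.event_id == SERVICE_TICKET_REQUESTED and key not in issued_tgt:
            if key not in flagged:
                flagged.append(key)
    return flagged


if __name__ == "__main__":
    for account, ip in find_orphan_service_tickets(SAMPLE_EVENTS):
        print(f"service ticket requested by {account} from {ip} with no TGT issued by the KDC")
```

The check is a heuristic, not proof of a forged ticket: a TGT may have been issued before the log window opened, or by a different domain controller, so the 4768 and 4769 events from every domain controller should be collected together and the window should cover at least the domain's maximum TGT lifetime before a hit is treated as suspicious.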
When it comes to protecting yourself from a golden ticket attack, it is not so much a specific cybersecurity tool or piece of software you need, but a set of behaviors and habits you need to commit to memory. While there is no concrete method of stopping golden ticket attacks entirely, you can reduce the risk of being targeted in several ways.
Pulling off a successful golden ticket attack requires hackers to have a lot of knowledge, and it can take several days or weeks to set up correctly. However, if you focus on maintaining proper cybersecurity routines, you can minimize the risk of falling prey.