History of the golden ticket attack
Golden ticket attacks were born from a helpful place but have since been warped for more nefarious purposes. Their story begins with a French researcher, Benjamin Delpy, who wanted to demonstrate weaknesses in Microsoft's Active Directory. Delpy created mimikatz, a tool that lets penetration testers harvest large amounts of credential material from Windows systems. Mimikatz also includes Kerberos ticket-forgery features, and it is from those that the golden ticket technique takes its name.
How does a golden ticket attack work?
At its simplest, a golden ticket attack lets an attacker forge Kerberos Ticket Granting Tickets, or TGTs, that the domain's Kerberos Key Distribution Center (KDC) would normally issue. A TGT is issued when a user authenticates and is then presented back to the KDC to obtain service tickets for resources, including potentially sensitive files. Kerberos is the default authentication protocol of Windows Active Directory. The KDC protects these time-limited TGTs by encrypting them with a key derived from the password hash of a special domain account named KRBTGT.
The first step of a golden ticket attack involves an actor compromising a machine on the target network, whether through a phishing attack or by physically tampering with the device. Once the cybercriminal has an open door into the network, the golden ticket attack can begin. However, four main components are needed for an effective golden ticket attack. For a tech-savvy criminal, the first three items are easy to obtain. The final piece, however, is trickier to get hold of.
- Fully Qualified Domain Name, or FQDN. The FQDN is the full domain name for a computer, host, or server online and helps identify its virtual location.
- Security Identifier, or SID. A SID identifies any security-related item that Windows can authenticate.
- The identifying data of the user/account the hacker wants to break in through.
- The KRBTGT password hash, needed to produce a TGT that the domain will accept as legitimate. The biggest flaw of the Kerberos design is that any TGT that decrypts correctly under the KRBTGT key is treated as genuine, so whoever holds that key can mint tickets for any account and gain access to anything on the network.
How do hackers trick the Kerberos system?
Obtaining the KRBTGT password hash is typically the trickiest part of a golden ticket attack. A hacker might go about getting their hands on the hash in several ways, and because the hash is so valuable, they will make considerable effort to steal it. Here are some of the methods a cybercriminal will use.
- Utilizing credential-harvesting software. The piece of software that spawned the golden ticket attack, mimikatz, is built for harvesting data, including sensitive credentials. While it is a useful tool for penetration testing, it is also used by attackers.
- Infiltrating a workstation. Never underestimate how far some criminals are willing to go to reach their goal, including acts of workplace espionage. Once someone obtains admin rights on a machine, whether legitimately or through office meddling, they can read the disk and search for credentials that admin privileges were supposed to protect.
- Finding the NTDS.DIT file. This is the Active Directory database, and it stores the password hashes of every account in the domain, KRBTGT included. It is a treasure trove of credentials for determined hackers, and every domain controller holds a copy of it.
Once the cybercriminal finally has the KRBTGT password hash, they can forge tickets that grant access to whatever resources they want, hence the term "golden ticket," which refers to the freedom a forged TGT provides.
How to protect yourself from golden ticket attacks
When it comes to protecting yourself from a golden ticket attack, it’s not so much a specific cybersecurity tool or software you need to use. It’s rather a set of behaviors and habits you need to commit to memory. While there’s no concrete method of stopping golden ticket attacks entirely, you can reduce the risk of being targeted in several ways.
- Use endpoint protection. By properly safeguarding an endpoint, you can prevent the use of data harvesting tools similar to mimikatz.
- Reduce the number of users that can access the KRBTGT password. Naturally, having a smaller circle of trust will make it easier to spot the weak link should you suffer from a golden ticket attack.
- Investigate abnormal ticket behavior. Make sure your IT and security staff know what a normal TGT looks like so that anomalies stand out. For example, most TGTs are only valid for a handful of hours. Should you come across a TGT that is valid for several days, that is a sign worth investigating.
- Update users with relevant cybersecurity knowledge. An important part of combating golden ticket attacks is knowing how to protect yourself from email phishing.
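As an added example that is not part of the original article, the following Python script applies the ticket-lifetime check described above to `klist`-style ticket listings: it parses each cached ticket, keeps only TGTs (tickets for the `krbtgt/` service), and flags any whose validity window exceeds the policy maximum. The sample listing, the account names, the realm `CORP.EXAMPLE.COM` and the 10-hour policy value are all constructed for this illustration; in practice you would feed it real `klist` output and read the maximum TGT lifetime from your domain's Kerberos policy.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Policy maximum assumed for this example (a hypothetical value; take the
# real figure from your domain's Kerberos policy settings).
MAX_TGT_LIFETIME_HOURS = 10.0

# Constructed sample modelled on `klist` output. Not a real capture.
SAMPLE_KLIST = """\
#0>     Client: alice @ CORP.EXAMPLE.COM
        Server: krbtgt/CORP.EXAMPLE.COM @ CORP.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 5/2/2024 8:00:12 (local)
        End Time:   5/2/2024 18:00:12 (local)
        Renew Time: 5/9/2024 8:00:12 (local)

#1>     Client: alice @ CORP.EXAMPLE.COM
        Server: cifs/fileserver01.corp.example.com @ CORP.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 5/2/2024 8:01:30 (local)
        End Time:   5/2/2024 18:00:12 (local)
        Renew Time: 5/9/2024 8:00:12 (local)

#2>     Client: svc-backup @ CORP.EXAMPLE.COM
        Server: krbtgt/CORP.EXAMPLE.COM @ CORP.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 5/2/2024 8:05:00 (local)
        End Time:   5/12/2024 8:05:00 (local)
        Renew Time: 5/12/2024 8:05:00 (local)
"""


@dataclass
class Ticket:
    client: str
    server: str
    start: datetime
    end: datetime

    @property
    def is_tgt(self) -> bool:
        # A TGT is a ticket whose service principal is krbtgt/<REALM>.
        return self.server.lower().startswith("krbtgt/")

    @property
    def lifetime_hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600.0


# Field lines look like "Start Time: 5/2/2024 8:00:12 (local)"; the optional
# "(local)" suffix is stripped from the captured value.
_FIELD = re.compile(
    r"^\s*(Client|Server|Start Time|End Time):\s*(.+?)\s*(?:\(local\))?\s*$", re.M
)
_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
_REQUIRED = ("Client", "Server", "Start Time", "End Time")


def parse_klist(text: str) -> List[Ticket]:
    """Split klist-style text into ticket blocks and extract the fields we need."""
    tickets: List[Ticket] = []
    # Each ticket block starts with a "#<n>>" marker; anything before the first
    # marker (e.g. the "Cached Tickets: (3)" header) is discarded.
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = dict(_FIELD.findall(block))
        if not all(key in fields for key in _REQUIRED):
            continue  # incomplete block: skip rather than guess
        tickets.append(
            Ticket(
                client=fields["Client"],
                server=fields["Server"],
                start=datetime.strptime(fields["Start Time"], _TIME_FORMAT),
                end=datetime.strptime(fields["End Time"], _TIME_FORMAT),
            )
        )
    return tickets


def find_suspicious_tgts(
    text: str, max_lifetime_hours: float = MAX_TGT_LIFETIME_HOURS
) -> List[Tuple[str, float]]:
    """Return (client, lifetime_hours) for each TGT valid longer than policy allows."""
    return [
        (t.client, t.lifetime_hours)
        for t in parse_klist(text)
        if t.is_tgt and t.lifetime_hours > max_lifetime_hours
    ]


if __name__ == "__main__":
    for client, hours in find_suspicious_tgts(SAMPLE_KLIST):
        print(f"SUSPICIOUS TGT: {client} valid for {hours:.1f} h "
              f"(policy maximum {MAX_TGT_LIFETIME_HOURS:.0f} h)")
```

Service tickets are deliberately ignored, since their lifetime is bounded by the TGT they were obtained with; only a TGT whose own window is far longer than the domain policy is the signal this check is after. In the constructed sample the `alice` TGT fits the policy exactly and is not reported, while the `svc-backup` TGT is valid for ten days and is flagged.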
Pulling off a successful golden ticket attack requires hackers to have a lot of knowledge, and it can take several days or weeks to set up correctly. However, if you focus on maintaining proper cybersecurity routines, you can minimize the risk of falling prey.