Compromising Kerberos – the golden-ticket attack
Another set of more sophisticated (and more recent) attacks is the abuse of Microsoft Kerberos vulnerabilities in an Active Directory environment. A successful attack leads to attackers compromising domain controllers and then escalating the privilege to the enterprise admin-and schema admin-level using the Kerberos implementation.
The following are typical steps when a user logs on with a username and password in a Kerberos-based environment:
- User's password is converted into an NTLM hash with a timestamp and then it is sent over to the Key Distribution Center (KDC).
- Domain controller checks the user information and creates a (Ticket-Granting Ticket (TGT).
- This TGT can be accessed only by Kerberos service (KRBTGT).
- The TGT is then passed on to the domain controller from the user to request a Ticket Granting Service (TGS) ticket.
- Domain controller validates the Privileged Account Certificate (PAC). If it is allowed to open the ticket, then the TGT...