Mitigating pass the ticket on Active Directory
The Kerberos authentication protocol is the preferred authentication mechanism used by Windows in a domain-based environment, and it interoperates with Kerberos implementations supported by other operating systems.
While the pass-the-hash technique (PtH) is still used by Advanced Persistent Threats (APT), use of the equivalent technique that misuses the Kerberos protocol, known as pass-the-ticket (PtT), is increasing.
The Kerberos protocol, invented by MIT and used by multiple operating systems, relies on a secret key to protect authentication. If the server that stores the secret key is compromised, a malicious actor may be able to generate credentials that make them appear to be other users.
A recent release of Mimikatz provides a proof of concept of this pass-the-ticket attack, called the golden ticket. Before the golden ticket is possible, the malicious actor must first compromise the system that holds the secret key (Active Directory, the domain controller), then escalate to full system administrator on that same domain controller. The adversary uses this access to steal the secret key, effectively a golden ticket that enables the adversary to impersonate anybody in a Windows domain-based environment until the Kerberos secret key is reset.
This white paper provides the steps required to prevent and block attacks based on the golden ticket.
The tests mentioned in this document were done in a Windows 7 and Windows Server 2008 R2 environment.
More here: http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf