6.1.6.7. Attack Types

6.1.6.7.1. Golden Ticket Utilization

During authentication, the client obtains a TGT by communicating with the AS. A Golden Ticket is a forged ticket-granting ticket (TGT), also known as an authentication ticket.

Using a golden ticket still requires communicating with the DC and requires the hash of the krbtgt account, but in return it grants permissions for any Kerberos service in the domain.

6.1.6.7.2. Silver Ticket Utilization

Silver Ticket forgery abuses the third step of Kerberos authentication, in which the client presents a service ticket to a service on the target server; if verification passes, the client can access that service. The ticket is built from the client info, the server session key, the end time, and the server's hash. The client info is known, the end time can be chosen freely, and the server session key is generated by the TGS, so the only secret needed is the server's NTLM hash. A forged silver ticket is a TGS (service ticket), so it only grants access to the designated service.

6.1.6.7.3. DCSync Attack

DCSync is a technique often used in domain penetration. It was added to mimikatz in 2015, co-written by Benjamin Delpy (gentilkiwi) and Vincent Le Toux, and uses the Directory Replication Service (DRS) protocol to export the hashes of all users in the domain.

This method requires one of the following permissions:

  • Users in the Administrators group

  • Users within the Domain Admins group

  • Users within the Enterprise Admins group

  • Domain controller computer account
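Because DCSync asks the DC for replication data, it leaves a Directory Service Access event (Event ID 4662) on the DC in which the requesting principal is granted the replication control access rights. The following detection is an added example written for this page, not code from mimikatz or from the original notes: it scans constructed 4662 records, extracts the replication rightsGuid values from the Properties field, and reports any request that did not come from a known domain controller computer account. The event field names and the `KNOWN_DCS` allow-list are assumptions made for the example.

```python
"""Flag Directory Service Access events (Event ID 4662) in which a principal
other than a domain controller requests the replication control rights that
DCSync depends on.  The event records below are constructed for this example;
real 4662 events carry the same fields (SubjectUserName, Accesses, Properties)."""
import re
from dataclasses import dataclass

# rightsGuid values of the three replication control access rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the Accesses mask
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


@dataclass(frozen=True)
class Event4662:
    subject: str      # SubjectUserName, e.g. "DC01$" or "jdoe"
    accesses: int     # Accesses mask; 0x100 = Control Access
    properties: str   # Properties field listing the control-access rightsGuids


def replication_rights(event: Event4662) -> list:
    """Names of replication rights requested by the event, in log order."""
    if not event.accesses & CONTROL_ACCESS:
        return []
    guids = GUID_RE.findall(event.properties.lower())
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def suspicious_dcsync(events, domain_controllers) -> list:
    """(subject, rights) pairs for replication requests by non-DC principals.

    Domain controllers replicate with each other constantly, so their
    computer accounts are allow-listed; any other principal asking for
    these rights is worth an alert."""
    allowed = {dc.lower() for dc in domain_controllers}
    hits = []
    for ev in events:
        rights = replication_rights(ev)
        if rights and ev.subject.lower() not in allowed:
            hits.append((ev.subject, rights))
    return hits


# Constructed sample events (not captured from a real domain).
SAMPLE_EVENTS = [
    # normal DC-to-DC replication
    Event4662("DC02$", 0x100,
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # a user account requesting both replication rights: DCSync pattern
    Event4662("jdoe", 0x100,
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # same user, but a schema GUID rather than a replication right
    Event4662("jdoe", 0x100, "{bf967aba-0de6-11d0-a285-00aa003049e2}"),
    # replication GUID present but the Accesses mask lacks Control Access
    Event4662("backupsvc", 0x10, "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
]
KNOWN_DCS = {"DC01$", "DC02$"}  # assumed allow-list of DC computer accounts

if __name__ == "__main__":
    for subject, rights in suspicious_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

The allow-list is the important design choice: the rights themselves are legitimately exercised by every DC many times a minute, so the signal is not the right being requested but who requests it. Auditing of Directory Service Access must be enabled on the DCs for 4662 to be written at all.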

6.1.6.7.4. DCShadow attack

DCShadow was proposed by security researchers Benjamin Delpy and Vincent Le Toux from France at the 2018 Microsoft Blue Hat conference.

A DCShadow attack involves creating a malicious domain controller in an Active Directory environment and using it to push malicious objects.

6.1.6.7.5. Pass-the-Hash (PTH)

Pass-the-Hash (PTH) is an attack method that authenticates by passing an NTLM hash. Commonly used tools include mimikatz.

6.1.6.7.6. Pass-the-Ticket Attacks

Pass-the-Ticket (PtT) attacks use Kerberos tickets instead of cleartext passwords or NTLM hashes. Probably the most common use of PtT is with golden and silver tickets, and accessing hosts via PtT is fairly straightforward.

6.1.6.7.7. Kerberoasting Attacks

Kerberoasting attacks were disclosed. Any host in the domain can query SPNs, so Kerberoasting requests service tickets (TGS) for all services in the domain and then brute-forces them offline.

6.1.6.7.7.1. AS-REP Roasting

The attack enumerates domain accounts that do not require Kerberos pre-authentication, requests an encrypted message (the AS-REP) for those accounts, and tries offline to obtain the account hash. This method requires the account to have the DONT_REQ_PREAUTH flag explicitly set.
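Both Kerberoasting and AS-REP roasting leave traces in the DC security log, and the flag that enables AS-REP roasting can be audited directly. The block below is an added example for both sections above (Kerberoasting and AS-REP roasting); it is not code from the original notes or from any tool they mention. It parses constructed log lines in a simple `key=value` format assumed for the example and applies three checks: Event 4769 service-ticket requests with the RC4 encryption type (0x17) for several distinct non-computer services from one requester, Event 4768 TGT requests whose pre-authentication type is 0 (logon without pre-authentication), and the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl. The account names, hosts and threshold are assumptions.

```python
"""Heuristics for spotting Kerberoasting (Event 4769) and AS-REP roasting
(Event 4768) in domain controller security logs, plus an audit of the
userAccountControl flag that makes AS-REP roasting possible.
The log lines and account list below are constructed for the example."""
from collections import defaultdict

RC4_HMAC = 0x17              # TicketEncryptionType for RC4, the weakest etype to crack
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: pre-authentication not required


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key=Value' line (assumed format) into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def load_events(text: str) -> list:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def is_roastable_service(service: str) -> bool:
    """Computer accounts ($) and krbtgt are not Kerberoasting targets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def kerberoast_candidates(events, threshold: int = 3) -> dict:
    """Requesters that obtained RC4 service tickets for >= threshold distinct services."""
    per_user = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if is_roastable_service(ev["ServiceName"]):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}


def asrep_roast_candidates(events) -> list:
    """(account, source IP, etype) for TGTs issued without pre-authentication."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
            continue
        hits.append((ev["TargetUserName"], ev["IpAddress"],
                     int(ev["TicketEncryptionType"], 16)))
    return hits


def accounts_without_preauth(accounts: dict) -> list:
    """sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


# Constructed sample log (not a real capture).  One user pulls RC4 tickets for
# three different service accounts in a row; another uses AES for one service.
SAMPLE_LOG = """
EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25
EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25
EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25
EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25
EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.31
EventID=4768 TargetUserName=legacy_app PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25
EventID=4768 TargetUserName=asmith PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.31
"""

# Constructed userAccountControl values: 0x200 is NORMAL_ACCOUNT.
SAMPLE_ACCOUNTS = {"legacy_app": 0x400200, "asmith": 0x200, "jdoe": 0x200}

if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("Kerberoasting candidates:", kerberoast_candidates(evs))
    print("AS-REP roasting candidates:", asrep_roast_candidates(evs))
    print("Accounts without pre-auth:", accounts_without_preauth(SAMPLE_ACCOUNTS))
```

The Kerberoasting check relies on two facts visible in the event: RC4 (0x17) is requested explicitly even in AES-capable domains, and a single requester fanning out across many distinct service accounts in a short window is unusual for ordinary use. Switching service accounts to AES-only and auditing the DONT_REQ_PREAUTH flag removes the conditions both attacks depend on.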

6.1.6.7.8. Kerberos Delegation Attacks

In a domain, A uses Kerberos authentication to access service B, and B then uses A's identity to access C. This process is called delegation. Delegation is mainly divided into two types: unconstrained delegation and constrained delegation. With unconstrained delegation, B can access any other service in the domain on A's behalf; constrained delegation restricts this, so B cannot access services other than those it is allowed to.

Kerberos delegation attacks are divided into unconstrained delegation attacks and constrained delegation attacks. The principle is to obtain the permissions of other accounts by abusing the delegated accounts already configured in the domain.
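Because both attack variants start from accounts that already have delegation configured, the defensive first step is to enumerate those accounts. The following audit is an added example for this page, not code from the original notes: it classifies accounts from the attributes an auditor would read over LDAP, treating the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl as unconstrained delegation and a populated msDS-AllowedToDelegateTo as constrained delegation. It goes slightly beyond the two types named above by also reporting the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000), which marks constrained delegation with protocol transition. Domain controllers carry the unconstrained flag by design, so they are skipped via the SERVER_TRUST_ACCOUNT bit. The sample accounts are constructed.

```python
"""Audit delegation settings on domain accounts.  Records mimic the LDAP
attributes userAccountControl and msDS-AllowedToDelegateTo; the sample
accounts below are constructed for the example."""
from dataclasses import dataclass, field

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account


@dataclass
class Account:
    sam_account_name: str
    user_account_control: int
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo SPNs


def delegation_type(acct: Account) -> str:
    """Classify an account's delegation configuration from its attributes."""
    uac = acct.user_account_control
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained"
    return "none"


def delegation_findings(accounts) -> list:
    """(name, type, target SPNs) for every account with delegation configured.

    Domain controllers are expected to have unconstrained delegation and are
    left out; any other account on the list is a candidate for review."""
    findings = []
    for a in accounts:
        kind = delegation_type(a)
        if kind == "none":
            continue
        if kind == "unconstrained" and a.user_account_control & SERVER_TRUST_ACCOUNT:
            continue
        findings.append((a.sam_account_name, kind, sorted(a.allowed_to_delegate_to)))
    return findings


def exposed_hosts(findings) -> list:
    """Hosts reachable through constrained delegation, taken from the SPN targets."""
    hosts = set()
    for _, kind, spns in findings:
        if kind.startswith("constrained"):
            for spn in spns:
                hosts.add(spn.split("/", 1)[1].lower())
    return sorted(hosts)


# Constructed sample accounts.  0x1000 = WORKSTATION_TRUST_ACCOUNT, 0x200 = NORMAL_ACCOUNT.
SAMPLE_ACCOUNTS = [
    Account("DC01$", 0x82000),                                       # DC: unconstrained by design
    Account("WEB01$", 0x81000),                                      # member server with unconstrained delegation
    Account("svc_iis", 0x200, ["CIFS/fs01.corp.local"]),             # constrained, Kerberos only
    Account("svc_app", 0x1000200, ["HTTP/app.corp.local",
                                   "LDAP/dc01.corp.local"]),         # constrained with protocol transition
    Account("jdoe", 0x200),                                          # ordinary user
]

if __name__ == "__main__":
    for name, kind, targets in delegation_findings(SAMPLE_ACCOUNTS):
        print(f"{name}: {kind} {targets}")
    print("hosts reachable via constrained delegation:", exposed_hosts(delegation_findings(SAMPLE_ACCOUNTS)))
```

Accounts flagged as unconstrained are the higher-priority finding, since any user who authenticates to them hands over a reusable TGT; for constrained entries the SPN list shows exactly which hosts and services the account can reach on someone else's behalf, which is the scope an attack on that account would inherit.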

6.1.6.7.9. Other exploits

  • ProxyLogon (CVE-2021-26855)

  • ProxyShell (CVE-2021-34473)

  • SMBGhost (CVE-2020-0796)

  • Zerologon (CVE-2020-1472)

  • EternalBlue (MS17-010)