In the context of the CompTIA PenTest+ certification, a Golden Ticket attack is a severe post-exploitation technique used to achieve indefinite persistence within a Windows Active Directory (AD) environment. It exploits the Kerberos authentication protocol by forging a Ticket Granting Ticket (TGT), effectively bypassing the standard authentication process.
At the heart of Kerberos is the Key Distribution Center (KDC), which uses a specific service account named KRBTGT to sign all valid TGTs. If a penetration tester or attacker gains administrative access to a Domain Controller and successfully dumps the password hash of the KRBTGT account (often using tools like Mimikatz), they possess the master key to the entire domain.
With the KRBTGT hash, the attacker can generate their own forged TGTs offline. These 'Golden Tickets' allow the attacker to masquerade as any user—even non-existent ones—and grant themselves membership in high-privilege groups such as Domain Admins or Enterprise Admins. This provides unrestricted access to every service, workstation, and file share in the domain.
What makes this attack particularly dangerous is its resilience. A Golden Ticket remains valid regardless of whether the impersonated user changes their password, as the ticket is validated against the KRBTGT hash, not the user's credentials. Furthermore, attackers can set the ticket's expiration date to 10 years or more. Unless defenders reset the KRBTGT password twice (to clear the password history), the attacker retains hidden, high-level access, allowing them to return to the network at will without triggering standard login alerts.
Comprehensive Guide to Golden Ticket Attacks for CompTIA PenTest+
What is a Golden Ticket Attack?
A Golden Ticket attack is an advanced post-exploitation technique used to maintain persistent, administrative-level access to a Windows Active Directory (AD) domain. It abuses the Kerberos authentication protocol by forging a Ticket Granting Ticket (TGT). Because the TGT is used to request access to specific services, a forged TGT allows an attacker to generate access tickets for any resource in the domain, effectively giving them the keys to the kingdom.
Why is it Important?
This attack is critical to understand for the PenTest+ exam because it represents the ultimate form of persistence. Once an attacker has a Golden Ticket, they can access any resource as a Domain Admin (or any other user) without needing to know a valid user's current password. It allows the attacker to remain undetected and retain control even if user passwords are changed.
How it Works: The Mechanics
The attack centers on the KRBTGT account. This is a special hidden account in Active Directory used to encrypt and sign all TGTs.
1. Compromise: The attacker must first gain administrative access to a Domain Controller (DC) or execute a DCSync attack to dump the domain hashes.
2. Extraction: The attacker extracts the NTLM password hash of the KRBTGT account.
3. Forgery: Using a tool like Mimikatz, the attacker uses the KRBTGT hash to create a forged TGT. They can specify any user ID (usually a non-existent user or Administrator), any group membership (Domain Admins), and a valid lifetime (often set to 10 years).
4. Access: The attacker presents this forged TGT to the domain to request Service Tickets (TGS) for any service (like database servers, file shares, or other DCs), bypassing standard authentication checks.
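The mechanics above have a useful defensive consequence: a forged TGT is never issued by a Domain Controller, so the impersonated account presents service-ticket requests (Security event 4769) without any matching TGT request (event 4768) ever having been logged, and the account may not exist in the directory at all. The following script is an added example, not part of the original guide, that applies that heuristic to constructed sample events; the event tuples and the account list are assumptions made for illustration.

```python
# Added example (not from the original article): flag Golden Ticket indicators
# in Windows Security log events collected from the Domain Controllers.
# Indicator 1: a service ticket request (4769) by an account that never
#              obtained a TGT (4768) from any DC in the collection window.
# Indicator 2: a service ticket request by an account absent from the directory.
# All sample data below is constructed for illustration.

# Constructed sample events: (event_id, account_name, client_ip, service_name)
SAMPLE_EVENTS = [
    (4768, "alice", "10.0.0.5", "krbtgt"),          # alice obtains a real TGT
    (4769, "alice", "10.0.0.5", "cifs/fs01"),       # then requests a service ticket
    (4769, "bob", "10.0.0.9", "cifs/fs01"),         # bob: no 4768 from any DC
    (4769, "ghostadmin", "10.0.0.9", "ldap/dc01"),  # account not in the directory
    (4768, "carol", "10.0.0.7", "krbtgt"),
]

# Constructed snapshot of accounts that actually exist in AD
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "administrator"}


def find_golden_ticket_indicators(events, known_accounts):
    """Return (account, service, reason) tuples for suspicious service-ticket use.

    Each (account, reason) pair is reported once, no matter how many 4769
    events the account produced, to keep the alert volume manageable.
    """
    # Accounts that legitimately received a TGT from a DC during the window
    tgt_issued = {acct.lower() for eid, acct, _ip, _svc in events if eid == 4768}

    findings, reported = [], set()
    for event_id, account, _ip, service in events:
        if event_id != 4769:
            continue
        acct = account.lower()
        if acct not in known_accounts:
            reason = "service ticket for account not present in directory"
        elif acct not in tgt_issued:
            reason = "service ticket without any prior TGT request"
        else:
            continue  # normal: TGT was issued by a DC before the TGS request
        if (acct, reason) not in reported:
            reported.add((acct, reason))
            findings.append((acct, service, reason))
    return findings


if __name__ == "__main__":
    for acct, svc, reason in find_golden_ticket_indicators(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"ALERT {acct} -> {svc}: {reason}")
```

The check is only meaningful if 4768 events are collected from every DC in the domain; a TGT issued by an unmonitored DC would make a legitimate user look like indicator 1.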
Exam Tips: Answering Questions on Golden Ticket Attacks
When facing questions about this topic on the CompTIA PenTest+ exam, look for specific keywords and indicators:
1. Identify the Indicator: If the scenario mentions the KRBTGT account or extracting the KRBTGT hash, the answer is almost always a Golden Ticket attack.
2. Distinguish from Silver Tickets: You must know the difference to answer correctly:
- Golden Ticket: Forges a TGT (Ticket Granting Ticket). Requires the KRBTGT hash. Grants access to the entire domain.
- Silver Ticket: Forges a TGS (Ticket Granting Service). Requires the hash of a specific service account (like SQL or HTTP). Grants access only to that specific service.
3. Recognize the Goal: If the question asks about persistence or maintaining access after a password reset campaign, the Golden Ticket is a primary candidate. Because the ticket is valid regardless of the user's actual password, changing user passwords does not stop the attack.
4. Remediation Knowledge: If asked how to remediate or stop a Golden Ticket attack, the correct answer is to reset the KRBTGT account password twice. Resetting it once invalidates the current TGTs, but because history is kept, a second reset is required to fully purge the ability to use old hashes.