Active Directory vulnerabilities, exploitations and detection.

Author: Sakellariou, Apostolos
Publisher: Zenodo
DOI: 10.5281/zenodo.17543173
Source: https://zenodo.org/records/17543173/files/Sakellariou_Apostolos_BSc_Thesis_Active_Directory_Vulnerabilities_2024.pdf
University of Derby
Department of Computer Science
BSc (Hons) Computer Networks & Security
Active Directory vulnerabilities, exploitations and detection.
By
Sakellariou G. Apostolos
2024
Abstract
This thesis analyzes the security weaknesses of Active Directory, with a specific emphasis on advanced attack techniques that exploit the Kerberos authentication protocol. The research provides a comprehensive examination of several important cyberattacks, including Kerberoasting, Overpass-the-Hash, Silver Ticket, and Golden Ticket. The study focuses on explaining how each attack is carried out and what its consequences are. Conducted in a controlled virtual lab, the experiments reveal how weak password policies, inadequate monitoring, and outdated encryption methods (RC4 where AES is available) facilitate unauthorized access and privilege escalation. The results emphasize the necessity of implementing strong security mechanisms, thorough monitoring, and ongoing training to protect the Active Directory environment. Suggested measures to increase organizational security against these threats include the implementation of robust password policies, regular updates of user accounts, the utilization of advanced detection tools, and the implementation of proactive security approaches.
Keywords: Active Directory, Kerberos authentication protocol, Kerberoasting, Golden Ticket attack, Overpass-the-Hash attack, Silver Ticket attack, Attack Detection
Acknowledgements
I want to start by saying how grateful I am to Mr. Antonis Kapellas, my supervising professor, for all the help and advice he gave me during my study. His thoughts and suggestions were very helpful in making sure that my work was relevant to real life, and the important materials he gave me helped make completing this thesis much easier.
I also want to thank Professor Michael Dagiakidis for his assistance in setting up my virtual lab, which was crucial to the successful execution of my research experiments.
Finally, I want to thank my father from the bottom of my heart for always being there for me and supporting me. His trust in me has been a constant source of strength and inspiration for me on this journey.
Thank you all for your support!
Table of Contents
1 Introduction
1.1 Project Rationale
1.2 Project Aim and Objectives
2 Literature Review
2.1 Introduction
2.2 Active Directory Vulnerabilities
2.3 Kerberos Authentication
2.4 Vulnerabilities exploitation
2.4.1 Kerberoasting Attack
2.4.2 Overpass the hash Attack
2.4.3 Silver ticket Attack
2.4.4 Golden ticket Attack
2.5 Attack Detection
2.5.1 Kerberoasting Detection
2.5.2 Overpass the hash Detection
2.5.3 Silver ticket Detection
2.5.4 Golden ticket Detection
2.6 Conclusions
2.6.1 Key Issues
2.6.2 Refined Research Questions
3 Research Methodology
3.1 Introduction
3.2 Research Strategy
3.3 Data Analysis
3.4 Ethics
4 Findings and Analysis
4.1 Introduction
4.2 Analysis
4.3 Conclusions
5 Conclusion and Recommendation
5.1 Conclusion
5.2 Recommendation
6 Bibliography
7 Appendices
7.1 Description of Lab Environment
7.2 Network Topology
7.3 Tools and Scripts
7.4 Glossary of Terms

Chapter 1
Introduction
1.1 Project Rationale
In the modern digital age, ensuring the security of computer networks is of the highest priority, particularly due to the rising frequency of cyber-attacks aimed at the vital infrastructure of businesses. Active Directory (AD) is a crucial component of many businesses' infrastructure (Chai & Gillis, 2021), offering vital authentication and authorization functions. Nevertheless, its extensive utilization also renders it a preferred target for malicious individuals. Gaining a comprehensive understanding of the weaknesses present in Active Directory and the techniques used to exploit these weaknesses is essential for creating strong security controls. This thesis aims to identify and analyze prevalent vulnerabilities in Active Directory, investigate several methods of exploiting these vulnerabilities, and assess the efficacy of various detection mechanisms. By pursuing this objective, the purpose is to enhance the existing knowledge on network security and offer practical guidance to security professionals in order to protect their systems from these advanced threats.
1.2 Project Aim and Objectives
The main objective of this thesis is to carry out a comprehensive study of the vulnerabilities present in Active Directory, the methods employed by attackers to exploit these vulnerabilities, and the related methods of detecting such attacks. In order to accomplish this goal, the following objectives have been set:
• Enumerate and classify the most common vulnerabilities in Active Directory.
• Perform hands-on demonstrations of prevalent exploitation techniques, such as Kerberoasting, Overpass-the-Hash, Silver Ticket, and Golden Ticket attacks.
• Examine the detection techniques for each of these attacks, evaluating their efficacy and limitations.
• Based on the findings of this research, present measures to enhance the security and detection mechanisms of Active Directory, with a specific emphasis on following administrative best practices.
Chapter 2
Literature Review
2.1 Introduction
The primary goal of this literature review is to offer a thorough and extensive summary of the current research and studies concerning Active Directory vulnerabilities, methods of exploitation, and approaches to detection. This chapter will provide an overview of the fundamental principles of Active Directory, explore particular weaknesses that attackers frequently target, and analyze the methods employed to identify and counteract these exploits. Furthermore, it will discuss the significance of Kerberos in Active Directory and its dual position as both a target and a tool in certain security scenarios.
2.2 Active Directory Vulnerabilities
Active Directory (AD) is an essential element in numerous corporate settings, tasked with the responsibility of verifying user identities, granting access permissions, and enforcing rules and policies within Windows domains (Microsoft Corporation, 2022). Despite its significance, Active Directory is exposed to multiple vulnerabilities, especially in cases of misconfiguration at the administrative level. The vulnerabilities can be classified into several forms, such as weak authentication settings, inappropriate delegation settings, and inadequate monitoring practices.
2.3 Kerberos Authentication
Kerberos is the default authentication protocol in an Active Directory (AD) domain. Users access network services by presenting tickets instead of passwords. These tickets are generated for each logon session and are valid for a limited time. Users obtain access to remote services by requesting a service ticket from a domain controller (DC), which acts as the key distribution center (KDC) in the Active Directory implementation of Kerberos (The Mitre Corporation, 2020). When clients request service tickets for given services from a DC, they identify the service by a unique identifier called a service principal name (SPN). To enable Kerberos authentication for a service, its SPN must be registered in AD on at least one service logon account; the KDC encrypts every service ticket for that SPN with the key of that account, which is why the strength of the account's password matters for each attack discussed below.
2.4 Vulnerabilities exploitation
2.4.1 Kerberoasting Attack
The Kerberoasting attack, initially introduced by Tim Medin, is a method of obtaining the credentials of a remote service without the need to send any traffic directly to the service (Medin, 2014). Kerberoasting is categorized as a sub-technique of the Steal or Forge Kerberos Tickets technique, which is classified under the Credential Access tactic (Mitre Corporation, 2020). The attack distinguishes itself from the other two sub-techniques examined here (Golden and Silver Ticket) by the level of permissions needed: Kerberoasting can be executed without a local administrator account or any account with elevated permissions in the domain (Demers & Lee, 2022). A valid domain account, or the ability to sniff Kerberos traffic within the domain, is enough for an attacker to carry out Kerberoasting, because any authenticated user may request a service ticket for any registered SPN and the returned ticket is encrypted with the service account's key, which can then be attacked offline.
The exploitation of Kerberoasting was conducted in a controlled virtual lab environment consisting of a domain controller, a Windows 10 PC client, and an attacker machine running Kali Linux. While there are multiple methods to execute this attack, the Havoc C2 (Command and Control) framework was utilized on the Kali Linux machine for this experiment. The Windows PC was previously compromised using a payload deployed from the attacker machine, establishing an active session between the two computers.
Figure 1: Havoc framework: healthy connection with the Windows client computer.
As shown in Figure 1, a connection has already been established with the client computer at IP address 192.168.50.30, and we are prepared to initiate the Kerberoasting attack.
After obtaining the password of the "pcuser" account, which belongs to the
Figure 10: Purging the pcuser's tickets.
$ klist purge
Figure 11: pcuser's session without Kerberos tickets.
$ klist
We are now ready to create the Kerberos ticket for the "ceo" user. In the image (Figure 12), the PowerShell command executed uses Rubeus, a tool designed for Kerberos ticket operations. The command below is employed to request a Ticket Granting Ticket (TGT) for the "ceo" user in the lab.com domain. The "/rc4" parameter supplies the NTLM hash of the "ceo" user's password, which for the RC4-HMAC encryption type is the user's Kerberos key itself, and the "/ptt" flag indicates that the ticket should be injected directly into the current logon session upon receipt. This process allows us to impersonate the "ceo" user by obtaining a valid TGT, which can then be used to access resources and services that the "ceo" user has permissions for within the domain, without ever knowing the clear-text password.
Figure 12: Creating a TGT for the "ceo" user.
$ .\Rubeus.exe asktgt /domain:lab.com /user:ceo /rc4:8846F7EAEE8FB117AD06BDD830B7586C /ptt
The output (Figure 13) shows that the TGT request was successful. Rubeus uses the provided NTLM hash to encrypt the pre-authentication timestamp of an AS-REQ and sends the request to the Domain Controller; the KDC, which verifies the timestamp with the same hash, answers with a TGT. Because the request explicitly asks for RC4, the Domain Controller records this TGT request (Event ID 4768) with Ticket Encryption Type 0x17, a detail that Section 2.5.2 relies on. The Base64-encoded ticket is displayed, followed by confirmation that the ticket has been successfully imported into our current session (Figure 14). The final section of the output confirms the details of the imported ticket, including the service name (krbtgt/lab.com), the service realm (LAB.COM), and the user realm (LAB.COM), all associated with the "ceo" user. This ticket allows us to impersonate the "ceo" user and access resources within the lab.com domain.
Figure 13: TGT of the "ceo" user.
Figure 14: Current session with ceo's TGT.
$ klist
The output of Figure 15 reveals that the "ceo" user is a member of the "Domain Admins" group, indicating that this account has significant privileges within the domain. Having verified the elevated privileges of the "ceo" user, we proceed to access the confidential folder on the domain controller (Figure 16). This successful access confirms the effectiveness of the attack, demonstrating the ability to use the obtained Kerberos ticket to gain unauthorized access to critical resources within the domain.
Figure 15: The "ceo" user is in the Domain Admins group.
$ net user /domain ceo
Figure 16: We have access to confidential-folder on the domain controller.
$ ls \\Dc\confidential-folder
The cached tickets in Figure 17 confirm that the session now holds, besides the TGT, service tickets obtained as "ceo" for multiple services, including the domain controller's CIFS service, which is used for accessing shared folders and files on the network. Each of these service tickets was issued by the KDC on the strength of the injected TGT, so the presence of a CIFS ticket for the domain controller shows that the stolen hash alone was enough to reach resources reserved for domain administrators.
Figure 17: Cached tickets of the "ceo" user: TGT and TGS tickets.
$ klist
2.4.3 Silver ticket Attack
The Silver Ticket attack is a method of forging Kerberos service tickets to gain access to specific services within an Active Directory (AD) environment. Unlike the Golden Ticket attack, which forges the Ticket Granting Ticket (TGT) for unrestricted access across the domain, the Silver Ticket attack forges the service ticket (TGS ticket) of a particular service, allowing the attacker to access that service without any interaction with the Key Distribution Center (KDC) (Pérez, 2019): a service validates a ticket only by decrypting it with its own key, so it never consults the domain controller. This attack takes advantage of service accounts, which often have less stringent security measures compared to other accounts.
In a Silver Ticket attack, the attacker first needs the NTLM hash of the service account password, in our case "A9FDFA038C4B75EBC76DC855DD74F0DA" (the NTLM hash of password123, Figure 6) of the sqluser account that we found with Kerberoasting. Once the NTLM hash is obtained, the attacker can forge a service ticket for the targeted service that names any user (here the Administrator), gaining that user's access to the associated service resources. In this scenario we have the clear-text password, so we first have to convert it to the NTLM hash (Figure 18).
Figure 18: Generating the NTLM hash.
$ .\Rubeus.exe hash /password:password123
The attacker then generates a service ticket for the targeted service using the generated NTLM hash. This involves crafting the ticket with the necessary information, including the SPN (Figure 19), the NTLM hash (Figure 18), the domain SID (Figure 26), the user to impersonate and the domain.
Figure 19: Searching for SPNs.
$ .\GetUserSPNs.ps1
The final step involves the creation of the Silver Ticket using Rubeus (Figure 20), showing the detailed parameters used to forge the ticket. The Rubeus command "Rubeus.exe silver" is used to create a Silver Ticket. In the provided figure, we specify various parameters including the target service "/service:sqluser/lab.com", the RC4 hash of the service account, the domain SID, the username to impersonate, and the domain name.
Figure 20: Rubeus creating the silver ticket.
$ .\Rubeus.exe silver /service:sqluser/lab.com /rc4:A9FDFA038C4B75EBC76DC855DD74F0DA /sid:S-1-5-21-2134806138-80834246-46628613 /user:Administrator /domain:lab.com /ptt
The successful creation of the ticket is confirmed by Rubeus, indicating that the attacker now has a ticket that can be used to impersonate the Administrator to the specified service. The last step is to pass the ticket into our current session with the "/ptt" option, as shown in the figure. This completes the process, allowing the attacker to use the forged ticket to access the targeted service. Note that the ticket is only as good as the SPN it carries: it is accepted by the service that owns that SPN and by nothing else, and it remains valid until the sqluser password is changed.
2.5 Attack Detection
2.5.1 Kerberoasting Detection
Kerberoasting is an attack method that focuses on obtaining service account credentials in Active Directory. It exploits a property of the Kerberos protocol itself rather than a software bug: service tickets are encrypted with the key of the service account, and any authenticated user may request them, so the attacker obtains material for offline cracking without needing elevated privileges. Attackers can use the cracked credentials to obtain unauthorized access to sensitive data and potentially escalate their privileges within the domain. Understanding the mechanics of Kerberoasting and using strong detection techniques is essential for protecting Active Directory environments.

Kerberoasting is the process of obtaining Kerberos service tickets (TGS tickets) for service accounts within an Active Directory domain. Any holder of a domain user account can request these tickets, which are encrypted using the password hash of the service account. The attacker extracts the encrypted part of each ticket from the TGS-REP (or from the local ticket cache) and tries to crack it offline, employing software like hashcat or John the Ripper. Cracking the password successfully exposes the service account's password, giving the attacker entry to the systems that account can reach and, if the account holds elevated permissions, a path to higher privileges.

Tim Medin first described this technique at DerbyCon 2014, emphasizing its efficacy against Active Directory domains. The attack is especially powerful because of the widespread habit of choosing easily guessable passwords for service accounts and the rarity of password changes on these accounts. An efficient way to identify Kerberoasting is to implement thorough logging and monitoring of Kerberos service ticket requests. Configure Domain Controllers to log Kerberos service ticket requests (Event ID 4769) and renewals (Event ID 4770). Through constant tracking of these records, organizations can detect anomalous patterns in service ticket requests that may signal Kerberoasting (Metcalf, 2017). More precisely, a large number of TGS requests that are encrypted with RC4 can indicate a problem, since current Windows systems employ AES encryption for Kerberos tickets by default. By filtering logs for RC4 encryption (Ticket Encryption Type 0x17) one can effectively narrow down and identify probable Kerberoasting attempts; tools such as Rubeus and Impacket deliberately request RC4 tickets because RC4-HMAC ciphertext cracks far faster than AES. This strategy is effective since the use of RC4 should be limited in environments that have AES capability, making RC4-encrypted TGS requests an unusual occurrence that deserves inquiry. Two caveats apply: requests for computer accounts (service names ending in "$") and for krbtgt should be excluded to reduce noise, and service accounts whose msDS-SupportedEncryptionTypes attribute does not include AES always receive RC4 tickets, so those must be baselined or fixed before the RC4 filter is trusted.

Another crucial part of detection involves monitoring for actions related to scanning for Service Principal Names (SPNs). Attackers frequently use SPN scans to find service accounts that are vulnerable to Kerberoasting. Organizations should establish monitoring tools to identify unexpected SPN query patterns (LDAP searches for accounts with servicePrincipalName set) and correlate them with TGS requests to detect the reconnaissance that precedes a Kerberoasting attack. Scripts such as the GetUserSPNs.ps1 used in Section 2.4.3, or Impacket's Python GetUserSPNs.py, can be utilized to list and analyze SPNs, which makes it crucial for administrators to periodically review SPN assignments to verify their necessity and correct management. Moreover, behavioral analytics can be used to identify patterns such as a single user requesting TGS tickets for several different services within a brief period of time. Establishing honeypot service accounts with SPNs that are never legitimately requested can serve as a highly effective mechanism (Medin, 2020), promptly classifying any attempt to obtain tickets for these accounts as malicious activity.

In order to reduce the danger of Kerberoasting, businesses should implement strong password requirements for service accounts. Service account passwords should have a considerable length, ideally exceeding 25 characters; they should also be complex and changed on a regular basis. Managed Service Accounts (MSAs) and Group Managed Service Accounts (gMSAs) are advised because they automatically generate and routinely rotate long random passwords without manual intervention, which puts the encrypted ticket beyond the reach of offline cracking. Effective administration and examination of service accounts hold the same importance. This means making sure that SPNs are allocated to accounts only when required and promptly removing SPNs when the corresponding service is decommissioned. Service accounts should be placed in dedicated Organizational Units (OUs) and closely monitored for any deviations from expected behavior.

An advanced method of detection involves feeding Kerberos event logs into a Security Information and Event Management (SIEM) system. This allows for the centralized monitoring of events, enhancing the detection of patterns that indicate a Kerberoasting attack. SIEM solutions can employ analytics and machine learning algorithms to identify these patterns, improving the accuracy of detection. To enhance detection efficiency, it is beneficial to reduce the volume of 4769 events by filtering on service accounts and prioritizing malformations (Splunk Threat Research Team, 2022). Enabling thorough PowerShell logging (script block and module logging) and sending these logs to a centralized repository can help detect the use of PowerShell scripts for SPN enumeration and ticket requests (Metcalf, 2017). Events showing the use of the "KerberosRequestorSecurityToken" .NET class, which PowerShell Kerberoasting scripts use to request a service ticket for an SPN, should trigger alerts for further investigation.

To summarize, Kerberoasting is a powerful attack technique that can compromise the credentials of service accounts in Active Directory environments. Organizations can safeguard themselves against this threat by understanding its mechanics and implementing the detection and mitigation strategies mentioned above. An effective defense against Kerberoasting is built upon comprehensive logging, monitoring, and auditing, as well as the implementation of strong password policies and the utilization of managed service accounts (Medin, 2020). Utilizing advanced detection techniques, such as integrating a Security Information and Event Management (SIEM) system and implementing PowerShell logging, significantly improves an organization's capability to identify and react to Kerberoasting attempts. Consistent monitoring and proactive actions are crucial for protecting Active Directory environments from this and other advanced attack techniques.
2.5.2 Overpass the hash Detection
Overpass-the-Hash, also referred to as the Pass-the-Key attack, is an attack method that uses a user's NTLM password hash to gain unauthorized access to network resources, bypassing the need for the actual password. Unlike classic Pass-the-Hash, which replays the hash over NTLM authentication, this technique uses the hash as the Kerberos key (the NTLM hash is the RC4-HMAC key) to obtain a legitimate TGT from the KDC, and with that ticket the attacker can gain higher levels of access and move laterally across the network. Having the ability to identify and prevent these attacks is essential for maintaining the security of an Active Directory environment. The attack follows a series of steps: first, the attacker gains access to a system; then they retrieve password hashes from its memory; these hashes are then used to obtain Kerberos tickets, which enable the attacker to authenticate to different network resources without needing the actual passwords. To identify Overpass-the-Hash attacks, it is necessary to combine monitoring and analysis of network traffic, authentication logs, and system behavior (Warren, 2023). Crucial signs of such attacks consist of atypical login patterns, uncommon service creation, memory scraping activity, and a flood of authentication requests within a brief time frame. Monitoring for the use of tools such as Rubeus or Mimikatz and for the creation of unauthorized services can aid in the detection of potential Overpass-the-Hash attacks.

Logging and monitoring are important for effectively detecting Overpass-the-Hash attacks (Petri, 2024); a complete log of authentication events is essential in order to identify them. It is recommended to configure Active Directory environments to record all authentication events. The most specific indicator on the domain controller is the TGT request itself: Event ID 4768 with Ticket Encryption Type 0x17 (RC4) for an account and host that normally negotiate AES (0x12), which is exactly what "Rubeus asktgt /rc4" in Section 2.4.2 produces, whereas Mimikatz "sekurlsa::pth" additionally leaves a logon of type 9 (NewCredentials, Event ID 4624) on the source host. Through monitoring of these occurrences, administrators can detect suspicious trends (Warren, 2023), such as a sharp rise in authentication requests within a brief time frame, which may indicate the presence of an attack. In addition, tracking unexpected login times and locations can aid in the identification of unauthorized access attempts. An example of this is when a user account that usually logs in from a specific location suddenly begins logging in from multiple locations; this could indicate an Overpass-the-Hash attack. Security Information and Event Management (SIEM) systems can be employed to collect and examine these logs (Petri, 2024), offering immediate alerts for potentially malicious actions. Perpetrators frequently create unusual services to ensure their continued presence within the network, and any unusual service creation should be thoroughly examined. Overpass-the-Hash attacks often involve a high volume of authentication requests in a short period. By analyzing network traffic, administrators can identify spikes in authentication traffic and investigate the source of these requests. Tools like Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can be used to monitor network traffic and detect anomalies. Additionally, monitoring for the use of known attack tools like Mimikatz or Rubeus can help identify potential attacks. These tools often generate specific network traffic patterns that can be detected and flagged for further investigation. Endpoint Detection and Response (EDR) solutions offer comprehensive insight into the actions performed on endpoints (Saydag & Moore, 2019), enabling administrators to promptly identify and prevent attacks as they occur. These solutions have the capability to monitor endpoints for indications of Overpass-the-Hash attacks, such as the aforementioned tools designed for extracting credentials (Warren, 2023). EDR solutions are capable of identifying memory scraping activity, the common technique used to extract NTLM password hashes from the memory of the LSASS process.

Privileged Access Management (PAM) solutions assist in the management and regulation of privileged access to crucial systems. Through the implementation of PAM, organizations can uphold the principle of least privilege, guaranteeing that users are granted only the access necessary to carry out their tasks. PAM solutions have the capability to monitor and record all activities related to privileged access, thereby offering comprehensive audit trails for forensic analysis. PAM solutions can also enforce just-in-time access, which means that users are granted temporary access to privileged accounts only when it is necessary. This measure aids in mitigating the potential for credential theft and unauthorized access. Another method to mitigate this attack is network segmentation, that is, the process of dividing a network into smaller segments (Petri, 2024), each having its own set of security controls. Organizations can restrict the lateral movement of attackers by dividing the network into segments. For example, it is possible to segregate critical systems and sensitive data into isolated segments that have more stringent access controls; the implementation of firewalls and access controls between segments can also help in the detection and prevention of unauthorized access.

Detecting and mitigating Overpass-the-Hash attacks requires a multi-layered approach involving comprehensive logging and monitoring security measures (Saydag & Moore, 2019). By implementing strong password policies, network segmentation, PAM solutions, and regular audits, organizations can significantly reduce the risk of such attacks. Maintaining the security of Active Directory environments requires constant monitoring and the use of sophisticated detection tools and techniques. Organizations can protect themselves against Overpass-the-Hash attacks and other advanced threats by staying updated on the latest attack methods and implementing strong security practices.
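The two domain-controller-side signals described in Sections 2.5.1 and 2.5.2 can be expressed as a short rule set over the Security log. The Python program below is an added example, not detection code from the thesis or from any cited vendor; it runs over constructed events laid out with the field names of the real 4768 and 4769 events (TargetUserName, ServiceName, TicketEncryptionType, IpAddress), and flags (1) an account that obtains RC4 (0x17) service tickets for several distinct SPNs within a few minutes, with computer accounts and krbtgt excluded as the Splunk rule cited above does, and (2) a 4768 TGT request with RC4 for an account whose earlier TGT requests were AES, which is the footprint of the "asktgt /rc4" command used in the lab. The host names, user names and addresses are made up.

```python
"""Added example (not from the thesis): KDC-side rules for Kerberoasting and Overpass-the-Hash
run over constructed Windows Security-log events. Field names follow the real 4768/4769
events; the users, SPNs and addresses are invented for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC, AES256 = "0x17", "0x12"   # TicketEncryptionType values logged by the DC

# Constructed sample events:
# (TimeCreated, EventID, TargetUserName, ServiceName, TicketEncryptionType, IpAddress)
SAMPLE_EVENTS = [
    ("2024-06-20 10:00:01", 4768, "ceo", "krbtgt", AES256, "192.168.50.10"),
    ("2024-06-20 10:02:11", 4769, "ceo@LAB.COM", "DC01$", AES256, "192.168.50.10"),
    ("2024-06-20 10:15:02", 4769, "pcuser@LAB.COM", "sqluser", RC4_HMAC, "192.168.50.30"),
    ("2024-06-20 10:15:02", 4769, "pcuser@LAB.COM", "websvc", RC4_HMAC, "192.168.50.30"),
    ("2024-06-20 10:15:03", 4769, "pcuser@LAB.COM", "backupsvc", RC4_HMAC, "192.168.50.30"),
    ("2024-06-20 10:15:03", 4769, "pcuser@LAB.COM", "DC01$", RC4_HMAC, "192.168.50.30"),  # computer account: noise
    ("2024-06-20 10:40:00", 4768, "ceo", "krbtgt", RC4_HMAC, "192.168.50.30"),  # asktgt /rc4 from the victim PC
    ("2024-06-20 11:00:00", 4768, "legacyapp", "krbtgt", RC4_HMAC, "192.168.50.77"),  # always RC4: no AES baseline
]


def parse(events):
    """Normalise the tuples into dicts; 4769 logs user@REALM, 4768 logs the bare name."""
    return [dict(time=datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), id=eid,
                 user=user.split("@")[0].lower(), service=svc, etype=etype, ip=ip)
            for t, eid, user, svc, etype, ip in events]


def kerberoast_candidates(events, min_spns=3, window=timedelta(minutes=5)):
    """Users with at least min_spns distinct RC4 service-ticket requests inside `window`.
    Computer accounts (names ending in $) and krbtgt are excluded to cut the noise."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if (ev["id"] == 4769 and ev["etype"] == RC4_HMAC
                and not ev["service"].endswith("$") and ev["service"].lower() != "krbtgt"):
            per_user[ev["user"]].append(ev)
    flagged = {}
    for user, reqs in per_user.items():
        for i, start in enumerate(reqs):           # sliding window over this user's requests
            spns = {r["service"] for r in reqs[i:] if r["time"] - start["time"] <= window}
            if len(spns) >= min_spns:
                flagged[user] = sorted(spns)
                break
    return flagged


def rc4_tgt_downgrades(events):
    """4768 with RC4 for an account that previously obtained an AES TGT: what
    `Rubeus asktgt /rc4 ... /ptt` looks like from the DC. Returns (user, ip, baseline_ip)."""
    last_aes_ip, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4768:
            continue
        if ev["etype"] == AES256:
            last_aes_ip[ev["user"]] = ev["ip"]
        elif ev["etype"] == RC4_HMAC and ev["user"] in last_aes_ip:
            hits.append((ev["user"], ev["ip"], last_aes_ip[ev["user"]]))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_EVENTS)
    print("kerberoasting:", kerberoast_candidates(evs))
    print("rc4 TGT downgrade:", rc4_tgt_downgrades(evs))
```

On the sample data the first rule names pcuser with the three service SPNs and ignores the DC01$ request, and the second names ceo requesting an RC4 TGT from 192.168.50.30 after an AES TGT from 192.168.50.10, while legacyapp, which never negotiated AES, is not reported. In production the AES baseline should be learned per account over days rather than from a single earlier event, and the honeypot SPN check from Section 2.5.1 is simply `ev["service"] in HONEYPOT_SPNS`, which needs no window at all.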
2.5.3 Silver ticket Detection
Unlike Golden Ticket attacks, which target the Ticket Granting Ticket (TGT), Silver Ticket attacks focus on forging Kerberos service tickets (TGS tickets) for specific services, allowing attackers to gain unauthorized access to service resources within the domain. This attack exploits the fact that a service ticket is validated by the service alone, with its own key, so a forged one is never presented to the Key Distribution Center (KDC); the domain controller therefore logs no 4769 event for it, which makes the attack harder to detect. Silver Ticket attacks give the attacker the capability to impersonate any user to the targeted service and gain access to its resources. The attacker initially penetrates the network and retrieves the NTLM hash of a service account; using this hash, the attacker can generate fraudulent service tickets that grant continuous and unrestricted entry to the targeted service, avoiding standard authentication measures. The access remains valid as long as the service account password remains unchanged, resulting in a highly persistent attack.

Detecting Silver Ticket attacks involves monitoring for specific indicators that suggest unauthorized Kerberos activity. Key indicators include abnormal service ticket usage patterns, discrepancies in ticket lifetimes (Metcalf, 2015), and authentication attempts from unexpected locations and devices. For instance, legitimate Kerberos tickets have the lifetime set by domain policy (10 hours by default), whereas forged tickets may exhibit unusually long or customized lifetimes. Monitoring for tickets with irregular lifetimes can help identify potential Silver Ticket activity (Ganesh, 2021). Analyzing service ticket usage patterns for anomalies, such as service tickets used by unexpected accounts or from unexpected machines, is also critical; in particular, a Kerberos logon (Event ID 4624) on a member server for which no domain controller recorded a corresponding service ticket request (Event ID 4769) is a strong signal, because a genuine ticket is always issued by the KDC first. Effective monitoring of Kerberos-related events is crucial (Metcalf, 2015). Examining network traffic for Kerberos protocol activity could reveal suspicious actions, and utilizing technologies such as Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems can aid in detecting these unusual behaviors. Implementing Endpoint Detection and Response (EDR) solutions provides detailed visibility into endpoint activities (Ganesh, 2021), allowing administrators to detect and respond to attacks in real time. EDR solutions can monitor endpoints for signs of credential dumping tools and can detect suspicious processes and memory accesses indicative of an attack.

To successfully prevent Silver Ticket attacks, it is necessary to implement both proactive and regular measures. Enforcing strong password policies for service accounts is critical: passwords should be long, complex, and changed regularly, since a password change is the only thing that invalidates an existing Silver Ticket. Additionally, using Managed Service Accounts (MSAs) and Group Managed Service Accounts (gMSAs) that automatically generate and manage complex passwords can mitigate the risk of credential theft (Metcalf, 2015). Kerberos PAC validation, where the service asks a domain controller to verify the KDC signature on the ticket's PAC, defeats a Silver Ticket whose KDC signature the attacker could not produce, but Windows skips it for services running with the SeTcbPrivilege (such as LocalSystem), so it cannot be relied upon alone. Regular auditing of service accounts, ensuring that they adhere to strict password policies and monitoring their use, helps reduce the attack surface. Implementing network segmentation to limit the lateral movement of attackers and enforcing strict access controls between network segments can contain the impact of a Silver Ticket attack. Conducting regular audits and penetration testing assists in the identification and resolution of security vulnerabilities within the network. Audits should involve an examination of password rules, access controls, and network segmentation, whereas penetration testing emulates attacks to identify vulnerabilities and evaluate the efficacy of security safeguards.

In summary, Silver Ticket attacks pose a substantial risk to the security of Active Directory environments since they enable attackers to get unauthorized access to particular services. Efficient detection depends on the incorporation of extensive logging, anomaly detection, and proactive security measures (Ganesh, 2021). Organizations can greatly improve their defenses against Silver Ticket attacks by implementing strict password regulations, conducting frequent audits of service accounts, monitoring for abnormal login patterns, and deploying advanced detection technologies. Continuous alertness and strong security policies are necessary to protect your systems from this advanced attack.
2.5.4 Golden ticket Detection
Detecting Golden Ticket attacks is crucial to maintaining the integrity of Active Directory (AD) environments. These attacks exploit the Kerberos authentication protocol, allowing attackers to create counterfeit Kerberos Ticket Granting Tickets (TGTs) that grant unlimited access to AD resources. The attack hinges on compromising the key with which the KDC encrypts and signs every TGT, namely the password hash of the krbtgt account, so that the attacker can forge TGTs that the domain controller accepts as its own. Understanding how to detect and mitigate these attacks is vital to ensuring robust security. Golden Ticket attacks give the attacker the capability to impersonate any user and gain access to any service within the domain. The attacker initially penetrates the network and retrieves the hash of the krbtgt account, which requires domain administrator-level access to a domain controller or directory replication rights, using tools such as Mimikatz. Using this hash, anybody can generate fraudulent TGTs that grant continuous and unrestricted entry, avoiding standard authentication measures. The access stays valid for as long as the krbtgt account password remains unchanged, resulting in a highly persistent attack.
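Both forged-ticket attacks leave gaps rather than events: a Silver Ticket produces a logon on the member server that no domain controller ever issued a service ticket for, and a Golden Ticket produces service ticket requests for a user to whom the KDC never issued a TGT. Forged tickets also tend to carry lifetimes far beyond domain policy. The Python program below is an added example, not detection code from the thesis, serving the Silver Ticket indicators of Section 2.5.3 and the Golden Ticket indicators discussed next. It parses constructed `klist` output and flags tickets valid for longer than the assumed 10-hour "Maximum lifetime for user ticket" policy default, and it correlates constructed 4768, 4769 and 4624 events to surface both gaps. The klist text, the event data, the host names and the users are all made up for the example.

```python
"""Added example (not from the thesis): indicators of forged Kerberos tickets.
(1) Cached tickets whose validity exceeds the domain policy, parsed from Windows `klist` output
    (mimikatz and Rubeus forge 10-year tickets unless told otherwise).
(2) KDC-side gaps: a 4769 service-ticket request with no 4768 TGT request for that user
    (Golden Ticket: the TGT was never requested) and a Kerberos 4624 logon on a member server
    with no 4769 for that user on the DC (Silver Ticket: the service never asked the KDC).
All klist text and events are constructed; the 10 h policy value is the Windows default."""
import re
from datetime import datetime, timedelta

MAX_TICKET_AGE = timedelta(hours=10)   # assumed "Maximum lifetime for user ticket" (default)

SAMPLE_KLIST = """
#0>     Client: ceo @ LAB.COM
        Server: krbtgt/LAB.COM @ LAB.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 6/20/2024 10:15:02 (local)
        End Time:   6/20/2034 10:15:02 (local)
        Renew Time: 6/20/2034 10:15:02 (local)
#1>     Client: ceo @ LAB.COM
        Server: cifs/DC01.lab.com @ LAB.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 6/20/2024 10:16:40 (local)
        End Time:   6/20/2024 20:15:02 (local)
        Renew Time: 6/27/2024 10:15:02 (local)
"""


def parse_klist(text):
    """Split Windows klist output into dicts with client, server, start and end."""
    tickets = []
    for block in re.split(r"^#\d+>", text.strip(), flags=re.M)[1:]:
        f = dict(re.findall(r"^\s*(Client|Server|Start Time|End Time): *(.+?)(?: \(local\))?$",
                            block, flags=re.M))
        tickets.append({"client": f["Client"], "server": f["Server"],
                        "start": datetime.strptime(f["Start Time"], "%m/%d/%Y %H:%M:%S"),
                        "end": datetime.strptime(f["End Time"], "%m/%d/%Y %H:%M:%S")})
    return tickets


def overlong_tickets(tickets, max_age=MAX_TICKET_AGE):
    """(server, lifetime) for every cached ticket valid for longer than the policy allows."""
    return [(t["server"], t["end"] - t["start"]) for t in tickets if t["end"] - t["start"] > max_age]


# Constructed events: (time, logging host, EventID, user, service or target host).
# 4768/4769 come from the DC's Security log, 4624 (LogonType 3, Kerberos) from each server's own log.
SAMPLE_EVENTS = [
    ("2024-06-20 10:00:01", "DC01", 4768, "pcuser", "krbtgt"),
    ("2024-06-20 10:00:05", "DC01", 4769, "pcuser", "cifs/FS01.lab.com"),
    ("2024-06-20 10:00:06", "FS01", 4624, "pcuser", "FS01"),            # normal: TGT, then TGS, then logon
    ("2024-06-20 11:30:00", "DC01", 4769, "ceo", "cifs/DC01.lab.com"),  # Golden Ticket: no 4768 for ceo
    ("2024-06-20 11:30:01", "DC01", 4624, "ceo", "DC01"),
    ("2024-06-20 12:10:00", "SQL01", 4624, "Administrator", "SQL01"),   # Silver Ticket: no 4769 on the DC
]


def forged_ticket_indicators(events, tgt_life=timedelta(hours=10)):
    """Golden: 4769 for a user with no 4768 within tgt_life before it.
    Silver: Kerberos 4624 on a server with no 4769 for that user within tgt_life before it.
    Returns (golden, silver) as lists of (user, service) and (user, host)."""
    evs = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), host, eid, user.lower(), svc)
           for t, host, eid, user, svc in events]
    tgts = [(t, u) for t, _, eid, u, _ in evs if eid == 4768]
    tgss = [(t, u) for t, _, eid, u, _ in evs if eid == 4769]

    def preceded(t, user, issued):
        return any(u == user and timedelta(0) <= t - ti <= tgt_life for ti, u in issued)

    golden = [(u, s) for t, _, eid, u, s in evs if eid == 4769 and not preceded(t, u, tgts)]
    silver = [(u, h) for t, h, eid, u, _ in evs if eid == 4624 and not preceded(t, u, tgss)]
    return golden, silver


if __name__ == "__main__":
    print("over-long tickets:", overlong_tickets(parse_klist(SAMPLE_KLIST)))
    print("golden, silver:", forged_ticket_indicators(SAMPLE_EVENTS))
```

On the sample data the klist check reports only the 10-year krbtgt ticket, the correlation reports ceo's service ticket request as a Golden Ticket candidate and the Administrator logon on SQL01 as a Silver Ticket candidate, and pcuser's normal chain is silent. Two caveats apply in production: an attacker can set the forged lifetime equal to the policy value, so the lifetime check is only an opportunistic signal, and the correlation window must cover TGT renewals (Event ID 4770) and the whole maximum ticket lifetime, or legitimate cached tickets that were issued before the log window will appear as gaps.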
Detecting Golden Ticket attacks involves monitoring for specific indicators of unauthorized Kerberos activity. Key indicators include abnormal ticket lifetimes, unusual logon patterns, and event log entries that signal suspicious activity. Legitimate Kerberos tickets have lifetimes bounded by the domain Kerberos policy (10 hours for a TGT by default), whereas forged tickets may exhibit unusually long or customized lifetimes (Petri, 2024). Monitoring cached tickets with irregular lifetimes can therefore help identify Golden Ticket activity: as seen in Figure 28 (and in Figure 20), the default lifetime of a ticket forged with Mimikatz is 10 years. It is important to note, however, that an attacker can set this parameter to any value, including one that matches the domain policy, so a normal-looking lifetime is not proof that a ticket is legitimate. Analyzing logon patterns for anomalies, such as logons from unusual locations or at odd times, is also critical; a sudden surge in logons by an administrative account across various systems can indicate a compromised account being used with a Golden Ticket (Petri, 2024). Effective monitoring of Kerberos-related events is crucial. Event IDs 4768 (a Kerberos authentication ticket, i.e. a TGT, was requested) and 4769 (a Kerberos service ticket was requested) deserve careful examination. Because a forged TGT is never issued by the KDC, its use shows up as 4769 service ticket requests for an account and host that have no corresponding 4768 TGT request, and a ticket forged from the krbtgt NTLM hash is typically RC4-encrypted (encryption type 0x17) in a domain where legitimate tickets use AES. A large number of these events, particularly those involving privileged accounts, warrants further examination. In addition, watching for irregularities in service ticket activity, such as service tickets requested by unexpected user accounts or from unexpected devices, can offer timely indications of a problem. Examining network traffic for Kerberos protocol activity can reveal suspicious actions, and technologies such as Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems can aid in detecting these unusual behaviors (Manage Engine, 2022). Endpoint Detection and Response (EDR) solutions provide detailed visibility into endpoint activity, allowing administrators to detect and respond to attacks in real time; they can monitor endpoints for credential dumping tools and detect suspicious processes and LSASS memory access indicative of an ongoing Golden Ticket attack.
Preventing Golden Ticket attacks requires both proactive steps and regular checks. Changing the krbtgt account password invalidates forged TGTs; to make sure that any existing Golden Tickets are no longer valid, the krbtgt password should be changed at least every six months. Note that the KDC accepts tickets encrypted with either the current or the previous krbtgt key, so the password must be reset twice, with enough time between the resets for the first change to replicate to every domain controller, before existing forged tickets actually stop working. There must also be strict control of privileged accounts. Putting strict controls on privileged accounts and making sure they undergo periodic review helps lower the risk. Using Privileged Access Management (PAM) tools to enforce just-in-time access improves security further (Manage Engine, 2022). It is crucial to provide security training to administrators and security staff regarding the risks and indicators associated with Golden Ticket attacks. Consistent training on current attack methodologies and defensive techniques helps maintain an effective security posture. Regularly conducting audits and penetration testing assists in the identification and resolution of security weaknesses within the network (Petri, 2024). Audits should examine password rules, access controls, and network segmentation, whereas penetration testing emulates attacks to identify vulnerabilities and evaluate the efficacy of the security safeguards.
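As an added example (not code from the thesis or from any of the tools it uses), the following Python script applies the 4768/4769 indicators above to a handful of constructed Security-log records: a service ticket request with no preceding TGT request from the same account and host, an RC4 ticket in a domain that otherwise uses AES, and a privileged account fanning out to several services within seconds. It also checks a cached ticket's lifetime against the default 10-hour TGT policy. The simplified field names, the privileged-account list, the thresholds and the sample events are all assumptions for illustration; the real events carry the fields TargetUserName, IpAddress, ServiceName and TicketEncryptionType.

```python
"""Heuristic Golden Ticket detection over Windows Security events 4768/4769.

Added example; the event records below are constructed, not taken from the
thesis lab. Field names are simplified from the real event schema
(TargetUserName -> user, IpAddress -> ip, ServiceName -> service,
TicketEncryptionType -> etype). Thresholds and the privileged-account list
are assumptions to be tuned per domain.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption types as logged by the DC: 0x12 = AES256, 0x11 = AES128,
# 0x17 = RC4-HMAC (what Mimikatz produces when given the krbtgt NTLM hash).
AES_ETYPES = ("0x11", "0x12")
MAX_TGT_AGE = timedelta(hours=10)       # default domain Kerberos policy MaxTicketAge
FANOUT_WINDOW = timedelta(minutes=5)    # assumed window for the "many services" rule
FANOUT_SERVICES = 3                     # assumed threshold of distinct services
PRIVILEGED = {"Administrator", "ceo"}   # assumed list of high-value accounts

SAMPLE_EVENTS = [  # constructed sample data
    # Normal logon: AS-REQ (4768) for a TGT, then a TGS-REQ (4769) for one service.
    {"id": 4768, "time": "2024-05-01T08:00:00", "user": "pcuser",
     "ip": "192.168.50.30", "service": "krbtgt", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-01T08:00:05", "user": "pcuser",
     "ip": "192.168.50.30", "service": "cifs/dc.lab.com", "etype": "0x12"},
    # Golden Ticket use as seen by the DC: service tickets for Administrator with
    # no 4768 beforehand, RC4 in an AES domain, several services within seconds.
    {"id": 4769, "time": "2024-05-01T09:10:00", "user": "Administrator",
     "ip": "192.168.50.30", "service": "cifs/dc.lab.com", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:10:02", "user": "Administrator",
     "ip": "192.168.50.30", "service": "ldap/dc.lab.com", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:10:04", "user": "Administrator",
     "ip": "192.168.50.30", "service": "host/dc.lab.com", "etype": "0x17"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_golden_ticket(events, privileged=PRIVILEGED, expected_etypes=AES_ETYPES):
    """Return a sorted list of (rule, user, ip) findings for the three indicators."""
    events = sorted(events, key=_ts)
    tgt_times = defaultdict(list)   # (user, ip) -> times of 4768 events
    svc_hits = defaultdict(list)    # (user, ip) -> (time, service) of 4769 events
    findings = set()
    for e in events:
        key = (e["user"], e["ip"])
        now = _ts(e)
        if e["id"] == 4768:
            tgt_times[key].append(now)
            continue
        if e["id"] != 4769:
            continue
        # Rule 1: a service ticket request with no TGT request from the same
        # principal/host within MaxTicketAge. A forged TGT never went through
        # the AS exchange, so the KDC logged no 4768 for it.
        if not any(timedelta(0) <= now - t <= MAX_TGT_AGE for t in tgt_times[key]):
            findings.add(("tgs_without_as",) + key)
        # Rule 2: an encryption type the domain does not normally use (RC4 where
        # AES is expected). Attackers can forge AES tickets too, so the absence
        # of this finding is not clearance.
        if e["etype"] not in expected_etypes:
            findings.add(("unexpected_etype_" + e["etype"],) + key)
        # Rule 3: a privileged account fanning out to many distinct services
        # from one host within a short window.
        svc_hits[key].append((now, e["service"]))
        if e["user"] in privileged:
            recent = {s for t, s in svc_hits[key] if now - t <= FANOUT_WINDOW}
            if len(recent) >= FANOUT_SERVICES:
                findings.add(("privileged_fanout",) + key)
    return sorted(findings)


def ticket_lifetime_exceeds_policy(start, end, max_age=MAX_TGT_AGE):
    """True when a cached ticket (as shown by klist) outlives MaxTicketAge.

    Mimikatz forges TGTs valid for 10 years by default, but the attacker can
    pick any lifetime, so a policy-conformant lifetime proves nothing.
    """
    return datetime.fromisoformat(end) - datetime.fromisoformat(start) > max_age


if __name__ == "__main__":
    for finding in detect_golden_ticket(SAMPLE_EVENTS):
        print(finding)
    print(ticket_lifetime_exceeds_policy("2024-05-01T09:10:00", "2034-05-01T09:10:00"))
```

Rule 1 is only a lead, not proof: an account whose TGT was issued before the collection window started, or by a different domain controller, trips it too, so the events of every DC in the domain must be collected together before the absence of a 4768 means anything.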
Summing up, Golden Ticket attacks pose a serious threat to the security of Active Directory deployments, as they give attackers prolonged and uncontrolled access to domain resources. Effective detection relies on the integration of comprehensive logging, anomaly detection, and proactive security measures. Enterprises can greatly strengthen their defenses against Golden Ticket attacks by rotating the krbtgt password regularly, performing penetration testing, training administrators on the threat, closely monitoring for unusual authentication patterns, and utilizing advanced detection technologies. To protect Active Directory (AD) environments from this advanced threat, it is crucial to maintain constant awareness and implement strong security measures.
2.6 Conclusions
2.6.1 Key Issues
The research conducted in this thesis has highlighted several critical issues within the realm of Active Directory (AD) security. One of the most significant is the set of inherent weaknesses in the design and deployment of the Kerberos authentication protocol, which is foundational to AD operations. These weaknesses provide attackers with multiple vectors for compromising AD environments, as demonstrated through the Kerberoasting, Overpass-the-Hash, Silver Ticket, and Golden Ticket attacks.
Kerberoasting leverages the fact that service tickets are encrypted with a key derived from the service account's password, allowing an attacker to extract and crack service account credentials without needing elevated privileges. The attack exploits weak password policies and the common habit of rarely changing service account passwords. The penetration tests demonstrated that, having acquired any authorized domain user account, an attacker can request service tickets for accounts with registered SPNs, capture them, and use tools such as Hashcat to crack the passwords offline. The specific weakness exploited here is the use of RC4 encryption (encryption type 0x17), which, despite being outdated and far cheaper to crack than AES, is still present in numerous systems because of the need to maintain compatibility with older versions.
Overpass-the-Hash attacks use a user's NTLM hash to obtain Kerberos tickets, eliminating the need for the plaintext password. This technique emphasizes the danger of NTLM hash theft and the importance of protecting hashes at rest and in transit. The study showcased how an attacker can use the NTLM hash to obtain a Ticket Granting Ticket (TGT) and then gain entry to other network services as the compromised user. The ease with which these hashes can be obtained from memory using tools like Mimikatz or other NTLM-stealing techniques emphasizes the importance of limiting where hashes reside and who can read them, for instance by restricting local administrative rights and protecting LSASS memory.
Silver Ticket attacks, which involve forging service tickets for targeted services within the domain, demonstrate a further significant weakness. By acquiring the NTLM hash of a service account, an attacker can create service tickets for that service without interacting with the Key Distribution Center (KDC), and in many cases the attacker can also obtain additional privileges if the service account holds them, since the service trusts the group memberships written into the forged ticket. This case highlights the importance of closely monitoring the use of service tickets and enforcing strict password requirements for service accounts. The trials demonstrated that service accounts are frequently overlooked in security audits, rendering them vulnerable to such attacks.
Golden Ticket attacks represent a significant danger because they create forged TGTs that grant uncontrolled access to the domain. Compromising the krbtgt account, whose key encrypts and signs every Ticket Granting Ticket (TGT), enables attackers to create tickets that impersonate any user and access any service. The research demonstrated the enduring consequences of such an attack: the counterfeit tickets remain valid until the password of the krbtgt account is changed. This highlights the importance of routinely changing the krbtgt account password and keeping a close watch for any irregularities in ticket issuance and use. The persistence of such an attack makes it exceptionally hazardous, as it can go unnoticed for prolonged periods, granting attackers continuous access to domain resources.
The experiments demonstrated that while some detection mechanisms were effective, many required enhancement to identify more subtle attack patterns. The study emphasized the significance of thorough monitoring, strong password policies, and proactive security measures in reducing these risks. It also emphasized the need for continuous education and training of IT personnel to stay abreast of the latest attack techniques and defensive measures. To effectively address the intricacy of these attacks and the advanced nature of the tools employed, it is essential to adopt a comprehensive security strategy that combines technical and administrative measures.
2.6.2 Refined Research Questions
Based on the key issues identified, the research questions can be refined to address the specific aspects of Active Directory security that are most vulnerable to these advanced attack techniques. The following refined research questions aim to guide future investigations and practical implementations of security measures:
• What comprehensive security measures can be adopted to protect Active Directory environments from a combination of advanced attack techniques?
This overarching question aims to develop a holistic approach to AD security, integrating multiple layers of defense. It involves combining proactive measures such as strong password policies, regular audits, security training, and the deployment of advanced detection tools to create a robust security framework. By addressing these areas, organizations can significantly enhance their ability to protect against a wide range of advanced attack techniques.
• How frequently should the krbtgt account password be changed to effectively counteract the persistence of Golden Ticket attacks, and what are the best practices for monitoring ticket issuance?
This question addresses the specific frequency and procedure for updating the krbtgt account password. It also explores the best practices for monitoring Kerberos ticket issuance and detecting anomalies that could indicate a Golden Ticket attack. Regular updates of the krbtgt account password are essential for invalidating forged tickets and maintaining the security of the Kerberos authentication protocol.
• What measures can enterprises take to enhance the security of the Kerberos authentication protocol and reduce the exposure to Kerberoasting attacks?
This question aims to explore the specific configurations and security practices that can improve the resilience of the Kerberos protocol against Kerberoasting. It includes investigating the effectiveness of strong password policies, regular password changes, enforcing AES encryption for service accounts instead of RC4, and the use of Managed Service Accounts (MSAs) and Group Managed Service Accounts (gMSAs), whose long random passwords are rotated automatically. These measures are designed to make it more difficult for attackers to exploit weak passwords and gain access to service accounts.
Chapter 3
Research Methodology
3.1 Introduction
The research methodology chapter of this thesis outlines the strategies, tools, and techniques used to investigate Active Directory vulnerabilities, their exploitation methods, and the corresponding detection mechanisms. This chapter is critical as it provides a structured approach to gathering, analyzing, and interpreting data, ensuring the validity and reliability of the findings.
3.2 Research Strategy
The research approach for this thesis employs both qualitative and quantitative methods to comprehensively investigate Active Directory vulnerabilities and the techniques for exploiting them. The qualitative part involves a thorough examination of current literature and industry reports to gain a deep understanding of the theoretical foundations and operational consequences of Active Directory security. The quantitative part consists of practical tests in a controlled laboratory setting that replicate real-world attack scenarios.
The primary data collection method involves setting up a virtual lab environment comprising a domain controller, a client machine, and an attacker system running Kali Linux, together with tools such as Mimikatz and Rubeus. This setup allows for the practical demonstration of attacks such as Kerberoasting, Overpass-the-Hash, Silver Ticket, and Golden Ticket. Each attack is executed under controlled conditions to observe the weaknesses exploited and the impact on the Active Directory environment.
10. Medin, T. (2020) Detecting kerberoasting, RED SIEGE. Available at: https://redsiege.com/tools-techniques/2020/10/detecting-kerberoasting/.
11. Splunk Threat Research Team, S. (2022) Detecting active directory kerberos attacks, Splunk. Available at: https://www.splunk.com/en_us/blog/security/detecting-active-directory-kerberos-attacks-threat-research-release-march-2022.html.
12. Petri, D. (2024) Overpass the hash defense, Semperis. Available at: https://www.semperis.com/blog/how-to-defend-against-overpass-the-hash-attack/.
13. Saydag, B. and Moore, S. (2019) Defeating pass-the-hash, blackhat.com. Available at: https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf.
14. Warren, J. (2023) Overpass-the-hash attack: Principles and detection, Netwrix Blog. Available at: https://blog.netwrix.com/2022/10/04/overpass-the-hash-attacks/.
15. Petri, D. (2024) How to defend against Golden Ticket attacks, Semperis. Available at: https://www.semperis.com/blog/how-to-defend-against-golden-ticket-attacks/.
16. Manage Engine, L. (2022) Golden Ticket attack, ManageEngine Log360. Available at: https://www.manageengine.com/log-management/cyber-security/golden-ticket-attack.html.
17. Metcalf, S. (2015) Detecting forged kerberos ticket (Golden Ticket & Silver Ticket) use in Active Directory, Active Directory Security. Available at: https://adsecurity.org/?p=1515.
18. Ganesh, B. (2021) Detecting and preventing a silver ticket attack, Security Investigation. Available at: https://www.socinvestigation.com/detecting-and-preventing-a-silver-ticket-attack/.
Chapter 7
Appendices
List of Figures
1. Havoc framework: healthy connection with the Windows client computer. (p. 9)
2. Attacker machine network configuration. (p. 10)
3. Discovery of the sqluser service principal name (SPN) and its associated Kerberos ticket in the lab.com domain. (p. 11)
4. Captured Kerberos ticket for the sqluser service principal name (SPN) on the lab.com domain. (p. 12)
5. Brute-forcing the TGS with hashcat. (p. 12)
6. Hashcat output showing the successful brute-force cracking of the TGS. (p. 13)
7. pcuser in the Domain Users group. (p. 14)
8. pcuser access denied to confidential-folder on the domain controller. (p. 14)
9. pcuser's active Kerberos tickets. (p. 15)
10. Purging pcuser's tickets. (p. 16)
11. pcuser without Kerberos tickets. (p. 17)
12. Creating a TGT for the "ceo" user. (p. 18)
13. TGT of the "ceo" user. (p. 19)
14. Current session with ceo's TGT. (p. 20)
15. The "ceo" user is in the Domain Admins group. (p. 21)
16. We have access to confidential-folder on the domain controller. (p. 22)
17. Cached TGT and TGS tickets for the "ceo" user. (p. 23)
18. Generating the NTLM hash. (p. 24)
19. Searching for SPNs. (p. 25)
20. Rubeus creating the silver ticket. (p. 25)
21. Rubeus output. (p. 26)
22. Rubeus silver ticket. (p. 26)
23. Silver ticket cached in our current session. (p. 27)
24. pcuser attempts to access a shared resource. (p. 28)
25. SID of the LAB.COM domain. (p. 29)
26. Creating a golden ticket with the domain admin NTLM hash using Mimikatz. (p. 30)
27. Passing the golden ticket into our current session. (p. 30)
28. Golden ticket in our current session. (p. 31)
29. We can access the "C:" drive on the domain controller. (p. 31)
Appendix figures:
1. Network topology of the virtual lab environment. (p. 51)
7.1 Description of Lab Environment
The virtual lab was set up using Hyper-V Workstation on Azure labs. The lab consists of a Domain Controller running Windows Server 2019 (IP: 192.168.50.20/24), a client machine running Windows 10 Pro (IP: 192.168.50.30/24), and an attacker machine running Kali Linux (IP: 192.168.50.10/24). The following hardware specifications were used:
• Domain Controller: 4 GB RAM, 2 CPUs
• Windows 10 Pro client: 4 GB RAM, 2 CPUs
• Kali Linux attacker: 4 GB RAM, 2 CPUs
7.2 Network Topology
Figure 1: Network topology of the virtual lab environment.
7.3 Tools and Scripts
1. Havoc: https://github.com/HavocFramework/Havoc
2. Mimikatz: https://github.com/ParrotSec/mimikatz
3. Rubeus: https://github.com/GhostPack/Rubeus
4. Impacket: https://github.com/fortra/impacket
5. GetUserSPNs.py script: https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py
6. GetUserSPNs.ps1 script: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1
7. Hashcat: https://github.com/hashcat/hashcat
8. Hashcat documentation: https://hashcat.net/wiki/doku.php?id=hashcat
9. Rockyou wordlist: https://github.com/praetorian-inc/Hob0Rules/blob/master/wordlists/rockyou.txt.gz
7.4 Glossary of Terms
• DC: Domain Controller.
• AD: Active Directory.
• TGT: Ticket Granting Ticket, the ticket issued by the KDC after initial authentication and presented when requesting service tickets.
• TGS: Ticket Granting Service, the KDC component that issues service tickets; in this thesis the term is also used for the service ticket itself.
• SPN: Service Principal Name, a unique identifier of a service instance.
• KDC: Key Distribution Center, the network service (running on every domain controller) that issues Kerberos tickets.
• AES: Advanced Encryption Standard, a symmetric encryption algorithm.
• Brute Force Attack: a method that uses trial and error to crack passwords, login credentials, and encryption keys.
• Hash: a fixed-length numeric or alphanumeric string produced from a piece of data by applying a function whose output values are all the same number of bits in length.
• Password Policy: a set of rules designed to enhance security by requiring users to employ strong passwords.
• Attack Surface: the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from that system, system element, or environment.
• Network Segmentation: an architecture that divides a network into smaller sections or subnets.
• Honeypot: a network-attached system set up as a decoy to lure attackers and to detect, deflect, and study attempts to gain unauthorized access to information systems.