RODC Golden tickets

Theory

With administrative access to an , it is possible to dump all the cached credentials, including those of thekrbtgt_XXXXX account. The hash can be used to forge a "RODC golden ticket" for any account in the msDS-RevealOnDemandGroup and not in the msDS-NeverRevealGroup attributes of the RODC. This ticket can be presented to the RODC or any accessible standard writable Domain Controller to request a Service Ticket (ST).

When presenting a RODC golden ticket to a writable (i.e. standard) Domain Controller, it is not worth crafting the PAC because it will be recalculated by the writable Domain Controller when issuing a service ticket (ST).

Practice

For the moment, from UNIX-like systems no tool is available to only forge a RODC Golden Ticket.

From Windows systems, (C#) can be used for this purpose.

Rubeus.exe golden /rodcNumber:$KBRTGT_NUMBER /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:ticket.kirbi /aes256:$KRBTGT_AES_KEY /user:USER /id:USER_RID /domain:domain.local /sid:DOMAIN_SID

The secret ingredient for making an RODC golden ticket viable is including the correct key version number in the kvno field of the ticket.
(By Elad Shamir on )

Resources

PreviousSapphire tickets NextMS14-068

Last updated 1 year ago

Was this helpful?