The Windows security world is abuzz about Kerberos "golden ticket" attacks in the wake of a seminal presentation at Black Hat USA 2014, the best overview I've seen on the subject.
In a nutshell, if you have domain admin/local admin access on an Active Directory forest/domain, you can manipulate Kerberos tickets to get unauthorized access. A golden ticket attack is one in which you create a Kerberos-generating ticket that is good for 10 years or however long you choose.
[ It's time to take another look at security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
You can be anyone (assuming you have their hash), add any account to any group (including highly privileged groups), and for that matter do anything you within Kerberos authentication capabilities. You can even create usable Kerberos tickets for user/computer/service accounts that don't even exist in Active Directory.
A golden ticket isn't merely a forged Kerberos ticket -- it's a forged Kerberos key distribution center.
Selling wolf tickets
The author of the Mimikatz hacking tool, Benjamin Delpy, is a smart guy. He's uncovered a lot of the innards of how Kerberos works on Windows clients. Most of what he publicly revealed I've known for a long time (as does anyone who spends a lot of time with Kerberos), but the details were not widely publicized. Plus, he taught me a few new things and came up with a cool tool (Mimikatz) to make it all work. Kudos to Delpy.
I don't think Delpy is an evil guy, even if his tool is giving Active Directory administrators around the world heartburn. Mimikatz is already the choice of malicious hackers around the globe, and this new feature, the golden ticket, will ensure it's used even more. Make no mistake, the golden ticket attack will be used to own domains around the globe. Friends and customers are already asking what they can do to detect and mitigate, reminding me very much of the early days of pass-the-hash attacks.
Here's my reply.
The problem isn't Delpy, Mimikatz, golden ticket attacks, or even Kerberos. It's the fact that a bad guy has complete and utter ownership of your domain or forest. With local admin/domain admin credentials, the bad guy can do anything.
This is the same reply I gave friends and customers when PtH (pass-the-hash) attacks started making the rounds. But hearing readers go on and on about how PtH attacks were so dangerous and how they considered it their No. 1 problem made me reconsider my approach. Last year I decided that even if I knew I was logically right, if my customers thought PtH attacks were their top problem, I'd have to adjust my attitude -- so I did.
But now we're in version two of credential theft attacks (that is, the "golden ticket") and I'm tired of playing whack-a-mole. It will never work.