Since the 1990s, Windows administrators have been plagued with Pass-the-Hash (PTH) attacks. These attacks reuse stolen password hashes, letting hackers authenticate as local administrator accounts without ever knowing the passwords.
Newer Windows operating systems mitigated the PTH threat to a great degree. However, hackers evolved along with the technology and found new attack vectors. Last year, a different type of cyber attack gained notoriety for its ability to target Kerberos, the default authentication protocol in Windows 2000 and later domains.
Lesser known than its cousin Pass-the-Hash, this newer attack, dubbed Pass-the-Ticket, is just as dangerous. Using toolkits such as Mimikatz and Windows Credentials Editor (WCE), hackers can develop Pass-the-Ticket attacks that move through the network by copying tickets from compromised end-user machines, or from a delegated authorization server.
Launching Pass-the-Ticket Attacks
You can typically launch Pass-the-Ticket attacks in one of two ways:
- The hacker steals a Ticket Granting Ticket or Service Ticket from a Windows machine and uses the stolen ticket to impersonate a user, or
- The hacker steals a Ticket Granting Ticket or Service Ticket by compromising a server that performs authorization on the users’ behalf.
Once the attacker extracts one of these tickets, he can use it to move laterally within the network, seeking out additional permissions and stealing sensitive data.
What’s the End Game of Pass-the-Ticket Attacks?
It gets even more ominous though. The eventual goal of Pass-the-Ticket could be to steal the hash of the krbtgt account on a domain controller. This is the account used by Kerberos to encrypt Ticket Granting Tickets. Once in possession of this password hash, a hacker could create unlimited tickets, granting any level of access, with virtually unlimited lifetimes. This is the so-called Golden Ticket, which according to security researcher Roger Grimes “isn’t merely a forged Kerberos ticket — it’s a forged Kerberos key distribution center.”
Learn more about defending against Golden Ticket exploits. Download the whitepaper Mitigating Golden Ticket Attacks.
In general, you can’t block Pass-the-Ticket exploits with standard cyber security defenses. That’s because local and domain password changes don’t invalidate tickets that were issued before the change. And while multifactor authentication is typically a sound verification practice, Pass-the-Ticket exploits bypass it altogether: the second factor is checked when the user first logs on, and a stolen ticket is presented after that step has already been completed.
Instead, protecting against Pass-the-Ticket requires a different approach on the part of IT. Here are three steps in a Pass-the-Ticket defense process:
- Stabilize the IT Environment: As stated above, Pass-the-Ticket attacks exploit the default authentication in Windows domains. That allows hackers to impersonate users or processes to move laterally on a network. To counter this attack, you need to reduce the attack surface of your network. That involves enforcing frequent, automated credential updates and secure escalation to impede lateral movement. Start by removing weak, shared local administrator logins. Replace them with cryptographically complex, unique and frequently changing credentials. Then audit access to those credentials.
- Enforce Secure Privileged Escalation: Further reduce your attack surface by minimizing the presence of highly privileged logins that attackers can use to gain control of your network. Consider a privileged identity management solution that grants users delegated privileged access, and gives authorized administrators temporary membership in pre-defined groups with elevated privileges. These measures limit the ability of cyber attackers to access additional network resources after they’ve exploited a computer or impersonated a user through Pass-the-Ticket.
- Rapid Remediation Process: Establish, in advance, a process to remove attackers’ access to compromised systems. You can accomplish this through a system that changes passwords twice on potentially compromised machines. The two password resets force immediate replication of changed credentials everywhere on the domain to block the use of compromised tickets. The password resets can be used in conjunction with automatic, chained reboots of managed machines after user escalation, or after changes to systems are implemented using escalated credentials. At Lieberman Software we call this process a Security DoubleTap™. It clears the system memory of hashes and passwords on compromised machines to curtail further access.
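To spot the ticket theft and reuse described above, and to identify the "potentially compromised machines" that the remediation step acts on, here is an added example (not Lieberman Software's code) of a simple detection heuristic run over constructed domain controller log lines: it flags a service ticket request (event 4769) for a user coming from a client address that never obtained a TGT (event 4768) for that user within the TGT lifetime. The event IDs are real Windows Security events; the field names, log format and sample addresses are simplified assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample DC security-log lines (not real data) in a simplified
# key=value form. 4768 = TGT issued to a client, 4769 = service ticket requested.
SAMPLE_LOG = """\
2024-03-01T08:02:10 EventID=4768 User=alice Client=10.0.1.20
2024-03-01T08:05:42 EventID=4769 User=alice Client=10.0.1.20 Service=cifs/fs01
2024-03-01T09:00:11 EventID=4768 User=bob Client=10.0.1.31
2024-03-01T09:12:03 EventID=4769 User=bob Client=10.0.1.31 Service=ldap/dc01
2024-03-01T11:40:27 EventID=4769 User=alice Client=10.0.2.77 Service=cifs/fs02
2024-03-01T11:41:05 EventID=4769 User=alice Client=10.0.2.77 Service=host/srv09
"""

TGT_LIFETIME = timedelta(hours=10)  # default domain policy for a TGT's lifetime


def parse_events(text):
    """Turn the constructed log lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_ticket_reuse(events, lifetime=TGT_LIFETIME):
    """Return 4769 service-ticket requests for a user from a client address that
    obtained no TGT (4768) for that user within the preceding TGT lifetime.
    A ticket copied from one host and replayed from another shows up this way.
    Caveat: log gaps, or TGTs older than `lifetime`, produce false positives."""
    last_tgt = {}  # (user, client) -> time of the most recent 4768 for that pair
    alerts = []
    for ev in events:
        key = (ev["User"], ev["Client"])
        if ev["EventID"] == "4768":
            last_tgt[key] = ev["time"]
        elif ev["EventID"] == "4769":
            issued = last_tgt.get(key)
            if issued is None or ev["time"] - issued > lifetime:
                alerts.append((ev["time"].isoformat(), ev["User"], ev["Client"], ev["Service"]))
    return alerts


if __name__ == "__main__":
    for alert in find_ticket_reuse(parse_events(SAMPLE_LOG)):
        print("possible Pass-the-Ticket:", alert)
```

In the sample, alice's tickets are used from 10.0.2.77 although that client never requested a TGT for her, so both requests from that address are flagged; the flagged client is the machine the password-reset and reboot process above would then target.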
Want to learn more about defeating pass-the-ticket attacks? Download our whitepaper Mitigating Golden Ticket Attacks.