Sapphire Ticket Attack: Abusing Kerberos Trust

The article discusses the vulnerabilities in Active Directory (AD) arising from the use of Kerberos authentication, highlighting two new attack techniques: the Diamond Ticket and Sapphire Ticket attacks. Researchers detail how these techniques allow hackers to obtain unauthorized access to AD resources. The Sapphire Ticket attack, in particular, represents an evolution of the Diamond Ticket attack, permitting stealthier exploitation through intricate manipulation of Privilege Attribute Certificates (PACs).
Affected: Active Directory, Cybersecurity Sector

Key points:

  • Broad usage of Active Directory (AD) has made it a target for hackers.
  • New attack techniques include Diamond Ticket and Sapphire Ticket attacks.
  • Diamond Tickets modify the PAC of a legitimate ticket, while Sapphire Tickets replace the PAC with one obtained for a different, more privileged user.
  • Sapphire Ticket attacks involve multiple steps, including authenticating with the KDC and obtaining a PAC for a high-privilege user.
  • The key requirement for creating Sapphire Tickets is having the domain’s krbtgt hash, but DOMAIN_SID and DOMAIN_RID are not needed.
  • S4U2Self and U2U extensions play a crucial role in executing these attacks without requiring a Service Principal Name (SPN).
  • The exploitation phase requires access to the KRBTGT hash, often obtained via compromised privileged credentials.
  • Metasploit can be used to forge Kerberos tickets using various techniques including Sapphire Tickets.
  • Effective domain security and monitoring of Kerberos tickets and requests are vital to prevent these types of attacks.
  • The article emphasizes the need for tight controls within domain security to mitigate risks from such vulnerabilities.

Full Story: https://www.hackingarticles.in/sapphire-ticket-attack-abusing-kerberos-trust/