Kerberoasting 101 – A golden ticket to Disneyland

Imagine the best amusement park that you’ve heard of or ever been to. The plethora of rides they offer, the ambrosial food available at the food stalls, enthralling games to play, etc. But like all good things in this world, the amusement park, with all its rides and glory comes with a cost. One has to buy a ticket to get in, buy tokens to get on a ride, buy coupons to treat yourself with the delicious food.

Imagine now, that you get a special ticket of your dream amusement park which essentially makes anything and everything in the park, totally free for you! Not only that, the ticket has another special ability through which you can, in turn, generate similar tickets, so that your friends too can enjoy the amusement park for free!

This might be possible in real life only if you’re a multimillionaire (or better still, the owner of the amusement park). In the world of information security, having such access is one of the most prominent and dangerous attacks, termed the ‘Golden Ticket’ attack.

A golden ticket, much like the golden ticket from Willy Wonka, is an attack where the attacker gains access to literally every system in the network. In this post, I will try to draw an analogy between the golden ticket attack and the amusement park example, to give a better understanding of the attack.

So, coming back to the amusement park, let us look at the ticketing system of one such place: Disneyland. Here, you have different kinds of entry tickets available, from single-day tickets and multi-day tickets to special-day tickets, annual passports, etc. Each of these tickets comes with its own perks; the costlier the ticket, the higher the perks. Each ticket has its own unique number or bar-code, used to authenticate and identify the ticket as genuine and to ascertain the benefits its holder can enjoy with that particular ticket.


Now, what if you were to take this one-time ticket and somehow turn it into a golden ticket? For that, we need to understand the authentication process of the ticketing system. A particular ticket carries information about its type, its validity, and the kind of rides it is eligible for. These features are engraved in the ticket when it is made by the “Ticket Generator”, a person or a machine which makes these tickets. Let us call the people who are given the role of handling these tickets once they are generated the “Ticket Masters”. The ticket masters would be special people on the working staff of Disneyland with some special privileges; that is, they would have access to special accounts through which they can manage the sale and use of the tickets. Now, in order to help the ticket masters know which rides are available for a particular ticket category, Disneyland has made a document (let’s name it the service document) listing the facilities or benefits of each ticket. We can assume this document is password protected and looks something like the format below.

Ticket No.  Name      Rides Eligible
12345       John Doe  Big Thunder Mountain Railroad, Peter Pan’s Flight
67890       Jane Doe  Pirates of the Caribbean, Splash Mountain, Jungle Cruise

Therefore, with this document, the ticket master can look at a ticket and determine whether the person is eligible to use a particular ride. But what if our John Doe, who has a ticket with access to ‘Big Thunder Mountain Railroad’ and ‘Peter Pan’s Flight’ only, wants to go on the ‘Pirates of the Caribbean’ ride? When he goes to the entry for this ride, the ticket master would look at the service document, match John’s ticket against the services it is eligible for, and on finding that it has no eligibility for the Pirates ride, would deny John the ride.

But John Doe is crafty and determined to not only enjoy the rides available on his ticket but also all the other rides being offered at Disneyland. So he plans to get a golden ticket created for himself! But how can he do this? Let’s take a look.

  1. First, John Doe starts by getting initial access to Disneyland. He then has to somehow steal one of the ID cards of the workers at Disneyland. The ID card needn’t belong to anyone with special privileges. John can very well get an ID card to enter the staff area and then use that ID card to further gain special privileges. Let us assume John manages to get his hands on the ID card of an employee working at one of the rides of Disneyland. Obviously, this ID card cannot get him access to any of the rides, but it will allow him into the area which is usually reserved for staff personnel.
  2. Now, once inside the staff area, John can look around and do some reconnaissance. He can assess all the different types of staff at Disneyland. He can identify who the gatekeepers, the maintenance crew, the security, the ticket masters for each ride, etc. are.
  3. From this information, John quickly realizes who the persons of interest are (the ticket masters of the rides) and who the people are whom he needs to avoid as much as he can (namely, the security guards).
  4. Now that John has identified the ticket masters, he has to somehow gain access to one of their IDs. But the ticket masters are smart. They all have a unique code that differentiates them from one another and tells which ride a particular ticket master is assigned to. John, having just a simple staff ID, cannot access this information.
  5. So John would try to elevate his privileges. He would go and look at the register where every ticket master’s name and the corresponding ride services are assigned and written down. The register is kept at a place called a service account.
  6. John, very secretively, while hiding from the security personnel, gets into this account and checks the register or notebook for the names of the ticket masters and the services assigned to them. Let us call this register where the names are written the Service Principal Name (SPN) register.
  7. Once John has access to the SPN register, he can identify which services or rides are eligible for which ticket, who the ticket master for a particular ride is, and which ticket numbers have used the ride. There is still one problem. The names and all the information in the register are not written in a language readable by John, but in some other abstruse dialect. But John has a powerful tool with him called Mimikatz (visualize it as an all-in-one Google Translate which can detect the language the information is written in and convert it into a language readable by John).
  8. With the help of Mimikatz, John now knows exactly which tickets have access to the “Pirates of the Caribbean” ride.
  9. John also learns the ticket masters’ details. He can now impersonate one of the ticket masters and ask for a ticket directly from the ticket generator (remember, the ticket generator was the system which made the tickets and distributed them to the ticket masters for use). The ticket generator would obviously have its own ‘workshop’ from which it prints these tickets. Let’s name this workshop KRBTGT, or the Kerberos ticket generator. Since John now has the ID of a ticket master, he goes to see the ticket generator system and asks for the share of tickets he is assigned to manage.
  10. But while he is at it, he also reads the manual on how to run the KRBTGT ticket generator itself. Again, the manual is written in a language that John cannot possibly understand. But Mimikatz once again comes to his rescue. Using Mimikatz, John translates the operation manual of the KRBTGT account and understands how the generator prints the tickets.
  11. Now John not only has access to the ticket masters and their assigned ride tickets, he knows how to print those tickets! He can now print as many tickets with any kind of ride access as he wants. He can even register new staff employees (new users) with the elevated privileges of the ticket masters (administrator privilege accounts). John now has access to the ticket generator itself. John now has what is called the Golden Ticket.
    (Disclaimer – The golden ticket attack explained above has been simplified in order to give the reader an overview of the golden ticket attack.)
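As an added, defender-side illustration that is not part of the original post: steps 5 to 8 above correspond to an attacker requesting service tickets for accounts that have SPNs and then working on those tickets offline (the Kerberoasting of the title). The Python below flags that pattern in constructed Windows Security Event ID 4769 records (a burst of RC4-encrypted, type 0x17, service ticket requests for several distinct SPNs by one account). The sample records, their field names, the five-minute window and the threshold of three SPNs are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4769 records ("A Kerberos
# service ticket was requested"). Made-up values, not real log data.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "account": "jdoe@CORP.LOCAL",
     "service": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe@CORP.LOCAL",
     "service": "HTTP/intranet.corp.local", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe@CORP.LOCAL",
     "service": "krbtgt/CORP.LOCAL", "etype": "0x12"},   # TGT renewal: ignored
    {"time": "2024-05-01T09:00:03", "account": "jdoe@CORP.LOCAL",
     "service": "WS01$", "etype": "0x17"},               # computer account: ignored
    {"time": "2024-05-01T09:00:04", "account": "jdoe@CORP.LOCAL",
     "service": "CIFS/files.corp.local", "etype": "0x17"},
    {"time": "2024-05-01T10:30:00", "account": "asmith@CORP.LOCAL",
     "service": "HTTP/intranet.corp.local", "etype": "0x12"},  # AES: normal use
    {"time": "2024-05-01T10:31:00", "account": "asmith@CORP.LOCAL",
     "service": "CIFS/files.corp.local", "etype": "0x12"},
]

RC4_HMAC = "0x17"  # Ticket Encryption Type value for RC4-HMAC in event 4769


def is_roastable_spn(service):
    # Skip the TGT service and computer accounts; Kerberoasting aims at SPNs
    # backed by user (service) accounts, whose passwords may be weak.
    return not service.startswith("krbtgt/") and not service.endswith("$")


def kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted SPNs} for accounts that requested RC4 service
    tickets for at least `threshold` distinct roastable SPNs within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and is_roastable_spn(e["service"]):
            by_account[e["account"]].append(
                (datetime.fromisoformat(e["time"]), e["service"]))
    flagged = defaultdict(set)
    for account, reqs in by_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Slide the window: drop requests older than `window` from the left.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {s for _, s in reqs[start:end + 1]}
            if len(spns) >= threshold:
                flagged[account].update(spns)
    return {a: sorted(s) for a, s in flagged.items()}
```

Tune the window and threshold to the environment; legitimate batch jobs that touch many services can also produce bursts, so treat a hit as a lead to investigate rather than a verdict.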
