RODC Golden tickets

Theory

With administrative access to an RODC, it is possible to dump all the cached credentials, including those of thekrbtgt_XXXXX account. The hash can be used to forge a "RODC golden ticket" for any account in the msDS-RevealOnDemandGroup and not in the msDS-NeverRevealGroup attributes of the RODC. This ticket can be presented to the RODC or any accessible standard writable Domain Controller to request a Service Ticket (ST).

When presenting a RODC golden ticket to a writable (i.e. standard) Domain Controller, it is not worth crafting the PAC because it will be recalculated by the writable Domain Controller when issuing a service ticket (ST).

Practice

For the moment, no tool is available to only forge a RODC Golden Ticket from UNIX-like systems.

The secret ingredient for making an RODC golden ticket viable is including the correct key version number in the kvno field of the ticket.
(Elad Shamir on specterops.io)

Resources

https://adsecurity.org/?p=3592

https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

RODC Golden tickets

Theory

Practice

Resources

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

RODC Golden tickets ​

Theory ​

Practice ​

Resources ​

RODC Golden tickets

Theory

Practice

Resources