
RODC Golden tickets

Theory

With administrative access to an RODC, it is possible to dump all the cached credentials, including those of the krbtgt_XXXXX account. The hash can be used to forge an "RODC golden ticket" for any account that is in the msDS-RevealOnDemandGroup attribute of the RODC and not in its msDS-NeverRevealGroup attribute. This ticket can be presented to the RODC, or to any reachable standard (writable) Domain Controller, to request a Service Ticket (ST).

When presenting an RODC golden ticket to a writable (i.e. standard) Domain Controller, there is no point in crafting the PAC, because the writable Domain Controller recalculates it when issuing the service ticket (ST).
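The eligibility rule above (in msDS-RevealOnDemandGroup, not in msDS-NeverRevealGroup, evaluated through nested group membership) is also the set of accounts an administrator should audit on every RODC: any privileged account in that set is exposed if the RODC is compromised. The following added example, which is not part of the original page, applies the rule to a constructed directory snapshot; the group membership map, the RODC attribute values and the list of privileged groups are all hypothetical sample data, standing in for what a real audit would read over LDAP.

```python
"""Audit an RODC's password replication policy: list the accounts the RODC may
cache and flag the privileged ones. Added example, not code from the page.
All directory data below is constructed; a real run would read the RODC
computer object's msDS-RevealOnDemandGroup / msDS-NeverRevealGroup attributes
and group membership over LDAP."""

# Constructed sample directory: group DN -> direct member DNs.
# DNs absent from this map are treated as user/computer accounts.
GROUP_MEMBERS = {
    "CN=Allowed RODC Password Replication Group,CN=Users,DC=corp,DC=local": [
        "CN=Branch Users,OU=Groups,DC=corp,DC=local",
        "CN=svc-backup,OU=Service,DC=corp,DC=local",
    ],
    "CN=Branch Users,OU=Groups,DC=corp,DC=local": [
        "CN=alice,OU=Branch,DC=corp,DC=local",
        "CN=bob,OU=Branch,DC=corp,DC=local",
        # Misplacement: a Domain Admin nested into a branch group.
        "CN=Administrator,CN=Users,DC=corp,DC=local",
    ],
    "CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local": [
        "CN=Domain Admins,CN=Users,DC=corp,DC=local",
        "CN=krbtgt,CN=Users,DC=corp,DC=local",
    ],
    "CN=Domain Admins,CN=Users,DC=corp,DC=local": [
        "CN=Administrator,CN=Users,DC=corp,DC=local",
    ],
    "CN=Server Operators,CN=Builtin,DC=corp,DC=local": [
        "CN=svc-backup,OU=Service,DC=corp,DC=local",
    ],
}

# Constructed RODC computer object attributes (multi-valued DN attributes).
RODC = {
    "msDS-RevealOnDemandGroup": [
        "CN=Allowed RODC Password Replication Group,CN=Users,DC=corp,DC=local",
    ],
    "msDS-NeverRevealGroup": [
        "CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local",
    ],
}

# Hypothetical list of groups whose members should never be cacheable on an
# RODC. Server Operators is included because it is not in the Denied group
# in this sample, so nothing else would stop it from being cached.
PRIVILEGED_GROUPS = [
    "CN=Domain Admins,CN=Users,DC=corp,DC=local",
    "CN=Server Operators,CN=Builtin,DC=corp,DC=local",
]


def expand(dn, groups=GROUP_MEMBERS, seen=None):
    """Transitively resolve a DN to the set of accounts it denotes.
    A group yields its (nested) members; anything else yields itself.
    `seen` guards against circular group nesting."""
    seen = set() if seen is None else seen
    if dn not in groups:
        return {dn}
    if dn in seen:
        return set()
    seen.add(dn)
    accounts = set()
    for member in groups[dn]:
        accounts |= expand(member, groups, seen)
    return accounts


def expand_all(dns, groups=GROUP_MEMBERS):
    """Union of expand() over several DNs."""
    accounts = set()
    for dn in dns:
        accounts |= expand(dn, groups)
    return accounts


def revealable_accounts(rodc, groups=GROUP_MEMBERS):
    """Accounts the RODC may cache: transitively in msDS-RevealOnDemandGroup
    and not transitively in msDS-NeverRevealGroup. Denial wins."""
    allowed = expand_all(rodc["msDS-RevealOnDemandGroup"], groups)
    denied = expand_all(rodc["msDS-NeverRevealGroup"], groups)
    return allowed - denied


def privileged_exposure(rodc, groups=GROUP_MEMBERS, privileged=PRIVILEGED_GROUPS):
    """Cacheable accounts that also hold a privileged group membership."""
    return revealable_accounts(rodc, groups) & expand_all(privileged, groups)


if __name__ == "__main__":
    for dn in sorted(revealable_accounts(RODC)):
        print("cacheable:", dn)
    for dn in sorted(privileged_exposure(RODC)):
        print("PRIVILEGED and cacheable:", dn)
```

In the sample, Administrator is nested into the allowed branch group but is still excluded because Domain Admins sits in the Denied group, while svc-backup is flagged: it is directly allowed and nothing denies it, even though it is a Server Operator. Moving such accounts into the Denied group (or out of the Allowed one) is the fix on the directory side.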

Practice

For the moment, no tool is available to forge an RODC golden ticket from UNIX-like systems.

"The secret ingredient for making an RODC golden ticket viable is including the correct key version number in the kvno field of the ticket."

(Elad Shamir on specterops.io)

Resources

https://adsecurity.org/?p=3592

https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/