The "Dollar Ticket Attack" / Name confusion in Kerberos

This page attempts to document the "Dollar Ticket Attack" on Active Directory servers and clients.

Other related issues

There are many other security issues, some related, that come form the same tree, including:

• Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923)

CVEs and Announcements of the Nov 2021 issues

• Samba CVE-2020-25717 A user in an AD Domain could become root on domain members

• Samba CVE-2020-25719 Samba AD DC did not always rely on the SID and PAC in Kerberos tickets.

• Microsoft CVE-2021-42287 KB5008380—Authentication updates

• CERT NZ Announcement of AD DC security issue and patch

Talks

• SambaXP: The inside story on the dollar ticket attack - Youtube Video PDF (longer)

• Kawaiicon: Live stream replay @ Youtube PDF without embedded video (shorter, more focus on the remaining still open issues)

Blogs

• Stay Curious: Lessons from the Dollar-ticket security issue
• Catalyst Samba team fixes critical Microsoft security issue

Documentation

• MS-KILE 3.3.5.6.1 Client Principal Lookup
• RFC 4120 The Kerberos Network Authentication Service (V5)
• RFC6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals