About me
Edit

Pass the Ticket (PtT) from Windows

Harvesting Kerberos Tickets from Windows

Rubeus - Export Tickets

Rubeus.exe dump /nowrap

Mimikatz - Export Tickets

mimikatz.exe
privilege::debug
sekurlsa::tickets /export
exit

  • The tickets that end with $ correspond to the computer account, which needs a ticket to interact with the Active Directory.

  • User tickets have the user's name,

    • followed by an @ that separates the service name and the domain, for example: [randomvalue][email protected].

  • We can also export tickets using Rubeus and the option dump

    • This option can be used to dump all tickets (if running as a local administrator).

  • Rubeus dump, instead of giving us a file, will print the ticket encoded in base64 format. We are adding the option /nowrap for easier copy-paste.

  • Another advantage of abusing Kerberos tickets is the ability to forge our own tickets. Let's see how we can do this using the OverPass the Hash or Pass the Key technique.

Pass the Key or OverPass the Hash

  • The traditional Pass the Hash (PtH) technique involves reusing an NTLM password hash that doesn't touch Kerberos

  • The Pass the Key or OverPass the Hash approach converts a hash/key (rc4_hmac, aes256_cts_hmac_sha1, etc.) for a domain-joined user into a full Ticket-Granting-Ticket (TGT).

  • To forge our tickets, we need to have the user's hash

    • we can use Mimikatz to dump all users Kerberos encryption keys using the module sekurlsa::ekeys

Mimikatz - Extract Kerberos Keys

Mimikatz - Pass the Key or OverPass the Hash

Rubeus - Pass the Key or OverPass the Hash

Pass the Ticket (PtT)

Rubeus Pass the Ticket

  • Another way is to import the ticket into the current session using the .kirbi file from the disk.

Rubeus - Pass the Ticket

Convert .kirbi to Base64 Format

  • Using Rubeus, we can perform a Pass the Ticket providing the base64 string instead of the file name.

Pass the Ticket - Base64 Format

Mimikatz - Pass the Ticket

Pass The Ticket with PowerShell Remoting (Windows)

  • PowerShell Remoting allows us to run scripts or commands on a remote computer.

    • Administrators often use PowerShell Remoting to manage remote computers on the network

    • Enabling PowerShell Remoting creates both HTTP and HTTPS listeners.

      • The listener runs on standard port TCP/5985 for HTTP and TCP/5986 for HTTPS.

  • To create a PowerShell Remoting session on a remote computer, you must have administrative permissions, be a member of the Remote Management Users group, or have explicit PowerShell Remoting permissions in your session configuration.

    • Suppose we find a user account that doesn't have administrative privileges on a remote computer but is a member of the Remote Management Users group. In that case, we can use PowerShell Remoting to connect to that computer and execute commands.

Mimikatz - PowerShell Remoting with Pass the Ticket

Rubeus - PowerShell Remoting with Pass the Ticket

  • The above command will open a new cmd window.

  • From that window, we can execute Rubeus to request a new TGT with the option /ptt to import the ticket into our current session and connect to the DC using PowerShell Remoting.

Rubeus - Pass the Ticket for Lateral Movement

PreviousKerberosNextFTP Bounce Attack

Last updated