Pass the Ticket (PtT) from Windows
Last updated
Last updated
Rubeus - Export Tickets
Mimikatz - Export Tickets
The tickets that end with $ correspond to the computer account, which needs a ticket to interact with the Active Directory.
User tickets have the user's name,
followed by an @ that separates the service name and the domain, for example: [randomvalue]-username@service-domain.local.kirbi.
We can also export tickets using Rubeus and the option dump
This option can be used to dump all tickets (if running as a local administrator).
Rubeus dump, instead of giving us a file, will print the ticket encoded in base64 format. We are adding the option /nowrap for easier copy-paste.
Another advantage of abusing Kerberos tickets is the ability to forge our own tickets. Let's see how we can do this using the OverPass the Hash or Pass the Key technique.
The traditional Pass the Hash (PtH) technique involves reusing an NTLM password hash that doesn't touch Kerberos
The Pass the Key or OverPass the Hash approach converts a hash/key (rc4_hmac, aes256_cts_hmac_sha1, etc.) for a domain-joined user into a full Ticket-Granting-Ticket (TGT).
To forge our tickets, we need to have the user's hash
we can use Mimikatz to dump all users Kerberos encryption keys using the module sekurlsa::ekeys
Mimikatz - Extract Kerberos Keys
Mimikatz - Pass the Key or OverPass the Hash
Rubeus - Pass the Key or OverPass the Hash
Rubeus Pass the Ticket
Another way is to import the ticket into the current session using the .kirbi file from the disk.
Rubeus - Pass the Ticket
Convert .kirbi to Base64 Format
Using Rubeus, we can perform a Pass the Ticket providing the base64 string instead of the file name.
Pass the Ticket - Base64 Format
Mimikatz - Pass the Ticket
Administrators often use PowerShell Remoting to manage remote computers on the network
Enabling PowerShell Remoting creates both HTTP and HTTPS listeners.
The listener runs on standard port TCP/5985 for HTTP and TCP/5986 for HTTPS.
To create a PowerShell Remoting session on a remote computer, you must have administrative permissions, be a member of the Remote Management Users group, or have explicit PowerShell Remoting permissions in your session configuration.
Suppose we find a user account that doesn't have administrative privileges on a remote computer but is a member of the Remote Management Users group. In that case, we can use PowerShell Remoting to connect to that computer and execute commands.
The above command will open a new cmd window.
From that window, we can execute Rubeus to request a new TGT with the option /ptt to import the ticket into our current session and connect to the DC using PowerShell Remoting.
Rubeus - Pass the Ticket for Lateral Movement
technique was developed by Benjamin Delpy and Skip Duckwall in their presentation
allows us to run scripts or commands on a remote computer.