Pass the Ticket (PtT)
In this attack, we use a stolen Kerberos ticket to move laterally. It can be:
- Service Ticket (TGS - Ticket Granting Service) to allow access to a particular resource.
- Ticket Granting Ticket (TGT), which we use to request service tickets to access any resource the user has privileges to.
Harvesting Kerberos Tickets from Windows
On Windows, tickets are processed and stored by the LSASS (Local Security Authority Subsystem Service) process. Therefore, to get a ticket from a Windows system, you must communicate with LSASS and request it.
As a non-administrative user, you can only get your tickets, but as a local administrator, you can collect everything.
Mimikatz - Export Tickets
Rubeus
If running as local admin, it will dump all the tickets. Rubeus dump, instead of giving us a file, will print the ticket encoded in base64 format.
Another interesting command:
Forge your own tickets with Pass the Key or OverPass the Hash
The traditional pass-the-hash technique involves reusing a hash through the NTLMv1/NTLMv2 protocol, which doesn't touch Kerberos at all. The Pass the Key or OverPass the Hash approach converts a hash/key (rc4_hmac, aes256_cts_hmac_sha1, etc.) for a domain-joined user into a full Ticket-Granting-Ticket (TGT).
Note: Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks, while Rubeus doesn't.
Mimikatz - Pass the Key or OverPass the Hash
It requires administrative rights.
1. Get hashes with sekurlsa::ekeys
To forge our tickets, we need to have the user's hash; we can use Mimikatz to dump all users' Kerberos encryption keys using the module sekurlsa::ekeys. This module will enumerate all key types present for the Kerberos package.
Now that we have access to the AES256_HMAC and RC4_HMAC keys, we can perform the OverPass the Hash or Pass the Key attack using Mimikatz and Rubeus.
2. Pass the Key or OverPass the Hash
This will create a new cmd.exe window that we can use to request access to any service we want in the context of the target user.
Rubeus - Pass the Key or OverPass the Hash
It does not require administrative rights.
This is not the case here, but if we wanted to crack the ticket, we could use kirbi2john and hashcat to proceed.
Pass the Ticket (PtT) with Rubeus
Now that we have some Kerberos tickets, we can use them to move laterally within an environment.
With /ptt
With Rubeus we performed an OverPass the Hash attack and retrieved the ticket in base64 format. Instead, we could use the flag /ptt to submit the ticket (TGT or TGS) to the current logon session.
With kirbi file
With kirbi in base64
We can also use the base64 output from Rubeus or convert a .kirbi to base64 to perform the Pass the Ticket attack. We can use PowerShell to convert a .kirbi to base64.
Convert .kirbi to Base64 Format:
Using Rubeus, we can perform a Pass the Ticket providing the base64 string instead of the file name.
Pass the Ticket (PtT) with mimikatz
Pass The Ticket with PowerShell Remoting (Windows)
PowerShell Remoting allows us to run scripts or commands on a remote computer.
Administrators often use PowerShell Remoting to manage remote computers on the network.
Enabling PowerShell Remoting creates both HTTP and HTTPS listeners.
To create a PowerShell Remoting session on a remote computer, you must:
- have administrative permissions,
- be a member of the Remote Management Users group,
- or have explicit PowerShell Remoting permissions in your session configuration.
With mimikatz
With Rubeus
1. Create a Sacrificial Process with Rubeus
Rubeus has the option createnetonly, which creates a sacrificial process/logon session (Logon type 9).
2. Rubeus - Pass the Ticket for Lateral Movement
Execute Rubeus to request a new TGT with the option /ptt to import the ticket into our current session:
Another way to import the ticket:
3. Either with mimikatz or Rubeus, once we import the ticket, we can connect to the DC using PowerShell Remoting.
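From the defender's side, the steps above leave a recognisable trail: the sacrificial process from createnetonly is a logon type 9 (NewCredentials) in event 4624, a Pass the Key with the RC4 key shows up as a TGT request (event 4768) with ticket encryption type 0x17 (rc4_hmac) rather than 0x12 (aes256), and a ticket imported with /ptt produces service ticket requests (event 4769) from a host that never asked the DC for a TGT. The following hunting script is an added example, not code from the original notes or from Mimikatz/Rubeus; the events are constructed sample records shaped like parsed Security-log fields, and the rule names, the 10-hour TGT window and the assumption that DC and workstation logs are collected centrally (so they can be correlated by client IP) are assumptions of the example.

```python
"""Hunt for Pass the Key / Pass the Ticket indicators in Windows Security events.

Added example (not from the original notes). The events below are constructed
sample records modelled on 4624 / 4768 / 4769 fields; no real log data is used.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type codes as logged in the TicketEncryptionType field.
RC4_HMAC = "0x17"                # rc4_hmac: key is derived from the NT hash
AES256_CTS_HMAC_SHA1 = "0x12"    # aes256_cts_hmac_sha1: expected for modern accounts
NEW_CREDENTIALS_LOGON = "9"      # 4624 LogonType 9: runas /netonly, Rubeus createnetonly

# Constructed sample events (assumption: already parsed into dicts by a collector).
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2025-01-18T19:55:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": AES256_CTS_HMAC_SHA1},
    {"EventID": 4624, "Time": "2025-01-18T20:01:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "LogonType": NEW_CREDENTIALS_LOGON,
     "LogonProcessName": "seclogo"},
    {"EventID": 4768, "Time": "2025-01-18T20:01:10", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": "2025-01-18T20:01:20", "TargetUserName": "alice@EXAMPLE.LOCAL",
     "IpAddress": "10.0.0.5", "ServiceName": "cifs/dc01",
     "TicketEncryptionType": AES256_CTS_HMAC_SHA1},
    {"EventID": 4769, "Time": "2025-01-18T20:05:00", "TargetUserName": "bob@EXAMPLE.LOCAL",
     "IpAddress": "10.0.0.9", "ServiceName": "http/dc01",
     "TicketEncryptionType": AES256_CTS_HMAC_SHA1},
]


def _ts(event):
    """Parse the event timestamp (ISO 8601 in the sample records)."""
    return datetime.fromisoformat(event["Time"])


def find_indicators(events, tgt_window=timedelta(hours=10)):
    """Return (rule, account, client_ip) tuples for suspicious Kerberos activity.

    Rules (heuristics, each needs triage):
      new_credentials_logon - 4624 with LogonType 9; a sacrificial logon session
                              whose network identity differs from the local one.
      rc4_tgt_request       - 4768 asking for an RC4 TGT for a user account, the
                              fingerprint of Pass the Key with an NT hash.
      tgs_without_tgt       - 4769 from a client IP that made no 4768 within the
                              TGT window: the ticket was injected, not requested.
    The tgt_window assumption matches a default 10h TGT lifetime; renewed or
    long-cached TGTs and NAT'd clients will raise false positives.
    """
    alerts = []
    tgt_requests = defaultdict(list)  # client IP -> timestamps of 4768 seen so far
    for ev in sorted(events, key=_ts):
        eid, user, ip = ev["EventID"], ev["TargetUserName"], ev["IpAddress"]
        if eid == 4624 and ev.get("LogonType") == NEW_CREDENTIALS_LOGON:
            alerts.append(("new_credentials_logon", user, ip))
        elif eid == 4768:
            tgt_requests[ip].append(_ts(ev))
            # Computer accounts ($) legitimately vary more; focus on user accounts.
            if ev.get("TicketEncryptionType") == RC4_HMAC and not user.endswith("$"):
                alerts.append(("rc4_tgt_request", user, ip))
        elif eid == 4769:
            recent = [t for t in tgt_requests[ip] if _ts(ev) - t <= tgt_window]
            if not recent:
                alerts.append(("tgs_without_tgt", user, ip))
    return alerts


if __name__ == "__main__":
    for rule, account, client in find_indicators(SAMPLE_EVENTS):
        print(f"{rule:22s} account={account:20s} client={client}")
```

Run as a script it prints three findings: the logon type 9 session and the RC4 TGT request for alice from 10.0.0.5, and a service ticket used by bob from 10.0.0.9 with no TGT request on record. The alice 4769 is not flagged because her host did request a TGT inside the window; in production the same correlation is usually done in the SIEM, and the RC4 rule is only meaningful once AES-only is the norm for user accounts.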
Last update: 2025-01-19 Created: January 18, 2025 19:59:20