mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 02:53:28 +00:00
980 B
980 B
Harvesting tickets from Windows
In Windows, tickets are handled and stored by the lsass (Local Security Authority Subsystem Service) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to communicate with lsass and ask for them. As a non-administrative user only owned tickets can be fetched, however, as machine administrator, **all **of them can be harvested. For this purpose, the tools Mimikatz or Rubeus can be used as shown below:
mimikatz # sekurlsa::tickets /export
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
This information was taken from: https://www.tarlogic.com/en/blog/how-to-attack-kerberos/