mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 11:03:24 +00:00
12 lines
980 B
Markdown
12 lines
980 B
Markdown
# Harvesting tickets from Windows
|
||
|
||
In Windows, tickets are **handled and stored by the lsass** (Local Security Authority Subsystem Service) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to **communicate with lsass and ask for them**. As a **non-administrative user only owned tickets can be fetched**, however, as machine **administrator**, **all **of them can be harvested. For this purpose, the tools **Mimikatz or Rubeus** can be used as shown below:
|
||
|
||
```
|
||
mimikatz # sekurlsa::tickets /export
|
||
.\Rubeus dump
|
||
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
|
||
```
|
||
|
||
**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)****[\
|
||
](https://app.gitbook.com/@cpol/s/hacktricks/\~/drafts/-LhAFG7vZpkSqhe9Wmev/primary/todo/pentesting-kerberos-88/harvesting-tickets-from-windows)
|