mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-23 03:23:44 +00:00
13 lines
983 B
Markdown
13 lines
983 B
Markdown
# Harvesting tickets from Windows
|
||
|
||
In Windows, tickets are **handled and stored by the lsass** \(Local Security Authority Subsystem Service\) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to **communicate with lsass and ask for them**. As a **non-administrative user only owned tickets can be fetched**, however, as machine **administrator**, **all** of them can be harvested. For this purpose, the tools **Mimikatz or Rubeus** can be used as shown below:
|
||
|
||
```
|
||
mimikatz # sekurlsa::tickets /export
|
||
.\Rubeus dump
|
||
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
|
||
```
|
||
|
||
**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)****[
|
||
](https://app.gitbook.com/@cpol/s/hacktricks/~/drafts/-LhAFG7vZpkSqhe9Wmev/primary/todo/pentesting-kerberos-88/harvesting-tickets-from-windows)
|
||
|