Pass the ticket
Mimikatz
1. Dump all tickets from memory on the compromised system.
Condition: To export the tickets, we need administrative privileges on the target system (at least Local Administrator).
SEKURLSA::tickets - Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of other sessions (users). - ADSecurity.org
2. Transfer the .kirbi ticket to our attacker machine.
3. Convert the ticket format
Use the impacket-ticketConverter script to convert the .kirbi ticket into a .ccache ticket. This converts the ticket between the Windows and Linux formats.
4. Export the ticket for Impacket use
5. Execute commands
Now that our ticket has been exported, we can use it to execute remote commands on the target system.
-k: Tells Impacket to use Kerberos authentication. It takes credentials from the ccache file (KRB5CCNAME) based on the target parameters.
-no-pass: Avoids prompting for a password.
Example of executing remote command via psexec
Example of requesting Kerberos hashes
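For the .ccache format from step 3, the following is an added example (not part of the original page or of Impacket) that reads a version 4 ccache file and reports which principal and service each ticket belongs to and when it expires, which is what you want to know when triaging a ccache file found on a host. The names Reader, parse_ccache and sample_ccache, and the alice@EXAMPLE.LOCAL sample, are constructed for illustration; key and ticket bytes are skipped, not decoded.

```python
import struct
from datetime import datetime, timezone

class Reader:  # bounds-checked big-endian reader over a ccache byte string
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def num(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def data(self):  # 32-bit length followed by that many bytes
        return self.take(self.num(">I"))
    def principal(self):
        self.num(">I")  # name type, not needed for display
        count = self.num(">I")
        realm = self.data().decode("utf-8", "replace")
        parts = [self.data().decode("utf-8", "replace") for _ in range(count)]
        return "/".join(parts) + "@" + realm

def parse_ccache(buf):
    """Return the default principal and, per credential, client, server, end time."""
    r = Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("not a version 4 ccache")
    r.take(r.num(">H"))  # skip header fields
    out = {"default_principal": r.principal(), "credentials": []}
    while r.pos < len(buf):
        client, server = r.principal(), r.principal()
        r.num(">H"), r.data()  # keyblock: enctype and key bytes, skipped
        end = datetime.fromtimestamp(struct.unpack(">4I", r.take(16))[2], timezone.utc)
        r.take(5)  # is_skey (1 byte) + ticket flags (4 bytes)
        for _list in range(2):  # address list, then authdata list
            for _item in range(r.num(">I")):
                r.num(">H"), r.data()
        r.data(), r.data()  # ticket and second ticket, skipped
        out["credentials"].append({"client": client, "server": server, "endtime": end})
    return out

def sample_ccache():
    """Constructed sample: one TGT for alice@EXAMPLE.LOCAL with dummy key and ticket."""
    d = lambda b: struct.pack(">I", len(b)) + b
    p = lambda *parts: struct.pack(">II", 1, len(parts)) + d(b"EXAMPLE.LOCAL") + b"".join(map(d, parts))
    cred = (p(b"alice") + p(b"krbtgt", b"EXAMPLE.LOCAL") + struct.pack(">H", 18) + d(bytes(32))
            + struct.pack(">4I", 1700000000, 1700000000, 1700036000, 1700604800)
            + bytes(5) + struct.pack(">II", 0, 0) + d(b"TICKET") + d(b""))
    return b"\x05\x04" + struct.pack(">HHHii", 12, 1, 8, 0, 0) + p(b"alice") + cred
```

Calling parse_ccache(sample_ccache()) returns the default principal and one credential entry; a truncated or non-version-4 file raises ValueError instead of returning partial data.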