Cached Kerberos tickets
MITRE ATT&CK™ Steal or Forge Kerberos Tickets - Technique T1558
In Windows, Kerberos tickets are handled and stored by the LSASS process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to communicate with lsass and ask for them. As a non-administrative user, only the tickets owned by that user can be fetched; as a machine administrator, however, all of them can be harvested using tools like Mimikatz, Rubeus or Giuda.
is a native Windows tool that can display a list of currently cached Kerberos tickets.
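As an added example (not code from the original notes), the following Python parses the output of the native `klist` listing described above and flags cached tickets whose validity window exceeds the Windows default maximum user ticket lifetime of 10 hours, a common triage check for forged tickets. The sample output is constructed and abbreviated, and the US-style `m/d/yyyy` date format is an assumption about the host's locale.

```python
import re
from datetime import datetime, timedelta

# Constructed, abbreviated sample of `klist` output (not captured from a real host).
# Ticket #0 is a normal 10-hour TGT; ticket #1 has a ten-year validity window,
# which no domain policy would hand out and is a classic sign of a forged ticket.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/2/2024 9:00:00 (local)
        End Time:   1/2/2024 19:00:00 (local)
        Renew Time: 1/9/2024 9:00:00 (local)

#1>     Client: alice @ CORP.EXAMPLE
        Server: cifs/fileserver.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 1/2/2024 9:05:00 (local)
        End Time:   12/30/2033 9:05:00 (local)
        Renew Time: 12/30/2033 9:05:00 (local)
"""

# Fields worth keeping from each ticket block; other lines are ignored.
FIELD = re.compile(r"^\s*(Client|Server|Start Time|End Time|KerbTicket Encryption Type):\s*(.*?)\s*$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumption: US-locale timestamps as printed by klist

def parse_klist(text):
    """Split klist output into one dict per cached ticket (#N> starts a block)."""
    tickets, current = [], None
    for line in text.splitlines():
        if re.match(r"^#\d+>", line):          # new ticket; the rest of the line is its first field
            current = {}
            tickets.append(current)
            line = line.split(">", 1)[1]
        m = FIELD.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2).replace(" (local)", "")
    return tickets

def ticket_lifetime(ticket):
    start = datetime.strptime(ticket["Start Time"], TIME_FMT)
    end = datetime.strptime(ticket["End Time"], TIME_FMT)
    return end - start

def suspicious_tickets(text, max_lifetime=timedelta(hours=10)):
    """Return (server, lifetime) for every cached ticket that outlives the policy maximum."""
    return [(t["Server"], ticket_lifetime(t)) for t in parse_klist(text)
            if ticket_lifetime(t) > max_lifetime]
```

Run it against a saved `klist` dump from a triaged host; a hit means the ticket's lifetime could not have come from the KDC under the default policy, so the ticket itself (and the session it lives in) deserves a closer look.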
From a Unix attacking machine, we can remotely dump tickets using (python).
We can also do it manually by dumping LSASS memory using one of these techniques, exfiltrating the dump to our attacking machine, and then retrieving the tickets using .
Using tools like Giuda, we can avoid dumping LSASS memory. With the , we can read the LSA storage, extract the session key from the TGT, and forge a request asking for a TGS; we must use the LUID instead of the username.
can be used to request a TGS on behalf of another user (without a password).