Pass the Ticket

In overpass the hash we got a TGT and then used it to authenticate with Kerberos. The drawback is that the TGT can only be used from the machine on which it was generated. Also, if the service account we target is not an administrative account, the previous two methods do not work.

Pass the ticket uses a TGS (service ticket), so once the ticket is generated it can be exported and used from any other machine. This provides the following advantages:

  • No administrative privileges are required if the service ticket belongs to the current user

  • We can choose the machine from which the ticket is used

In the "Creating & Cracking TGS" section we got our hands on the password of the service account. With it we can craft our own ticket carrying whatever permissions we want; this is called a silver ticket.

The point of this exercise is that we can access any resource this service account has access to.

We also need the Security Identifier (SID) of the domain to create the ticket:

whoami /user

The output will be something like this:

S-1-5-21-1602875587-2787523311-2599479668-1103

The domain SID is everything before the final component (the user's RID, -1103 here), i.e. S-1-5-21-1602875587-2787523311-2599479668.

Once inside mimikatz, execute the following command:

kerberos::golden /user:Current_User /domain:Ad-Domain_name /sid:S-1-5-21-1602875587-2787523311-2599479668 /target:complete_SPN_of_Service /service:HTTP /rc4:E2B475C11DA2A0748290D87AA966C327 /ptt

rc4 - the NTLM (NT) hash of the service account's password. A plaintext password cannot be used; the hash has to be computed first and passed to this command.

The following command can be used to generate the NTLM hash from a password (Python 3; the NT hash is MD4 over the UTF-16LE encoding of the password):

python3 -c 'import hashlib; print(hashlib.new("md4", "<password>".encode("utf-16le")).hexdigest())'

Note that Python builds linked against OpenSSL 3 may refuse "md4" unless the OpenSSL legacy provider is enabled.
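The ticket described above is forged locally with the service key and never requested from the KDC, so the domain controller records no 4769 (Kerberos service ticket request) for it, while the target host still logs a 4624 network logon. As an added example that is not from the original page, this Python script correlates constructed sample events from both logs and flags logons that no ticket request precedes; the event field names are simplified assumptions.

```python
# Added detection example (not the page's own code): correlate Kerberos
# network logons on a member server (event 4624) with TGS requests on the
# domain controller (event 4769). A ticket forged with the service key is
# never requested from the KDC, so a logon with no backing 4769 stands out.
from datetime import datetime, timedelta

# Constructed sample events; users, IPs and timestamps are placeholders.
DC_4769 = [  # TGS requests as logged on the DC
    {"time": "2024-01-10T09:00:05", "user": "alice", "service": "svc_web", "client_ip": "10.0.0.21"},
]
SRV_4624 = [  # logons as logged on the web server (svc_web's host)
    {"time": "2024-01-10T09:00:07", "user": "alice", "src_ip": "10.0.0.21", "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2024-01-10T09:30:00", "user": "alice", "src_ip": "10.0.0.77", "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2024-01-10T09:31:00", "user": "bob", "src_ip": "10.0.0.22", "logon_type": 3, "auth_pkg": "NTLM"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def unbacked_kerberos_logons(logons, tgs_requests, service, window=timedelta(minutes=10)):
    """Return Kerberos network logons to `service` that no TGS request backs.

    A 4769 for the same user, naming `service`, issued within `window`
    before the logon counts as backing. NTLM logons are out of scope here.
    """
    suspicious = []
    for lg in logons:
        if lg["logon_type"] != 3 or lg["auth_pkg"] != "Kerberos":
            continue
        t = _ts(lg["time"])
        backed = any(
            r["user"].lower() == lg["user"].lower()
            and r["service"].lower() == service.lower()
            and timedelta(0) <= t - _ts(r["time"]) <= window
            for r in tgs_requests
        )
        if not backed:
            suspicious.append(lg)
    return suspicious


if __name__ == "__main__":
    for hit in unbacked_kerberos_logons(SRV_4624, DC_4769, "svc_web"):
        print(f"no TGS request backs logon of {hit['user']} from {hit['src_ip']} at {hit['time']}")
```

In a real environment collect 4769 events from every domain controller and allow for clock skew, since a missing request can also come from a log gap rather than a forged ticket.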
