Pass the Ticket
Last updated
Last updated
Adversaries may 'pass the ticket' using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the Ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
In this technique, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending in the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.
Silver Ticket can be obtained for services that user Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).
Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.
Example
This demonstration will also cover Silver Tickets
Now on this scenario we have a share inaccessible by our domain user that we currently hold DC\Dwinchester. But we are aware of another user that can.
Jwinchester, this being since the users is part of the Data Engineers Group
And that folder has permissions for that user. We can see that our current user has no permissions to even check the
permissions itself.
Since it's a DB folder we try to search for a user that has DB permissions we already know this with Jwinchester.
John is the perfect candidate, now let's get a ticket for this account. We will use a tool to grab SPNs
And Request the Ticket
We will then export the tickets and crack them offline. Crack the ticket and convert it to an NTLM Hash for Demo purposes this is already done.
Create the Silver Ticket
And remember the share we had no access too?. We can now enumerate the files on the Share
References: