# Pass the Ticket

Adversaries may 'pass the ticket' using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the Ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

In this technique, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) for any resource the user has privileges to access.

A Silver Ticket can be forged for services that use Kerberos as an authentication mechanism; it grants access to that particular resource and the system that hosts the resource (e.g., SharePoint).

A Golden Ticket can be forged for the whole domain using the NTLM hash of the Key Distribution Service account (KRBTGT), which enables generation of TGTs for any account in Active Directory.

**Example**

This demonstration will also cover Silver Tickets.

In this scenario there is a share that our current domain user, **DC\Dwinchester**, cannot access. We are aware of another user that can:

**Jwinchester**, because that user is a member of the Data Engineers group.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MSWLMhdod3w_bh_XElq%2F-MSWLPTwoqV4qsbpYnHJ%2Fimage.png?alt=media\&token=7c3081b7-90ee-4246-9b14-019755963cbb)

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MSWLMhdod3w_bh_XElq%2F-MSWLQvz7aWS-DsEcrVg%2Fimage.png?alt=media\&token=1363438c-dc59-41c4-866a-757b2031b226)

That folder grants permissions to that user. We can see that our current user has no permissions even to view the folder's permissions.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MSWLMhdod3w_bh_XElq%2F-MSWLS8OcK41qWqNTA2O%2Fimage.png?alt=media\&token=edc392b6-2332-4180-8ff5-d9d5754ee8ec)

Since it is a DB folder, we look for a user with DB permissions; we already know that Jwinchester has them.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MSWLMhdod3w_bh_XElq%2F-MSWLTIm-DORLsGhUcfK%2Fimage.png?alt=media\&token=2946790c-ac06-42dd-8740-9940bf5ee69d)

John is the perfect candidate, so let's get a ticket for this account. We will use a tool to enumerate SPNs.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MSWLMhdod3w_bh_XElq%2F-MSWLUFAGrnUG-aFXorF%2Fimage.png?alt=media\&token=1e83c8f7-6fd3-40ff-95f1-3e98ca349ab5)

And request the ticket.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MSWLMhdod3w_bh_XElq%2F-MSWLVHWfoMeBg-zyZt9%2Fimage.png?alt=media\&token=5dbca13a-8821-4bce-8e24-08e4f6621a06)

We then export the tickets and crack them offline. The cracked password is converted to an NTLM hash; for demo purposes this has already been done.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MSWLMhdod3w_bh_XElq%2F-MSWLX4aMAsIvJj7QFYd%2Fimage.png?alt=media\&token=d61b1a74-72e3-4dcf-8ff5-3d7609e2ebe9)

Create the Silver Ticket.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MSWLMhdod3w_bh_XElq%2F-MSWLY5yPicBOKJsxX9F%2Fimage.png?alt=media\&token=1091921c-f263-4eb1-8972-552247dbdfb5)

Remember the share we had no access to? We can now enumerate the files on the share.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MSWLMhdod3w_bh_XElq%2F-MSWLZEMrDvk6md6JuTT%2Fimage.png?alt=media\&token=a892a63c-9be3-4bd9-abe6-267ac22904aa)
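From the defender's side, the chain above leaves two traces worth hunting for: the SPN ticket request is logged on the DC as event 4769 with RC4 encryption (the Kerberoasting step), while the forged Silver Ticket is presented straight to the file server and never touches the KDC, so the host records a Kerberos logon (4624) for which the DC holds no matching 4769. The following Python is an added example, not code from the original page or its tooling; the event records, hostnames (DC01, FS01, DB01) and service account (svc_sql) are constructed assumptions.

```python
# Added example: detection heuristics for the Kerberoast -> Silver Ticket chain.
# Constructed sample records (not the page's data) with Windows Security log
# field names: 4768 = TGT, 4769 = service ticket (both on the DC), 4624 = logon.
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; cheap to crack offline

EVENTS = [  # constructed; hostnames and accounts are assumptions
    {"Computer": "DC01", "EventID": 4768, "TargetUserName": "Dwinchester",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    # Dwinchester asks for a ticket to a user-account SPN and gets RC4 back
    {"Computer": "DC01", "EventID": 4769, "TargetUserName": "Dwinchester",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC},
    # ordinary AES ticket for the file server's machine account
    {"Computer": "DC01", "EventID": 4769, "TargetUserName": "Dwinchester",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12"},
    {"Computer": "FS01", "EventID": 4624, "TargetUserName": "Dwinchester",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    # Jwinchester appears on DB01 although the DC never issued a DB01$ ticket
    {"Computer": "DB01", "EventID": 4624, "TargetUserName": "Jwinchester",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
]


def kerberoast_candidates(events):
    """4769s for a non-machine service account with RC4 encryption.

    Machine accounts (trailing '$') and krbtgt renewals are normal traffic;
    a user-account SPN requested with RC4 is the Kerberoasting signature.
    """
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if e["EventID"] == 4769
            and e.get("TicketEncryptionType") == RC4_HMAC
            and not e["ServiceName"].endswith("$")
            and e["ServiceName"].lower() != "krbtgt"]


def unexplained_kerberos_logons(events):
    """Kerberos network logons with no matching 4769 on the DC.

    A forged Silver Ticket is presented straight to the service, so the DC
    holds no 4769 for (user, host$). Heuristic: SMB/CIFS tickets target the
    machine account, so the logon host plus '$' is the expected ServiceName;
    services running under a user SPN need an SPN-to-host map (not done here),
    and in production all DCs' logs and a time window must be considered.
    """
    issued = {(e["TargetUserName"].lower(), e["ServiceName"].lower())
              for e in events if e["EventID"] == 4769}
    return [(e["Computer"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "Kerberos"
            and (e["TargetUserName"].lower(), e["Computer"].lower() + "$") not in issued]
```

Run against the constructed sample, the first function flags Dwinchester's RC4 request for svc_sql and the second flags Jwinchester's logon on DB01, which is exactly the share access achieved with the Silver Ticket above.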

References:

{% embed url="https://attack.stealthbits.com/silver-ticket-attack-forged-service-tickets" %}

{% embed url="https://www.dsinternals.com/en/downloads/" %}

{% embed url="https://adsecurity.org/?p=2011" %}
