Pass-the-Ticket (PtT) Attacks

Overview

Description

Pass the Ticket is a credential theft technique that enables adversaries to use stolen Kerberos tickets to authenticate to resources (e.g., file shares and other computers) as a user without having to compromise that user’s password. Adversaries often use this technique to move laterally through an organization’s network to hunt for opportunities to escalate their privileges or fulfil their mission.

Both ticket-granting service (TGS) tickets and ticket-granting tickets (TGT) can be stolen and reused by adversaries. Without administrative privileges, an adversary can obtain the TGT (using “fake delegation”) and all TGS tickets for the current user. With administrative privileges, an adversary can dump the LSASS process and obtain all TGTs and TGS tickets cached on the system.

Reference: https://www.netwrix.com/pass_the_ticket.html

Tasks

Lab Environment

In this lab environment, you have GUI access as a domain user called Research/Student on a Windows Server 2012 machine, which serves as your workstation. The workstation is vulnerable to a Pass the Ticket attack.

Your task is to execute a Pass-The-Ticket attack. By performing this attack, you will impersonate a user's session by reusing that user's Kerberos tickets, with the ultimate aim of accessing resources and escalating privileges within the Active Directory environment.

Objective: Execute a Pass-The-Ticket (PtT) attack by impersonating a user session and gaining unauthorized access in order to escalate privileges within the Active Directory environment.

Below are the tasks that you need to perform:

  • Task 1: Conducting Reconnaissance

  • Task 2: Attack Implementation

  • Task 3: Export Kerberos ticket

  • Task 4: Check Domain Controller Access

Tools

The best tools for this lab are:

  • PowerView

  • Invoke-Mimikatz

  • HFS

Solution

Step 1: Open the lab link to access the following:

Workstation


Task 1: Conducting Reconnaissance

What is Powerview?

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.

Reference: https://powersploit.readthedocs.io/en/latest/Recon/#powerview

The workstation has a directory called C:\Tools that contains the tools needed for enumeration and exploitation.

Note: Run PowerShell as Administrator.

Step 1: Set Working Directory

Change the directory to C:\Tools by running the following command.

Command: (shown as a screenshot in the original lab)

The prompt will now show the directory has switched to C:\Tools.

Step 2: Enable execution policy bypass and import the PowerView module.

Command: (shown as a screenshot in the original lab)

This command starts a new PowerShell session with the execution policy bypassed, allowing you to run scripts that the default policy would otherwise block.

The dot, followed by a space and the script's path (.\PowerView.ps1), dot-sources the script into the current PowerShell session so that its functions become available. Ensure that the PowerView.ps1 script is located in the current directory (C:\Tools).

Step 3: Discover Machines with Local Admin Access

In this step, we use PowerView's Find-LocalAdminAccess function. This function checks each machine in the current user's domain to see where the current user has local administrator access, which can be valuable for lateral movement.

Command: (shown as a screenshot in the original lab)

The command will return a list of machines to which the current user has local admin access.

Step 4: Enter a PowerShell Session

Now that we have identified a target machine (seclogs.research.SECURITY.local), we can start a PowerShell session on it. We use the Enter-PSSession command to do this.

Command: (shown as a screenshot in the original lab)

This opens an interactive remote PowerShell session on the target machine.

Task 2: Attack Implementation

Step 5: Set Up HTTP File Server (HFS) and Share Invoke-Mimikatz

What is HFS?

HTTP File Server (HFS) is a free, open-source file-sharing tool that uses the HTTP protocol to host files on a personal computer. This server is mainly used for quickly and easily sharing files across a network, eliminating the need for cloud-based third-party services or dedicated hardware.

Now we need to make Invoke-Mimikatz available to the target machine, i.e. seclogs.research.security.local.

First, start the HFS application: open File Explorer, go to C:\Tools, and launch HFS.exe.

With HFS up and running, the next step is to add Invoke-Mimikatz to it. This step is crucial, as it hosts the file on your machine, making it available for download from the target machine, seclogs.research.security.local.

HFS thereby acts as the transfer channel for the files the next steps of the Pass-The-Ticket attack require, such as Invoke-Mimikatz.

Step 6: Download and Execute Invoke-Mimikatz

Now we need to download and execute Invoke-Mimikatz on the target machine. We do this using PowerShell's ability to download scripts and execute them in memory.

Command: (shown as a screenshot in the original lab)

The iex (Invoke-Expression) command runs the downloaded Invoke-Mimikatz script in memory.

Step 7: Export the TGS ticket

With Invoke-Mimikatz loaded, we extract all Kerberos tickets cached in our current session. This is done with the sekurlsa::tickets /export command.

Command: (shown as a screenshot in the original lab)

On successful execution, the Kerberos tickets are exported and stored locally. These tickets are the instruments for accessing other resources within the network.

After the extraction, we need to identify the exported tickets, so we list their file names:

Command: (shown as a screenshot in the original lab)

This confirms that the extraction succeeded and gives the exact name of each exported ticket, which we need for the next step.

Extracted ticket: [0;2c1c7][email protected]

To use this ticket for gaining access:

Command: (shown as a screenshot in the original lab)

On successful execution, the extracted ticket is injected into our current session, enabling us to impersonate the user the ticket belongs to. This is a significant step towards gaining unauthorized access and escalating privileges within the network.

Task 3: Export Kerberos ticket

Step 8: Reviewing the Kerberos Tickets using klist

We can then check the current Kerberos tickets in the session using klist, a command-line tool that lists all the Kerberos tickets of the session.

Command: (shown as a screenshot in the original lab)

By running klist, we can inspect the obtained tickets and identify their attributes, such as ticket lifetimes, renew-until times, flags, encryption types, and associated session details. This information helps in planning the next steps.
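As an added, defender-side illustration (not part of the lab's own material), the following Python parses klist-style output and flags cached tickets whose Client principal is not the account that owns the logon session, which is exactly what a passed ticket looks like from the host. The klist text and the account and host names (student, svcadmin, dc01) are constructed for the example.

```python
import re

# Constructed klist output (not captured from the lab). The logon session
# belongs to "student", yet two cached tickets name a different client.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>     Client: student @ RESEARCH.SECURITY.LOCAL
        Server: krbtgt/RESEARCH.SECURITY.LOCAL @ RESEARCH.SECURITY.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        End Time:   1/2/2024 20:00:00 (local)

#1>     Client: svcadmin @ RESEARCH.SECURITY.LOCAL
        Server: krbtgt/RESEARCH.SECURITY.LOCAL @ RESEARCH.SECURITY.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        End Time:   1/2/2024 19:30:00 (local)

#2>     Client: svcadmin @ RESEARCH.SECURITY.LOCAL
        Server: cifs/dc01.research.security.local @ RESEARCH.SECURITY.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent
        End Time:   1/2/2024 19:30:00 (local)
"""

# One ticket runs from its "#n>" marker to the next marker or end of text.
TICKET_RE = re.compile(r"#\d+>\s+(?P<body>.*?)(?=\n#\d+>|\Z)", re.S)
FIELD_RE = re.compile(r"^\s*(Client|Server|End Time):\s*(.+?)\s*$", re.M)

def parse_klist(text):
    """Return one {field: value} dict per cached ticket in klist output."""
    return [dict(FIELD_RE.findall(m.group("body"))) for m in TICKET_RE.finditer(text)]

def foreign_tickets(text, session_user):
    """Tickets whose Client principal is not the account owning the session.
    A logon session's cache normally holds tickets for that account only, so
    a different client name is the host-side footprint of an injected ticket.
    Caveat: runas /netonly and service sessions legitimately differ, so
    pass the account that actually owns the LogonId being inspected."""
    expected = session_user.strip().lower()
    hits = []
    for t in parse_klist(text):
        client = t.get("Client", "").split("@")[0].strip().lower()
        if client != expected:
            hits.append((t.get("Client"), t.get("Server"), t.get("End Time")))
    return hits
```

Run the same check across hosts with the output of klist for each logon session (klist -li <LogonId>) to spot sessions carrying tickets for accounts that never logged on there.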

Task 4: Check Domain Controller Access

Step 9: Verify the access

Finally, we verify our access to the Domain Controller by attempting to list the contents of the C$ share on the DC.

Command: (shown as a screenshot in the original lab)

If the command successfully returns a list of files, we have access to the Domain Controller.

Conclusion

In this lab, we walked through a Pass The Ticket (PtT) attack within an Active Directory environment. Using tools like PowerView and Invoke-Mimikatz, we demonstrated the stages of this attack, from enumerating network resources and extracting Kerberos tickets to verifying access rights.
