Pass-the-Ticket attack involves stealing and reusing Kerberos authentication tickets instead of passwords or hashes. This attack exploits weaknesses in the Kerberos protocol, which is widely used in Windows Active Directory environments, allowing attackers to impersonate legitimate users.

MITRE ATT&CK ID: T1550.003

1- Kerberos Authentication Overview

• Key Components:

  • Key Distribution Center (KDC):

    Issues authentication tickets.

  • Ticket Granting Ticket (TGT):

    Obtained during initial login; used to request access tickets.

  • Service Ticket (ST):

    Provides access to specific network services (e.g., file shares, databases).

• Login Process:

  1. User Authentication:

     The user authenticates with the KDC and receives a TGT.

  2. Ticket Request:

     The TGT is then used to request Service Tickets for accessing various services.

2- Steps of a PtT Attack

a. Initial Access

• Objective:

  The attacker gains control of a system in the target environment through methods such as phishing, exploiting vulnerabilities, or other means.

b. Ticket Extraction

• Process:

  The attacker dumps Kerberos tickets stored in the system's memory (typically within the LSASS process).

• Common Tool:

  • Mimikatz

    Example Command:

    mimikatz # kerberos::list
    

c. Ticket Reuse

• Method:

  The attacker injects the stolen ticket into their session to impersonate the victim and access network resources without needing the password.

• Example Command:

  mimikatz # kerberos::ptt <ticket.kirbi>
  

d. Lateral Movement and Privilege Escalation

• Outcome:

  With a valid ticket injected, the attacker can access privileged resources and move laterally within the network.

3- Key Tools for PtT Attacks