In the context of the CompTIA PenTest+ certification, the Pass-the-Ticket (PtT) attack is a sophisticated post-exploitation technique used primarily for lateral movement within a Windows Active Directory (AD) environment. Unlike Pass-the-Hash, which relies on NTLM hashes, PtT targets the Kerberos authentication protocol.
The core mechanism involves an attacker seizing an existing Kerberos ticket—specifically a Ticket-Granting Ticket (TGT) or a Ticket-Granting Service (TGS)—from the Local Security Authority Subsystem Service (LSASS) memory of a compromised system. Because Kerberos uses these tickets as proof of identity, an attacker who extracts a valid ticket can "pass" it to the authentication system to gain access to network resources without ever needing the user's plaintext password.
Common tools used for this attack include Mimikatz (specifically the sekurlsa::tickets module) and Rubeus. Once a machine is compromised and local administrator or SYSTEM privileges are obtained, the pen tester can dump the cached tickets. These tickets are then injected into the current session, allowing the attacker to impersonate the user (often a Domain Admin) associated with that ticket.
Two notable variations often discussed in this domain are the "Golden Ticket" and "Silver Ticket" attacks. A Golden Ticket involves forging a TGT using the domain’s KRBTGT account hash, granting indefinite persistence and total control over the domain. A Silver Ticket involves forging a TGS for specific services on specific servers.
For a penetration tester, mastering PtT is crucial for demonstrating how a minor breach can escalate to a full domain compromise. Remediation strategies often focus on limiting the lifespan of TGTs, restricting privileged account logins to secure workstations, and implementing Windows Defender Credential Guard to protect the LSASS process.
Pass-the-Ticket Attacks
Why it is Important: Pass-the-Ticket (PtT) attacks are critical concepts in the CompTIA PenTest+ curriculum because they represent a sophisticated method of lateral movement within a Windows Active Directory environment. Unlike attacks that require cracking passwords, PtT allows an attacker to masquerade as a legitimate user using captured authentication tokens. This makes it a stealthy and highly effective post-exploitation technique used by Advanced Persistent Threats (APTs) to escalate privileges and access sensitive resources without knowing the actual user credentials.
What it is: Pass-the-Ticket is an attack where an intruder captures a valid Kerberos Ticket-Granting Ticket (TGT) or Service Ticket (TGS) from a compromised system and uses it to authenticate to other network systems. It relies on the Kerberos authentication protocol, distinguishing it from Pass-the-Hash, which utilizes NTLM hashes. By injecting these stolen tickets into their current session, the attacker bypasses the authentication server (KDC) checks regarding the user's password.
How it Works: The attack generally follows this workflow:
1. Compromise: The attacker gains administrative or SYSTEM level access to a Windows host.
2. Harvesting: Using tools like Mimikatz (specifically the `sekurlsa::tickets` command) or Rubeus, the attacker extracts Kerberos tickets stored in the LSASS (Local Security Authority Subsystem Service) memory.
3. Injection: The attacker uses the tool to inject the stolen ticket (cached in memory or saved as a .kirbi file) into their current session (e.g., `kerberos::ptt`).
4. Access: The operating system now treats the attacker's session as the user associated with the ticket, granting access to file shares, remote management services, or other domain resources.
There are two famous variations of forged ticket attacks often grouped here:
- Golden Ticket: The attacker forges a TGT using the hash of the domain's krbtgt account, granting unlimited access to the entire domain.
- Silver Ticket: The attacker forges a TGS for a specific service on a specific server.
Exam Tips: Answering Questions on Pass-the-Ticket Attacks
When analyzing scenario-based questions on the PenTest+ exam, look for these keywords and differentiators:
- Protocol Identifier: If the scenario mentions Kerberos, TGT, or TGS, the answer is likely Pass-the-Ticket. If it mentions NTLM, it is likely Pass-the-Hash.
- Tools: Look for references to Mimikatz, Rubeus, or Impacket.
- Goal: Questions focusing on Lateral Movement or accessing resources without cracking passwords often point to PtT.
- Expiration: Remember that tickets have an expiration time (usually 10 hours). If a question asks about the limitations of a stolen ticket compared to a password, the time-to-live (TTL) of the ticket is a key factor.
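The workflow and the expiration point above translate directly into two defensive checks a blue team runs: a cached TGT whose lifetime or renewal window exceeds the domain policy (the 10-hour TTL the page cites) is a forged-ticket indicator, and a service-ticket request (event 4769) from a host that never requested a TGT (event 4768) for that user is the signature of a ticket that was injected rather than obtained from the KDC. The example below is added here and is not from the page or any tool it names; the ticket and event records are constructed samples with assumed field names, loosely modelled on what klist and the Security log report.

```python
from datetime import datetime, timedelta

# Default AD Kerberos policy: TGT lifetime 10 hours, renewal window 7 days.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEWAL = timedelta(days=7)

# Constructed sample of cached tickets (field names assumed, not real tickets).
SAMPLE_TICKETS = [
    {"client": "alice@CORP.LOCAL", "service": "krbtgt/CORP.LOCAL",
     "start": "2024-03-01 08:00", "end": "2024-03-01 18:00", "renew": "2024-03-08 08:00"},
    {"client": "svc_backup@CORP.LOCAL", "service": "krbtgt/CORP.LOCAL",
     "start": "2024-03-01 08:00", "end": "2034-02-27 08:00", "renew": "2034-02-27 08:00"},
]

# Constructed sample of DC security events (4768 = TGT requested, 4769 = TGS requested).
SAMPLE_EVENTS = [
    {"id": 4768, "user": "alice", "src": "10.0.0.5"},
    {"id": 4769, "user": "alice", "src": "10.0.0.5", "svc": "cifs/FS01"},
    # Same user, but a host that never asked the KDC for a TGT: consistent with an injected ticket.
    {"id": 4769, "user": "alice", "src": "10.0.0.77", "svc": "cifs/FS01"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def oversized_tickets(tickets, max_life=MAX_TGT_LIFETIME, max_renew=MAX_RENEWAL):
    """Return clients holding a TGT whose validity or renewal window exceeds policy."""
    hits = []
    for t in tickets:
        if not t["service"].startswith("krbtgt/"):
            continue  # only TGTs are bounded by the TGT lifetime policy
        life = parse_ts(t["end"]) - parse_ts(t["start"])
        renew = parse_ts(t["renew"]) - parse_ts(t["start"])
        if life > max_life or renew > max_renew:
            hits.append(t["client"])
    return hits


def tgs_without_tgt(events):
    """Return (user, src, service) for 4769 events whose (user, src) has no matching 4768."""
    tgt_seen = {(e["user"], e["src"]) for e in events if e["id"] == 4768}
    return [(e["user"], e["src"], e["svc"]) for e in events
            if e["id"] == 4769 and (e["user"], e["src"]) not in tgt_seen]


if __name__ == "__main__":
    print("Oversized TGTs:", oversized_tickets(SAMPLE_TICKETS))
    print("TGS without TGT:", tgs_without_tgt(SAMPLE_EVENTS))
```

The 4768/4769 correlation is only meaningful when the event window covers the whole session, since a host that obtained its TGT before logging started will also appear in the result.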