Attack Technique 2: Pass the Ticket: Use of Alternate Authentication Material (T1550)

Pass-the-Ticket (PtT) Attacks: Exploiting the Kerberos Authentication Protocol

Pass-the-Ticket (PtT) is a sophisticated attack technique that exploits the Kerberos authentication protocol by leveraging stolen Ticket Granting Tickets (TGTs). This method allows attackers to gain unauthorized access to network resources, bypassing the need for user passwords and traditional access controls.

Understanding the Kerberos Authentication Protocol

The Kerberos protocol is designed to provide secure authentication within a network. Two key components of Kerberos are:

  1. Ticket Granting Ticket (TGT):

    • Issued by the Domain Controller (DC) after successful user authentication.

    • Contains session details, including the user’s session key, group memberships, and privileges.

    • Encrypted using the user's password hash and stored in the user's memory.

  2. Service Ticket:

    • Generated by the DC when a user requests access to a specific service.

    • Contains a session key for the requested service, encrypted with the user’s session key.

Pass-the-Ticket Attack Mechanism

The PtT attack involves three key stages:

  1. Acquisition of TGTs:

    • Attackers acquire TGTs through credential dumping tools (e.g., Mimikatz), phishing, or exploiting Kerberos vulnerabilities.

  2. Requesting Service Tickets:

    • Using the stolen TGTs, attackers request service tickets from the DC to gain access to specific services.

  3. Authentication to Target Systems:

    • Attackers use the service tickets to authenticate to target systems, granting unauthorized access to sensitive resources.

Impact and Risks of Pass-the-Ticket Attacks

  1. Lateral Movement:

    • Attackers can move across the network using a single stolen TGT, accessing multiple systems and services.

  2. Privilege Escalation:

    • By impersonating privileged accounts, attackers can execute actions that compromise the network’s security.

  3. Data Exfiltration:

    • Unauthorized access to sensitive data can lead to significant breaches, data theft, and reputational damage.

Tools and Techniques to Perform Pass-the-Ticket Attacks

Tool 1: Mimikatz

Mimikatz is a widely used post-exploitation tool for PtT attacks. Below are the main steps:

Step 1: Capturing Kerberos Tickets

  • Command:

    privilege::debug
sekurlsa::tickets /export

    • Extracts TGTs from memory and exports them as .kirbi files.

Step 2: Reusing the Ticket

  • Command:

    kerberos::ptt C:\KerberosTickets\Alice@krbtgt-DOMAIN.COM.kirbi

    • Injects the stolen TGT into the attacker's session.

Step 3: Discovering Privileges

  • Command:

    net user Alice /domain

    • Displays the user’s group memberships and privileges.

Step 4: Accessing Network Resources

  • Use built-in OS utilities (e.g., PsExec, PowerShell) for lateral movement and executing commands on remote systems.

Tool 2: PowerShell (Invoke-WMIExec)

  • Enables remote command execution using Kerberos tickets.

  • Example Command:

    Invoke-WmiExec -target <IP> -hash <TGT_hash> -username Alice -command hostname

Tool 3: Evil-WinRM

  • Facilitates remote code execution using Windows Remote Management (WinRM) and stolen Kerberos tickets.

  • Example Command:

    evil-winrm -u Alice -H <NTLM_hash> -i <target_IP>

Detection Methods for Pass-the-Ticket Attacks

To detect PtT attacks, organizations should monitor specific Windows Event IDs:

  1. Event ID 4768: A TGT was requested.

    • Key Fields: Account Name, Service Name, Client Address.

  2. Event ID 4769: A service ticket was requested.

    • Key Fields: Account Name, Service Name.

  3. Event ID 4770: A service ticket was renewed.

    • Key Fields: Account Name, Service Name.

Log Analysis Techniques:

  • Monitor for multiple TGT requests from the same account within a short period.

  • Look for service ticket requests from unusual accounts or locations.

  • Correlate events to identify abnormal patterns, such as tickets requested for high-privilege accounts from untrusted IPs.

Mitigation Techniques for Pass-the-Ticket Attacks

  1. Enable Windows Defender Credential Guard:

    • Protects credentials in LSASS memory using virtualization-based security.

    • Prevents tools like Mimikatz from extracting Kerberos tickets.

  2. Limit Administrative Privileges:

    • Apply the Principle of Least Privilege to reduce the number of privileged accounts.

  3. Randomize Local Administrator Passwords:

    • Use Local Administrator Password Solution (LAPS) to ensure unique passwords across machines.

  4. Implement Multi-Factor Authentication (MFA):

    • Adds an extra layer of security, making it difficult for attackers to authenticate using only Kerberos tickets.

  5. Monitor and Audit Logs:

    • Regularly review logs for suspicious activities related to Kerberos authentication.

  6. Regular Updates and Patching:

    • Keep systems and applications updated to close vulnerabilities that could be exploited to dump credentials.

  7. Enforce Strong Password Policies:

    • Require complex, regularly changed passwords to reduce the likelihood of credential theft.

Conclusion

Pass-the-Ticket attacks pose a significant risk to enterprise security by exploiting weaknesses in the Kerberos authentication protocol. Understanding the PtT attack lifecycle, combined with the use of tools like Mimikatz and Evil-WinRM, helps illustrate how attackers gain unauthorized access and move laterally across networks.

Organizations must implement robust detection and mitigation strategies, including Credential Guard, log monitoring, and MFA, to protect against these advanced threats. By enhancing their security posture, businesses can safeguard their systems and data from the severe consequences of PtT attacks.

PreviousAttack Technique 1: Pass the Hash: Use of Alternate Authentication Material (T1550)NextAttack Technique 3: Kerberoasting

Last updated