ask
kerberos::ask requests Service Tickets (STs) from the KDC for a given SPN, using the TGT already cached in the session or one loaded from a .kirbi file. The equivalent Windows native command is klist get. kerberos::ask takes the following command-line arguments:
  • /tkt: save the ST (Service Ticket) to a .tkt file
  • /export: export the TGS to a .kirbi file
  • /rc4: use an RC4 key
  • /des: use a DES key
  • /aes256: use an AES256 key (the default)
  • /aes128: use an AES128 key
  • /target: the target SPN/FQDN
  • /nocache: tells Mimikatz not to cache the ticket in the current session
```
mimikatz # kerberos::ask [email protected]~HACKLAB.LOCAL-HACKLAB.LOCAL.kirbi /target:CIFS/dc.hacklab.local
Asking for: CIFS/dc.hacklab.local
   * Ticket Encryption Type & kvno not representative at screen

   Start/End/MaxRenew: 18/11/2021 01:47:30 ; 18/11/2021 11:47:30 ; 25/11/2021 01:47:30
   Service Name (02) : CIFS ; dc.hacklab.local ; @ HACKLAB.LOCAL
   Target Name  (02) : CIFS ; dc.hacklab.local ; @ HACKLAB.LOCAL
   Client Name  (01) : m3g9tr0n ; @ HACKLAB.LOCAL
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   Session Key       : 0x00000012 - aes256_hmac
     9905bb3a8b7b45f9c841983c7a7e3e0c0cc197e879fd6933a70f29227c6c8e21
   Ticket            : 0x00000012 - aes256_hmac ; kvno = 0 [...]
```
Check that the ST was injected into the current session (it is listed alongside the TGT):
```
mimikatz # kerberos::list

[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 18/11/2021 01:47:30 ; 18/11/2021 11:47:30 ; 25/11/2021 01:47:30
   Server Name       : krbtgt/HACKLAB.LOCAL @ HACKLAB.LOCAL
   Client Name       : m3g9tr0n @ HACKLAB.LOCAL
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 18/11/2021 01:47:30 ; 18/11/2021 11:47:30 ; 25/11/2021 01:47:30
   Server Name       : CIFS/dc.hacklab.local @ HACKLAB.LOCAL
   Client Name       : m3g9tr0n @ HACKLAB.LOCAL
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
```
Request an ST for HTTP/dc.hacklab.local with an RC4 key (note the session key and ticket encryption type change to 0x17, rc4_hmac_nt):
```
mimikatz # kerberos::ask /rc4 [email protected]~HACKLAB.LOCAL-HACKLAB.LOCAL.kirbi /target:HTTP/dc.hacklab.local
Asking for: HTTP/dc.hacklab.local
   * Ticket Encryption Type & kvno not representative at screen

   Start/End/MaxRenew: 18/11/2021 02:08:15 ; 18/11/2021 11:47:30 ; 25/11/2021 01:47:30
   Service Name (02) : HTTP ; dc.hacklab.local ; @ HACKLAB.LOCAL
   Target Name  (02) : HTTP ; dc.hacklab.local ; @ HACKLAB.LOCAL
   Client Name  (01) : m3g9tr0n ; @ HACKLAB.LOCAL
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   Session Key       : 0x00000017 - rc4_hmac_nt
     31186422cb60b903003c8aa0bc1cb384
   Ticket            : 0x00000017 - rc4_hmac_nt ; kvno = 0 [...]
```
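As an added example (not part of the Mimikatz documentation or code), a small Python parser for the kerberos::list output format shown above: it decodes the hex flag word (e.g. 40a50000) and the encryption type number the same way the tool prints them, and reports cached tickets that use a legacy RC4/DES key (the same etype 0x17 downgrade a defender looks for in Kerberos TGS request logs) or carry ok_as_delegate. The sample listing embedded in the block is constructed from the output above; the flag and etype tables follow RFC 4120 / RFC 3961 numbering.

```python
import re

# Ticket flag names by bit position (RFC 4120 TicketFlags, MSB = bit 31), in
# the order mimikatz prints them; bits 17 and 19 are unassigned.
TICKET_FLAGS = {
    16: "name_canonicalize", 18: "ok_as_delegate", 20: "hw_authent",
    21: "pre_authent", 22: "initial", 23: "renewable", 24: "invalid",
    25: "postdated", 26: "may_postdate", 27: "proxy", 28: "proxiable",
    29: "forwarded", 30: "forwardable", 31: "reserved",
}
# Kerberos encryption type numbers with the names mimikatz shows for them.
ETYPES = {0x01: "des_cbc_crc", 0x03: "des_cbc_md5", 0x11: "aes128_hmac",
          0x12: "aes256_hmac", 0x17: "rc4_hmac_nt"}

# Constructed sample: the TGT from the listing above plus an RC4 HTTP ticket.
SAMPLE_LIST = """
[00000000] - 0x00000012 - aes256_hmac
   Server Name       : krbtgt/HACKLAB.LOCAL @ HACKLAB.LOCAL
   Client Name       : m3g9tr0n @ HACKLAB.LOCAL
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000017 - rc4_hmac_nt
   Server Name       : HTTP/dc.hacklab.local @ HACKLAB.LOCAL
   Client Name       : m3g9tr0n @ HACKLAB.LOCAL
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
"""

def decode_flags(value: int) -> list[str]:
    """Expand a 32-bit flags word such as 0x40a50000 into flag names."""
    return [n for bit, n in sorted(TICKET_FLAGS.items()) if value >> bit & 1]

def parse_ticket_list(text: str) -> list[dict]:
    """Parse kerberos::list console output into one dict per cached ticket."""
    tickets = []
    for block in re.split(r"(?m)^[ \t]*\[\d{8}\] - ", text)[1:]:
        etype = int(re.match(r"0x([0-9a-fA-F]+)", block).group(1), 16)
        names = dict(re.findall(r"(?m)^[ \t]*(Server|Client) Name[ \t]*:[ \t]*(.+?)[ \t]*$", block))
        flags = int(re.search(r"Flags ([0-9a-fA-F]{8})", block).group(1), 16)
        tickets.append({"etype": ETYPES.get(etype, hex(etype)), "server": names["Server"],
                        "client": names["Client"], "flags": decode_flags(flags)})
    return tickets

def review_tickets(tickets: list[dict]) -> list[str]:
    """Report legacy-etype tickets and service tickets whose target is trusted for delegation."""
    findings = []
    for t in tickets:
        if t["etype"].startswith(("rc4", "des")):
            findings.append(f"{t['server']}: legacy etype {t['etype']}")
        if "ok_as_delegate" in t["flags"] and not t["server"].startswith("krbtgt/"):
            findings.append(f"{t['server']}: service trusted for delegation (ok_as_delegate)")
    return findings
```

Running review_tickets(parse_ticket_list(SAMPLE_LIST)) reports the HTTP ticket twice: once for its rc4_hmac_nt key and once for ok_as_delegate, while the AES TGT produces nothing.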