Guides Pass-the-Ticket (PtT) attacks: extract Kerberos tickets from LSASS memory using Mimikatz/Rubeus, inject for impersonation and lateral movement in red-team exercises.
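npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets from the memory (LSASS) of a compromised host, an attacker can inject those tickets into their own session to impersonate the ticket owner and access resources as that user.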
Guides conducting Pass-the-Ticket attacks for red-teaming: extract Kerberos tickets from LSASS with Mimikatz/Rubeus, inject for passwordless lateral movement.
Guides red-teaming Pass-the-Ticket attacks: extract Kerberos tickets from LSASS, inject via Mimikatz/Rubeus, enable lateral movement without passwords. For authorized pentests mapping MITRE T1550.003.
Detects Kerberos Pass-the-Ticket attacks in Splunk/Elastic SIEM by analyzing Windows event IDs 4768/4769/4771 for anomalies like cross-host ticket reuse, RC4 downgrades, and unusual request volumes.
| Tool | Purpose | Command |
|---|---|---|
| Mimikatz | Ticket export/import | sekurlsa::tickets /export, kerberos::ptt |
| Rubeus | Ticket dumping and injection | dump, ptt, tgtdeleg |
| Impacket ticketConverter | Format conversion | ticketConverter.py ticket.kirbi ticket.ccache |
| Impacket psexec/smbexec | Remote execution using a ticket | KRB5CCNAME=ticket.ccache psexec.py |