Skill

conducting-pass-the-ticket-attack

Guides red-teaming Pass-the-Ticket attacks: extract Kerberos tickets from LSASS, inject via Mimikatz/Rubeus, enable lateral movement without passwords. For authorized pentests mapping MITRE T1550.003.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Conducting Pass-the-Ticket Attack

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Overview

Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets from memory (LSASS) on a compromised host, an attacker can inject those tickets into their own session to impersonate the ticket owner and access resources as that user.

When to Use

When conducting security assessments that involve conducting pass the ticket attack
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing

Prerequisites

Familiarity with red teaming concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

MITRE ATT&CK Mapping

T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1003.001 - OS Credential Dumping: LSASS Memory
T1558 - Steal or Forge Kerberos Tickets
T1021.002 - Remote Services: SMB/Windows Admin Shares

Workflow

Phase 1: Ticket Extraction

Gain local admin access on target workstation
Dump Kerberos tickets from LSASS memory using Mimikatz or Rubeus
Export tickets in .kirbi format (Mimikatz) or base64 (Rubeus)
Identify high-value tickets (Domain Admin TGTs, service tickets to critical systems)

Phase 2: Ticket Injection

Purge existing Kerberos tickets from attacker session
Import/inject stolen ticket into current session
Verify ticket is loaded and valid
Access target resources using injected ticket

Phase 3: Lateral Movement

Access remote systems using the stolen ticket identity
Perform actions as the impersonated user
Collect additional credentials from accessed systems
Document evidence of successful lateral movement

Tools and Resources

Tool	Purpose	Command
Mimikatz	Ticket export/import	sekurlsa::tickets /export, kerberos::ptt
Rubeus	Ticket dumping and injection	dump, ptt, tgtdeleg
Impacket ticketConverter	Convert between formats	ticketConverter.py ticket.kirbi ticket.ccache
Impacket psexec/smbexec	Remote execution with ticket	KRB5CCNAME=ticket.ccache psexec.py

Detection Indicators

Event ID 4768 with unusual client addresses
Event ID 4769 service ticket requests from unexpected hosts
TGT usage from different IP than the TGT was issued to
Multiple authentications from same ticket across different workstations

Validation Criteria

Kerberos tickets extracted from compromised host
Tickets injected into attacker session
Lateral movement demonstrated using stolen tickets
Evidence captured for reporting