Impacket-PsExec-PassTheTicket

Impacket’s psexec.py offers psexec-like functionality and gives you an interactive shell on the Windows host. psexec.py also accepts a Service Ticket, saved as a ccache file, for authentication. The ticket can be obtained via Impacket’s GetST.py. Note that Kerberos prefers hostnames over IP addresses, so give the target as a hostname and specify its address with -target-ip.

Command Reference:

Target hostname: backup01.test.local

Target IP: 10.10.10.1

Domain controller: 10.10.10.111

Domain: test.local

Username: john (his ticket is in cache)

Command:

Extra code:

References:

https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py

https://www.sans.org/blog/psexec-python-rocks/

https://book.hacktricks.xyz/windows/active-directory-methodology/pass-the-ticket#pass-the-ticket-attack