Pass-the-ticket (PtT) is the technique of injecting a Kerberos ticket directly into a Windows logon session so that subsequent Kerberos-authenticated requests use it automatically. RubeusDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
ptt calls the LsaCallAuthenticationPackage API to import a KRB_CRED structure — either decoded from a base64 blob or read from a .kirbi file on disk — into the target logon session cache. By default the ticket lands in your own session; supplying /luid redirects it into any other session on the machine, which requires SYSTEM or equivalent privileges.
Flags
The Kerberos ticket to inject. Accepts either a base64-encoded
.kirbi blob or a path to a .kirbi file on disk. This flag is mandatory — the command exits immediately without it.The Logon Session ID (LUID) of the target logon session, expressed as a hex value (e.g.
0x1234ab). When omitted Rubeus injects into the current session. Targeting any other LUID requires an elevated (high-integrity) process.Examples
Inject from a base64-encoded ticket blob
The most common workflow after adump or tgtdeleg run: copy the printed base64 string and inject it directly.
Inject from a .kirbi file on disk
If you already have a.kirbi file (e.g. saved by Mimikatz’s kerberos::list /export or Rubeus /outfile):
Inject into a specific logon session (elevated)
First find the LUID you want to target withRubeus.exe triage, then pass it here:
Rubeus accepts either a raw base64 string or a file path for
/ticket. If the value is a valid base64 string it is decoded in memory; if not, Rubeus checks whether it is a path to an existing file. Any other input produces an error.