How does the Pass-The-Ticket attack work?

Çağlar Arlı

Generally, for a TGS request, we are required to have the corresponding TGT ticket, the user blob encrypted with the TGT session key, and the SPN service. It means that the attacker should know the TGT session key to proceed with the PTT attack in order to request the TGS ticket. If the TGT session key is not required, then we can simply get the TGT tickets of pre-auth disabled users; however, we are required to know the TGT session key in this case, which is why we cannot accomplish the TGS request.

How does PTT work without knowing the TGT session key, as this is theoretically impossible?