hacktricks/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md

28 lines
2.7 KiB
Markdown
Raw Normal View History

# Harvesting tickets from Linux
On Linux, **tickets are stored in credential caches or ccaches**. There are 3 main types, which indicate where **tickets can be found:**
2021-11-30 16:46:07 +00:00
* **Files**, by default under **/tmp** directory, in the form of **krb5cc\_%{uid}.**
* **Kernel Keyrings**, an special space in the Linux kernel provided for storing keys.
* **Process memory,** used when only one process needs to use the tickets.
2021-11-30 16:46:07 +00:00
To verify what type of storage is used in a specific machine, the variable _**default\_ccache\_name**_** ** must be checked in the **/etc/krb5.conf** file, which by default has read permission to any user. In case of this parameter being missing, its default value is _FILE:/tmp/krb5cc\_%{uid}_.
2021-11-30 16:46:07 +00:00
In order to extract **tickets from the other 2 sources** (keyrings and processes), a great paper, [**Kerberos Credential Thievery (GNU/Linux)**](https://www.delaat.net/rp/2016-2017/p97/report.pdf), released in 2017, explains ways of recovering the tickets from them.
#### Keyring - From the paper
2021-11-30 16:46:07 +00:00
> The **Linux kernel** has a feature called **keyrings**. This is an **area of memory residing** within the kernel that is used to **manage and retain keys**.
>
> The **keyctl system call** was introduced in kernel version 2.6.10 5 . This provides **user space applications an API** which can be used to interact with kernel keyrings.
2021-11-30 16:46:07 +00:00
> The **name of the keyring** in use can be parsed from the **Kerberos configuration file /etc/krb5.conf** which has read permission enable for anybody (octal 644) by default. An attacker can then leverage this information to **search for ticket** 11 containing keyrings and extract the tickets. A proof of concept script that implements this functionality can be seen in Section A.2 **(hercules.sh)**. In a keyring the ccache is stored as components. As seen in Figure 2, a file ccache is made up of 3 distinct components: header, default principal, and a sequence of credentials. A **keyring holds the default principal and credentials**. This script will dump these components to separate files. Then using an **attacker synthesised header** these pieces are combined in the correct order to **rebuild a file ccache**. This rebuilt file can then be exfiltrated to an attacker machine and then used to impersonate a Kerberos user. A simple program for generating a valid ccache header can be seen in Section A.3.
2021-11-30 16:46:07 +00:00
Based on the **heracles.sh script** (from the paper) a C tool you can use (created by the author of the complete post) is [**tickey**](https://github.com/TarlogicSecurity/tickey)**, and it extracts tickets from keyrings:**
```
/tmp/tickey -i
```
2021-11-30 16:46:07 +00:00
**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)****