You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A linux machine can also be present inside an Active Directory environment.
6
6
7
-
A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root**inside the machine.
7
+
A Linux machine inside an AD can **store Kerberos material locally**: user ccaches, machine/service keytabs, and SSSD-managed secrets. These artefacts can usually be reused as any other Kerberos credential. In order to read most of them you will need to be the user owner of the ticket or **root**on the machine.
8
8
9
9
## Enumeration
10
10
@@ -28,6 +28,27 @@ FreeIPA is an open-source **alternative** to Microsoft Windows **Active Director
28
28
../freeipa-pentesting.md
29
29
{{#endref}}
30
30
31
+
### Domain-joined host artefacts
32
+
33
+
Before touching tickets, identify **how the host was joined to AD** and **where Kerberos material is really stored**. On modern Linux hosts this is commonly handled by `realmd` + `adcli` + `sssd`, not just flat files in `/tmp`:
This quickly tells you whether the host trusts AD, whether SSSD is caching identities or tickets, and whether **machine/service keytabs** or **KCM secrets** are available for abuse.
51
+
31
52
## Playing with tickets
32
53
33
54
### Pass The Ticket
@@ -39,19 +60,28 @@ In this page you are going to find different places were you could **find kerber
If you want the **Linux-specific ticket harvesting workflows** (`FILE`, `DIR`, `KEYRING`, `KCM`, `/proc`, etc.), check the dedicated page:
43
64
44
-
CCACHE files are binary formats for **storing Kerberos credentials** are typically stored with 600 permissions in `/tmp`. These files can be identified by their **name format, `krb5cc_%{uid}`,** correlating to the user's UID. For authentication ticket verification, the **environment variable `KRB5CCNAME`** should be set to the path of the desired ticket file, enabling its reuse.
List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be **reused by setting the environment variable** with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID.
71
+
CCACHE files are binary formats for **storing Kerberos credentials**. `FILE:/tmp/krb5cc_%{uid}` is still common, but modern Linux deployments also use `DIR:/run/user/%{uid}/krb5cc*`, `KEYRING:persistent:%{uid}`, or `KCM:%{uid}`. Check the **`KRB5CCNAME`** environment variable and the `default_ccache_name` setting before assuming tickets live in `/tmp`.
47
72
48
73
```bash
49
-
# Find tickets
50
-
ls /tmp/ | grep krb5cc
51
-
krb5cc_1000
74
+
# Where is the current process reading credentials from?
Service account keys, essential for services operating with root privileges, are securely stored in **`/etc/krb5.keytab`** files. These keys, akin to passwords for services, demand strict confidentiality.
96
129
97
-
To inspect the keytab file's contents, **`klist`** can be employed. The tool is designed to display key details, including the **NT Hash** for user authentication, particularly when the key type is identified as 23.
130
+
To inspect the keytab file's contents, **`klist`** can be employed. On Linux, `klist -k -K -e` prints the principals, key version numbers, encryption types, and raw key material. If the key type is **23 / RC4-HMAC**, the key value is also the **NT hash** of that principal.
#Output includes service principal details and the NT Hash
133
+
klist -k -K -e /etc/krb5.keytab
134
+
#RC4-HMAC entries expose reusable NTLM material; AES entries do not
102
135
```
103
136
104
-
For Linux users, **`KeyTabExtract`** offers functionality to extract the RC4 HMAC hash, which can be leveraged for NTLM hash reuse.
137
+
For Linux users, **`KeyTabExtract`** offers functionality to extract the RC4 HMAC hash, which can be leveraged for NTLM hash reuse. Note that this only helps when the keytab still contains **etype 23 / RC4-HMAC** material. In **AES-only** environments you may not get a reusable NT hash, but you can still authenticate directly with the keytab via Kerberos.
105
138
106
139
```bash
107
140
python3 keytabextract.py krb5.keytab
@@ -114,17 +147,86 @@ On macOS, **`bifrost`** serves as a tool for keytab file analysis.
### Reuse the machine account from `/etc/krb5.keytab`
161
+
162
+
On `realmd`/`adcli`/`sssd` joined systems, `/etc/krb5.keytab` usually contains the **computer account** and one or more **host/service principals**. If you have **root**, don't just dump it: use one of the principals listed by `klist -k` to request a TGT and operate as the Linux host itself.
# Validate LDAP / service access using that machine identity
173
+
ldapwhoami -Y GSSAPI -H ldap://dc.domain.local
174
+
kvno ldap/dc.domain.local
121
175
```
122
176
177
+
This is especially useful when the **computer object** itself has delegated rights in AD or when the host is allowed to retrieve other secrets such as a **gMSA**.
178
+
179
+
### Reuse stolen Kerberos material with Linux-first AD tooling
180
+
181
+
Once you have a valid `ccache` or a usable keytab, you can operate against AD **directly from Linux** without converting everything to Windows formats first. Many modern tools accept `KRB5CCNAME` / Kerberos auth natively:
182
+
183
+
```bash
184
+
# Reuse a stolen cache with bloodyAD for LDAP-side actions
### Linux gMSA / Managed Service Account artefacts
203
+
204
+
Recent Linux deployments can consume **Managed Service Accounts** directly from AD. In practice this means that, after compromising a Linux server, you may find not only the host keytab but also **service-specific keytabs** generated from a gMSA. Common places to inspect are `/etc/gmsad.conf`, deployment-specific config files, and additional `*.keytab` files under `/etc`.
205
+
206
+
```bash
207
+
# Look for gMSA-related configuration and extra keytabs
This gives you a reusable Kerberos identity for the SPNs bound to that gMSA **without touching any Windows endpoint**. For **domain-side** gMSA/dMSA abuse after higher privileges in AD, check:
0 commit comments